Fix IEEE 802.11 analyzer to properly forward tunneled packets

This mostly happens with Aruba, but could possibly happen with other tunnels too.
Tim Wojtulewicz 2023-04-13 17:11:23 -07:00 committed by Tim Wojtulewicz
parent e4a1c30828
commit 5b1c6216bd
3 changed files with 26 additions and 1 deletions


@ -103,5 +103,17 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
uint32_t protocol = (data[0] << 8) + data[1];
data += 2;
return ForwardPacket(len - len_80211, data, packet, protocol);
if ( packet->tunnel_type == BifEnum::Tunnel::NONE )
return ForwardPacket(len - len_80211, data, packet, protocol);
else
{
// For tunneled packets, reset the packet's protocol based on the one in the LLC header.
// This makes sure that the IP analyzer can process it correctly.
if ( protocol == 0x0800 )
packet->proto = IPPROTO_IPV4;
else if ( protocol == 0x86DD )
packet->proto = IPPROTO_IPV6;
return ForwardPacket(len - len_80211, data, packet, packet->proto);
}
}
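Review bot: The tunneled branch has no fallback for an LLC protocol other than 0x0800 or 0x86DD, so `packet->proto` keeps whatever the outer tunnel layer left in it and the final `ForwardPacket(len - len_80211, data, packet, packet->proto)` dispatches the inner payload under that stale value. Because the encapsulated 802.11 frame is sender-controlled, a non-IP ethertype may then be handed to an analyzer that expects a different format. Adding `else return false;` after the IPv6 case, ideally with a weird or log event naming the unexpected ethertype, would reject such frames explicitly. It is also worth confirming that the dispatcher used here is keyed by IPPROTO_* values for tunneled packets, since the non-tunneled branch forwards the raw ethertype in `protocol`. AnalyzePacket starts outside the hunk, so any length check guarding `data[0]`/`data[1]` and the `len - len_80211` subtraction is not visible here.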