GH-1517: Add Geneve decap support

This patch adds the ability to decap Geneve packets to process the inner payload. The structure of the analyzer borrows heavily from the VXLAN analyzer.
2025-10-02 06:38:20 +00:00 · 2021-04-21 11:54:10 +02:00 · 2021-04-21 11:54:10 +02:00 · 5b2bf374fd
commit 5b2bf374fd
parent b44ae62ce4
15 changed files with 207 additions and 5 deletions
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@ -93,7 +93,7 @@ export {
 const ayiya_ports = { 5072/udp };
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };

 event zeek_init() &priority=5
 	{
@ -103,6 +103,7 @@ event zeek_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, geneve_ports);
 	}

 function register_all(ecv: EncapsulatingConnVector)
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -5029,6 +5029,12 @@ export {
 	## if you customize this, you may still want to manually ensure that
 	## :zeek:see:`likely_server_ports` also gets populated accordingly.
 	const vxlan_ports: set[port] = { 4789/udp } &redef;
+
+	## The set of UDP ports used for Geneve traffic.  Traffic using this
+	## UDP destination port will attempt to be decapsulated.  Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :zeek:see:`likely_server_ports` also gets populated accordingly.
+	const geneve_ports: set[port] = { 6081/udp } &redef;
 } # end export

 module Reporter;
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@ -9,6 +9,7 @@ add_subdirectory(dns)
 add_subdirectory(file)
 add_subdirectory(finger)
 add_subdirectory(ftp)
+add_subdirectory(geneve)
 add_subdirectory(gnutella)
 add_subdirectory(gssapi)
 add_subdirectory(gtpv1)
--- a/src/analyzer/protocol/geneve/CMakeLists.txt
+++ b/src/analyzer/protocol/geneve/CMakeLists.txt
@ -0,0 +1,8 @@
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Geneve)
+zeek_plugin_cc(Geneve.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
--- a/src/analyzer/protocol/geneve/Geneve.cc
+++ b/src/analyzer/protocol/geneve/Geneve.cc
@ -0,0 +1,88 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "zeek/analyzer/protocol/geneve/Geneve.h"
+
+#include "zeek/Conn.h"
+#include "zeek/IP.h"
+#include "zeek/RunState.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+#include "zeek/analyzer/protocol/geneve/events.bif.h"
+
+namespace zeek::analyzer::geneve {
+
+void Geneve_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+                                    uint64_t seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	// Outer Ethernet, IP, and UDP layers already skipped.
+	// Also, generic UDP analyzer already checked/guarantees caplen >= len.
+
+	constexpr auto tunnel_header_len = 8;
+
+	if ( len < tunnel_header_len )
+		{
+		ProtocolViolation("Geneve header truncation", reinterpret_cast<const char*>(data), len);
+		return;
+		}
+
+	auto outer = Conn()->GetEncapsulation();
+
+	if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("tunnel_depth");
+		return;
+		}
+
+	if ( ! outer )
+		outer = std::make_shared<EncapsulationStack>();
+
+	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::GENEVE);
+	outer->Add(inner);
+
+	auto tunnel_opt_len = data[0] << 1;
+	auto vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+	if ( len < tunnel_header_len  + tunnel_opt_len )
+		{
+		ProtocolViolation("Geneve option header truncation", reinterpret_cast<const char*>(data), len);
+		return;
+		}
+
+	// Skip over the Geneve headers and create a new packet.
+	data += tunnel_header_len + tunnel_opt_len;
+	caplen -= tunnel_header_len + tunnel_opt_len;
+	len -= tunnel_header_len + tunnel_opt_len;
+
+	pkt_timeval ts;
+	ts.tv_sec = static_cast<time_t>(run_state::current_timestamp);
+	ts.tv_usec = static_cast<suseconds_t>((run_state::current_timestamp - static_cast<double>(ts.tv_sec)) * 1000000);
+	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+	pkt.encap = outer;
+
+	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
+		{
+		ProtocolViolation("Geneve invalid inner packet");
+		return;
+		}
+
+	// This isn't really an error. It's just that the inner packet wasn't an IP packet (like ARP).
+	// Just return without reporting a violation.
+	if ( ! pkt.ip_hdr )
+		return;
+
+	ProtocolConfirmation();
+
+	if ( geneve_packet )
+		Conn()->EnqueueEvent(geneve_packet, nullptr, ConnVal(),
+		                     pkt.ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
+	}
+
+} // namespace zeek::analyzer::geneve
--- a/src/analyzer/protocol/geneve/Geneve.h
+++ b/src/analyzer/protocol/geneve/Geneve.h
@ -0,0 +1,24 @@
+// See the file  in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/analyzer/Analyzer.h"
+
+namespace zeek::analyzer::geneve {
+
+class Geneve_Analyzer final : public analyzer::Analyzer {
+public:
+	explicit Geneve_Analyzer(Connection* conn)
+	    : Analyzer("Geneve", conn)
+		{}
+
+	void Done() override;
+
+	void DeliverPacket(int len, const u_char* data, bool orig,
+	                   uint64_t seq, const IP_Hdr* ip, int caplen) override;
+
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{ return new Geneve_Analyzer(conn); }
+};
+
+} // namespace zeek::analyzer::vxlan
--- a/src/analyzer/protocol/geneve/Plugin.cc
+++ b/src/analyzer/protocol/geneve/Plugin.cc
@ -0,0 +1,22 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/analyzer/Component.h"
+#include "zeek/analyzer/protocol/geneve/Geneve.h"
+
+namespace zeek::plugin::detail::Zeek_Geneve {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::analyzer::Component("Geneve", zeek::analyzer::geneve::Geneve_Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::Geneve";
+		config.description = "Geneve analyzer";
+		return config;
+		}
+} plugin;
+
+} // namespace zeek::plugin::detail::Zeek_Geneve
--- a/src/analyzer/protocol/geneve/events.bif
+++ b/src/analyzer/protocol/geneve/events.bif
@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a Geneve tunnel.
+## See :rfc:`8926` for more information about the VXLAN protocol.
+##
+## outer: The Geneve tunnel connection.
+##
+## inner: The Geneve-encapsulated Ethernet packet header and transport header.
+##
+## vni: Geneve Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event geneve_packet%(outer: connection, inner: pkt_hdr, vni: count%);
--- a/src/types.bif
+++ b/src/types.bif
@ -193,6 +193,7 @@ enum Type %{
 	HTTP,
 	GRE,
 	VXLAN,
+	GENEVE,
 %}

 type EncapsulatingConn: record;
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@ -37,6 +37,7 @@
 1 563
 1 585
 1 587
+1 6081
 1 614
 1 631
 1 636
@ -57,8 +58,8 @@
 1 992
 1 993
 1 995
-64 and
-63 or
-64 port
+65 and
+64 or
+65 port
 42 tcp
-22 udp
+23 udp
--- a/testing/btest/Baseline/core.tunnels.geneve/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve/conn.log
@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	192.168.56.12	12313	192.168.56.11	6081	udp	geneve	3.006029	424	0	S0	-	-	0	D	4	536	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.12	18896	192.168.56.11	6081	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.11	16613	192.168.56.12	6081	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.56.11	35671	192.168.56.12	6081	udp	geneve	3.006103	424	0	S0	-	-	0	D	4	536	0	0	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	10.0.0.1	8	10.0.0.2	0	icmp	-	3.006247	224	224	OTH	-	-	0	-	4	336	4	336	CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.tunnels.geneve/out
+++ b/testing/btest/Baseline/core.tunnels.geneve/out
@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=62447, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6052, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=62605, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6257, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=62848, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6281, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=63054, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6530, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -118,6 +118,7 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -118,6 +118,7 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -16,6 +16,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@ -82,6 +83,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@ -138,6 +140,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
@ -671,6 +674,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) -> -1
@ -1020,6 +1024,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@ -1086,6 +1091,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@ -1142,6 +1148,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GENEVE, {6081/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
@ -1675,6 +1682,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek)
@ -2024,6 +2032,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@ -2090,6 +2099,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@ -2146,6 +2156,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, {6081/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
@ -2678,6 +2689,7 @@
 0.000000 | HookLoadFile  ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_HTTP.functions.bif.zeek <...>/Zeek_HTTP.functions.bif.zeek