GH-1125: Support GRE ARUBA headers

src/packet_analysis/protocol/gre/GRE.cc

@@ -85,7 +85,6 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 				{
 				eth_len = 14;
 				gre_link_type = DLT_EN10MB;
-				proto_typ = ntohs(*((uint16_t*)(data + gre_len + eth_len - 2)));
 				}
 			else
 				{
@@ -113,7 +112,6 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 						return false;
 						}
 					}
-				proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
 				}
 			else
 				{
@@ -144,8 +142,32 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 						return false;
 						}
 					}
+				}
+			else
+				{
+				Weird("truncated_GRE", packet);
+				return false;
+				}
+			}
 
-				proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
+		else if ( proto_typ == 0x8200 )
+			{
+			// ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then
+			// an 8-byte LLC header, then IPv4. There's very little in the way of documentation
+			// for ARUBA's header format. This is all based on the one sample file we have that
+			// contains it.
+			if ( len > gre_len + 34 )
+				{
+				gre_link_type = DLT_EN10MB;
+				erspan_len = 34;
+
+				// TODO: fix this, but it's gonna require quite a bit more surgery to the GRE
+				// analyzer to make it more independent from the IPTunnel analyzer.
+				// Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the
+				// first header as IP instead of Ethernet which it does by default when
+				// gre_version is 0.
+				gre_version = 1;
+				proto = (data[gre_len + 34] & 0xF0) >> 4;
 				}
 			else
 				{
@@ -187,7 +209,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
-	if ( gre_version == 1 )
+	if ( gre_version == 1 && proto_typ != 0x8200 )
 		{
 		uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
 

src/packet_analysis/protocol/iptunnel/IPTunnel.cc

@@ -84,13 +84,12 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 		tunnel_it->second.second = zeek::run_state::network_time;
 
 	if ( gre_version == 0 )
-		ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
-		                          gre_link_type, packet->encap, ip_tunnels[tunnel_idx].first);
-	else
-		ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner, packet->encap,
+		return ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
+		                                 gre_link_type, packet->encap,
 		                                 ip_tunnels[tunnel_idx].first);
-
-	return true;
+	else
+		return ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner,
+		                                 packet->encap, ip_tunnels[tunnel_idx].first);
 	}
 
 /**

testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.3.34.171	0	10.33.10.23	0	Tunnel::GRE	Tunnel::DISCOVER
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/tunnels/gre-aruba.zeek

@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels