diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 75055a3e47..60c804f2fd 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -1,11 +1,11 @@
 @load base/packet-protocols/default
 @load base/packet-protocols/ethernet
-#@load base/packet-protocols/fddi
-#@load base/packet-protocols/ieee802_11
-#@load base/packet-protocols/ieee802_11_radio
-#@load base/packet-protocols/linux_sll
-#@load base/packet-protocols/nflog
-#@load base/packet-protocols/null
-#@load base/packet-protocols/ppp_serial
-#@load base/packet-protocols/pppoe
-#@load base/packet-protocols/vlan
+@load base/packet-protocols/fddi
+@load base/packet-protocols/ieee802_11
+@load base/packet-protocols/ieee802_11_radio
+@load base/packet-protocols/linux_sll
+@load base/packet-protocols/nflog
+@load base/packet-protocols/null
+@load base/packet-protocols/ppp_serial
+@load base/packet-protocols/pppoe
+@load base/packet-protocols/vlan
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index 05feb246db..efcbf8adb7 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
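Review bot: Enabling `ppp_serial` by default here puts PPPSerialAnalyzer::Analyze in front of untrusted captures, and in this same commit that function reads `data[2]`/`data[3]` with no comparison against `packet->GetEndOfData()`, unlike every other analyzer turned on in this list. I would hold the `+@load base/packet-protocols/ppp_serial` line until that guard lands, or at least call the gap out in the commit message. Separately, ethernet/main.zeek now routes EtherTypes to `ANALYZER_MPLS` and `ANALYZER_ARP`, but no `mpls` or `arp` script directory is loaded here; if those directories ship a `main.zeek` with config_map entries they need a `@load` too, which I cannot confirm from this diff.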
@@ -1,21 +1,26 @@ module PacketAnalyzer::Ethernet; +export { + ## IEEE 802.2 SNAP analyzer + const snap_analyzer: PacketAnalyzer::Tag &redef; + ## Novell raw IEEE 802.3 analyzer + const novell_raw_analyzer: PacketAnalyzer::Tag &redef; + ## IEEE 802.2 LLC analyzer + const llc_analyzer: PacketAnalyzer::Tag &redef; +} + const DLT_EN10MB : count = 1; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), + 
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) }; - -const snap_analyzer: PacketAnalyzer::Tag &redef; -const novell_raw_analyzer: PacketAnalyzer::Tag &redef; -const llc_analyzer: PacketAnalyzer::Tag &redef; diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index b503a143f1..372b098587 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek @@ -3,5 +3,6 @@ module LL_FDDI; const DLT_FDDI : count = 10; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI) + PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) }; diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 3aeeea9d75..b318c514a3 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc 
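Review bot: Two of the config_map entries in this hunk route an EtherType to an analyzer whose name does not match the EtherType, and a reader of a base script should not have to look that up; add `# 0x8035 is RARP, which shares the ARP frame layout` above the 0x8035 entry and `# 0x88A8 (802.1ad) and 0x9100 are outer QinQ tags, handled like 0x8100` above the 0x88A8 entry. The new `##` docs on the three exported tags say what each tag is but not who consumes them, since nothing in this config_map references them; a sentence noting that they are read by the Ethernet analyzer itself would help, though I cannot see the consumer from this diff. The hunk starts on the previous line with the `module` declaration.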
@@ -76,4 +76,15 @@ AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, return inner_analyzer->Analyze(packet, data); } +AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const + { + if ( default_analyzer ) + return default_analyzer->Analyze(packet, data); + + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", + GetAnalyzerName()); + packet->Weird("no_suitable_analyzer_found"); + return AnalyzerResult::Terminate; + } + } \ No newline at end of file diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 80191d61fe..a52ab4d8df 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -125,6 +125,17 @@ protected: virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, uint32_t identifier) const; + /** + * Triggers default analysis of the encapsulated packet if the default analyzer + * is set. + * + * @param packet The packet to analyze. + * @param data Reference to the payload pointer into the raw packet. + * + * @return The outcome of the analysis. + */ + AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const; + private: Tag tag; Dispatcher dispatcher; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index df1e5ca0d3..fbcef0f2c9 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt 
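Review bot: The file now ends without a trailing newline (`\ No newline at end of file` after the closing brace of the namespace); add one so the next change to this file does not show up as a spurious edit of that brace. The overload itself is fine: it is the only place the `no_suitable_analyzer_found` weird is raised, and every analyzer that returns `AnalyzeInnerPacket(packet, data)` in this commit relies on its `Terminate` result to stop the chain, so that pairing belongs in the header comment rather than only in the DBG_LOG text.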
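Review bot: Declaring a non-virtual `AnalyzeInnerPacket(Packet*, const uint8_t*&)` next to the virtual three-argument overload means any subclass that overrides the three-argument one hides the two-argument one, and a call such as `AnalyzeInnerPacket(packet, data)` from that subclass stops compiling; either require such subclasses to add `using Analyzer::AnalyzeInnerPacket;` or give the default path its own name, e.g. `AnalyzeInnerPacketDefault`. The doc comment also omits the failure case; add `When no default analyzer is configured, raises the no_suitable_analyzer_found weird and returns Terminate.` so callers know the chain stops rather than falls through. None of the analyzers in this commit override the three-argument overload, so this is latent rather than a current break.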
@@ -1,18 +1,18 @@ add_subdirectory(default) -#add_subdirectory(wrapper) -#add_subdirectory(null) +add_subdirectory(wrapper) +add_subdirectory(null) add_subdirectory(ethernet) -#add_subdirectory(vlan) -#add_subdirectory(pppoe) -#add_subdirectory(ppp_serial) -#add_subdirectory(ieee802_11) -#add_subdirectory(ieee802_11_radio) -#add_subdirectory(fddi) -#add_subdirectory(nflog) -#add_subdirectory(mpls) -#add_subdirectory(linux_sll) -# -#add_subdirectory(arp) +add_subdirectory(vlan) +add_subdirectory(pppoe) +add_subdirectory(ppp_serial) +add_subdirectory(ieee802_11) +add_subdirectory(ieee802_11_radio) +add_subdirectory(fddi) +add_subdirectory(nflog) +add_subdirectory(mpls) +add_subdirectory(linux_sll) + +add_subdirectory(arp) add_subdirectory(ipv4) add_subdirectory(ipv6) diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index eec4f72860..27d71d807d 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -9,11 +9,11 @@ ARPAnalyzer::ARPAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; // Leave packet analyzer land - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index 9bd1c8a009..a6a7a445c1 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -12,7 +12,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { 
diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 8cf503f85a..25235cca3e 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -10,17 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto hdr_size = 13 + 8; // FDDI header + LLC if ( data + hdr_size >= packet->GetEndOfData() ) { packet->Weird("FDDI_analyzer_failed"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // We just skip the header and hope for default analysis data += hdr_size; - return { AnalyzerResult::Continue, -1 }; + return AnalyzeInnerPacket(packet, data); } diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index adb87d8dd7..4219529c6a 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index a0e6eb999f..f0a9720605 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -10,7 +10,7 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); 
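Review bot: FDDIAnalyzer::Analyze never fills `packet->l2_src`/`l2_dst` and never looks at the LLC/SNAP header it skips, so the inner protocol is chosen entirely by whatever default analyzer fddi/main.zeek registers; the comment `We just skip the header and hope for default analysis` should state that as an assumption, not a hope. I would replace it with `// Assumes a 13-byte FDDI MAC header followed by an 8-byte LLC/SNAP header and parses neither: l2 addresses are left unset and the SNAP EtherType is ignored, so dispatch depends solely on the default analyzer configured for FDDI.` The `data + hdr_size >= packet->GetEndOfData()` check also rejects a frame that is exactly header-sized, which matches the other analyzers in this commit and is worth a word so nobody "fixes" it to `>`.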
@@ -19,18 +19,18 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } u_char fc_80211 = data[0]; // Frame Control field // Skip non-data frame types (management & control). if ( ! ((fc_80211 >> 2) & 0x02) ) - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; // Skip subtypes without data. if ( (fc_80211 >> 4) & 0x04 ) - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; // 'To DS' and 'From DS' flags set indicate use of the 4th // address field. @@ -43,7 +43,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // Skip in case of A-MSDU subframes indicated by QoS // control field. if ( data[len_80211] & 0x80 ) - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; len_80211 += 2; } @@ -51,7 +51,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Determine link-layer addresses based @@ -85,7 +85,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p if ( data + 8 >= end_of_data ) { packet->Weird("truncated_802_11_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Check that the DSAP and SSAP are both SNAP and that the control 
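Review bot: `data[len_80211]` in the QoS branch is read before the truncation check that follows it in the next hunk (`if ( data + len_80211 >= end_of_data )`), and the only earlier check covered the initial `len_80211`; if the lines between the two hunks grow `len_80211` for the fourth address field, as the `'To DS' and 'From DS'` comment suggests, a frame truncated inside that field reads one byte past the captured data. Move the `truncated_802_11_header` check up so it runs before the QoS byte is read, or add `if ( data + len_80211 >= end_of_data ) return AnalyzerResult::Failed;` at the top of this branch. The enclosing function starts and ends outside this hunk, so I cannot see the address adjustment itself.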
@@ -102,11 +102,11 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // If this is a logical link control frame without the // possibility of having a protocol we care about, we'll // just skip it for now. - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } uint32_t protocol = (data[0] << 8) + data[1]; data += 2; - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index beccbd59d9..842f182bcd 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -12,7 +12,7 @@ public: IEEE802_11Analyzer(); ~IEEE802_11Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 26bdf9f041..703906ac82 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -12,14 +12,14 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); if ( data + 3 >= end_of_data ) { packet->Weird("truncated_radiotap_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Skip over the RadioTap header 
@@ -28,10 +28,10 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Pac if ( data + rtheader_len >= end_of_data ) { packet->Weird("truncated_radiotap_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } data += rtheader_len; - return { AnalyzerResult::Continue, DLT_IEEE802_11 }; + return AnalyzeInnerPacket(packet, data, DLT_IEEE802_11); } diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index 1c50c07dbd..e9f306ef26 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 56149c42f1..740b63a518 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -9,12 +9,12 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() ) { packet->Weird("truncated_Linux_SLL_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } //TODO: Handle different ARPHRD_types 
@@ -28,5 +28,5 @@ zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* pac packet->l2_dst = Packet::L2_EMPTY_ADDR; data += sizeof(SLLHeader); - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index f9519b214f..b62b3a3f59 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 2d507a4fc8..962e206239 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -9,7 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); @@ -21,7 +21,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } end_of_stack = *(data + 2u) & 0x01; @@ -33,7 +33,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto ip = (const struct ip*)data; 
@@ -46,9 +46,9 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, { // Neither IPv4 nor IPv6. packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } packet->hdr_size = (data - packet->data); - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 61439ee4c4..caade44f94 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index 3b5fc3a86a..e2b7c218d2 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,7 +10,7 @@ NFLogAnalyzer::NFLogAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { +zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html @@ -20,7 +20,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet if ( version != 0 ) { packet->Weird("unknown_nflog_version"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Skip to TLVs. 
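Review bot: After the label stack this analyzer sniffs the IP version itself, sets `packet->hdr_size` and returns `Terminate`, instead of calling `AnalyzeInnerPacket(packet, data, protocol)` with 0x0800/0x86DD the way VLAN, PPPoE and the other analyzers in this commit now do, which leaves MPLS as the one path that bypasses the IPv4/IPv6 packet analyzers registered in config_map. If that is deliberate for now, a note such as `// TODO: dispatch to the IP analyzers via AnalyzeInnerPacket instead of terminating here` would keep the next reader from changing it blind; I cannot see whether the lines above set `l3_proto`. The enclosing function starts outside this hunk.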
@@ -34,7 +34,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet if ( data + 4 >= end_of_data ) { packet->Weird("nflog_no_pcap_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // TLV Type and Length values are specified in host byte order @@ -61,7 +61,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet if ( tlv_len < 4 ) { packet->Weird("nflog_bad_tlv_len"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } else { @@ -75,5 +75,5 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet } } - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index bc5b34eb2a..6cb1335373 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 5c61a53897..bac13dcf07 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc 
@@ -10,16 +10,16 @@ NullAnalyzer::NullAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("null_analyzer_failed"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; data += 4; // skip link header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index 1df209225a..d25cf8a2d9 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -12,7 +12,7 @@ public: NullAnalyzer(); ~NullAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index da28fc6dc4..9ec9596c11 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -10,11 +10,11 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Extract protocol identifier uint32_t protocol = (data[2] << 8) + data[3]; data += 4; // skip link header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } 
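Review bot: The protocol field is assembled little-endian (`data[0]` as the low byte) with nothing saying why, yet DLT_NULL stores the address family in the byte order of the host that made the capture, so a trace from a big-endian capturer yields a value such as 0x02000000 and silently falls to the default analyzer. Document the assumption above the assignment: `// DLT_NULL carries the address family in the capturing host's byte order; we assume little-endian, so big-endian captures will not match the configured identifiers.` Whether a byte-swapped fallback is wanted is a separate decision, but the limitation should be visible at the line that encodes it.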
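Review bot: PPPSerialAnalyzer::Analyze reads `data[2]` and `data[3]` and advances `data` by 4 without ever comparing against `packet->GetEndOfData()`, so a capture whose last frame is shorter than four bytes reads past the buffer; every other analyzer in this commit guards its header read this way, and this analyzer is now loaded by default from __load__.zeek. Add the same guard before the read, with a weird so the truncation is visible in weird.log like the others; the `>=` form matches the sibling analyzers.
```cpp
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
	{
	// PPP-over-serial header is 4 bytes: address, control, 16-bit protocol.
	if ( data + 4 >= packet->GetEndOfData() )
		{
		packet->Weird("truncated_ppp_serial_header");
		return AnalyzerResult::Failed;
		}

	// … unchanged: protocol extraction and AnalyzeInnerPacket dispatch …
```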
diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 75003f4242..c10c34d92e 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 53b004b733..899f62d512 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -10,17 +10,17 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 8 >= packet->GetEndOfData() ) { packet->Weird("truncated_pppoe_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Extract protocol identifier uint32_t protocol = (data[6] << 8u) + data[7]; data += 8; // Skip the PPPoE session and PPP header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index cbb08fabc1..164a96b8e6 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h @@ -12,7 +12,7 @@ public: PPPoEAnalyzer(); ~PPPoEAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { 
diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index 84fcfe28dd..364e1c9096 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -10,12 +10,12 @@ VLANAnalyzer::VLANAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("truncated_VLAN_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan; @@ -25,5 +25,5 @@ zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, packet->eth_type = protocol; data += 4; // Skip the VLAN header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index 94446c0766..d2169374f1 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index eed1087acf..ea04b3a8c9 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc 
@@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if @@ -27,7 +27,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } data += cfplen; @@ -57,7 +57,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan; @@ -75,7 +75,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + 8 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } protocol = (data[6] << 8u) + data[7]; @@ -89,7 +89,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack { // Neither IPv4 nor IPv6. packet->Weird("non_ip_packet_in_pppoe_encapsulation"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } } break; @@ -113,7 +113,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack { // Neither IPv4 nor IPv6. packet->Weird("non_ip_packet_in_ethernet"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } } 
@@ -127,7 +127,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } end_of_stack = *(data + 2u) & 0x01; @@ -138,7 +138,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } const struct ip* ip = (const struct ip*)data; @@ -151,12 +151,12 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack { // Neither IPv4 nor IPv6. packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } } // Calculate how much header we've used up. packet->hdr_size = (data - packet->data); - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index 38fb6ca268..20ddd66fb5 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -12,7 +12,7 @@ public: WrapperAnalyzer(); ~WrapperAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/Baseline/core.raw_packet/output b/testing/btest/Baseline/core.raw_packet/output index b9e82f8b70..c642d3cd0b 100644 --- a/testing/btest/Baseline/core.raw_packet/output +++ b/testing/btest/Baseline/core.raw_packet/output 
@@ -1,15 +1,18 @@ [l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, ttl=64, p=17, src=192.168.1.1, dst=255.255.255.255], ip6=, tcp=, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=] [l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=54, id=52261, ttl=64, p=6, src=192.168.1.103, dst=64.4.23.176], ip6=, tcp=[sport=65493/tcp, dport=40031/tcp, seq=2642773190, ack=2891276360, hl=32, dl=2, reserved=0, flags=24, win=4096], udp=, icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=32575, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, udp=[sport=65170/udp, dport=53/udp, ulen=44], icmp=] [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=55466, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, udp=[sport=53129/udp, dport=53/udp, ulen=44], icmp=] [l2=[encap=LINK_ETHERNET, len=92, cap_len=92, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=78, id=32240, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, udp=[sport=53129/udp, dport=53/udp, ulen=58], icmp=] [l2=[encap=LINK_ETHERNET, len=85, cap_len=85, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=71, id=53895, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, 
udp=[sport=57932/udp, dport=53/udp, ulen=51], icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=307, cap_len=307, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=293, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=273], icmp=] [l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=] [l2=[encap=LINK_ETHERNET, len=379, cap_len=379, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=365, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=345], icmp=] [l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=355, cap_len=355, 
src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=341, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=321], icmp=] [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=387, cap_len=387, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=373, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=353], icmp=] 
@@ -27,6 +30,7 @@ [l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=85, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=28558, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176123, ack=445274652, hl=32, dl=31, reserved=0, flags=24, win=4096], udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=36529, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176154, ack=445274652, hl=32, dl=0, reserved=0, flags=17, win=4096], udp=, icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:19:06:ea:b8:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] 
diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek
index a0c4fa6757..b0cc2f1249 100644
--- a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek
+++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek
@@ -1,5 +1,3 @@
 module Packet_BAR;
 
-redef PacketAnalyzer::config_map += {
-	PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=1501, $analyzer=PacketAnalyzer::ANALYZER_BAR),
-};
+redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_BAR;
\ No newline at end of file
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
index f0588e7627..27cf68235c 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
@@ -10,7 +10,7 @@ Bar::Bar()
 	{
 	}
 
-zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const uint8_t*& data)
+zeek::packet_analysis::AnalyzerResult Bar::Analyze(Packet* packet, const uint8_t*& data)
 	{
 	auto end_of_data = packet->GetEndOfData();
 
@@ -18,7 +18,7 @@ zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const ui
 	if ( data + 17 >= end_of_data )
 		{
 		packet->Weird("truncated_llc_header");
-		return { AnalyzerResult::Failed, 0 };
+		return AnalyzerResult::Failed;
 		}
 
 	auto dsap = data[14];
@@ -30,5 +30,5 @@ zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const ui
 		val_mgr->Count(ssap), val_mgr->Count(control));
 
-	return { AnalyzerResult::Terminate, 0 };
+	return AnalyzerResult::Terminate;
 	}
 
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
index 83f0bf6ce9..ad1ee8185e 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
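Review bot: The guard `if ( data + 17 >= end_of_data )` and the fixed offset `auto dsap = data[14];` in the Bar.cc -18 hunk assume `data` still points at the start of the Ethernet frame when the LLC analyzer runs, and now that the analyzer is attached through `PacketAnalyzer::Ethernet::llc_analyzer` instead of an ethertype entry, nothing in the diff states that assumption; if the Ethernet analyzer advances `data` past its 14-byte header before dispatching, these reads land 14 bytes too far into the packet. A one-line comment would pin it down: `// data points at the Ethernet header; the LLC DSAP/SSAP/control bytes start at offset 14.` The `>=` also rejects a frame that ends exactly after the control byte, and forming `data + 17` past the buffer end is technically undefined, so `if ( end_of_data - data < 17 )` would be the safer form. The Ethernet analyzer itself is not in this diff, so the offset concern is inferred from the indices alone.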
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
@@ -10,7 +10,7 @@ public:
 	Bar();
 	~Bar() override = default;
 
-	AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
+	AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
 
 	static AnalyzerPtr Instantiate()
 		{