Migrate all packet analyzers to new API.

This commit is contained in:
Jan Grashoefer 2020-08-24 17:34:42 +02:00 committed by Tim Wojtulewicz
parent cbdaa53f85
commit 6365fa6d80
34 changed files with 135 additions and 105 deletions


@ -76,4 +76,15 @@ AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet,
return inner_analyzer->Analyze(packet, data);
}
AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const
{
if ( default_analyzer )
return default_analyzer->Analyze(packet, data);
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
GetAnalyzerName());
packet->Weird("no_suitable_analyzer_found");
return AnalyzerResult::Terminate;
}
}


@ -125,6 +125,17 @@ protected:
virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data,
uint32_t identifier) const;
/**
* Triggers default analysis of the encapsulated packet if the default analyzer
* is set.
*
* @param packet The packet to analyze.
* @param data Reference to the payload pointer into the raw packet.
*
* @return The outcome of the analysis.
*/
AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const;
private:
Tag tag;
Dispatcher dispatcher;


@ -1,18 +1,18 @@
add_subdirectory(default)
#add_subdirectory(wrapper)
#add_subdirectory(null)
add_subdirectory(wrapper)
add_subdirectory(null)
add_subdirectory(ethernet)
#add_subdirectory(vlan)
#add_subdirectory(pppoe)
#add_subdirectory(ppp_serial)
#add_subdirectory(ieee802_11)
#add_subdirectory(ieee802_11_radio)
#add_subdirectory(fddi)
#add_subdirectory(nflog)
#add_subdirectory(mpls)
#add_subdirectory(linux_sll)
#
#add_subdirectory(arp)
add_subdirectory(vlan)
add_subdirectory(pppoe)
add_subdirectory(ppp_serial)
add_subdirectory(ieee802_11)
add_subdirectory(ieee802_11_radio)
add_subdirectory(fddi)
add_subdirectory(nflog)
add_subdirectory(mpls)
add_subdirectory(linux_sll)
add_subdirectory(arp)
add_subdirectory(ipv4)
add_subdirectory(ipv6)


@ -9,11 +9,11 @@ ARPAnalyzer::ARPAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
// TODO: Make ARP analyzer a native packet analyzer
packet->l3_proto = L3_ARP;
// Leave packet analyzer land
return { AnalyzerResult::Terminate, 0 };
return AnalyzerResult::Terminate;
}


@ -12,7 +12,7 @@ public:
ARPAnalyzer();
~ARPAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,17 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
auto hdr_size = 13 + 8; // FDDI header + LLC
if ( data + hdr_size >= packet->GetEndOfData() )
{
packet->Weird("FDDI_analyzer_failed");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// We just skip the header and hope for default analysis
data += hdr_size;
return { AnalyzerResult::Continue, -1 };
return AnalyzeInnerPacket(packet, data);
}


@ -12,7 +12,7 @@ public:
FDDIAnalyzer();
~FDDIAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,7 +10,7 @@ IEEE802_11Analyzer::IEEE802_11Analyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data)
{
auto end_of_data = packet->GetEndOfData();
@ -19,18 +19,18 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
if ( data + len_80211 >= end_of_data )
{
packet->Weird("truncated_802_11_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
u_char fc_80211 = data[0]; // Frame Control field
// Skip non-data frame types (management & control).
if ( ! ((fc_80211 >> 2) & 0x02) )
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
// Skip subtypes without data.
if ( (fc_80211 >> 4) & 0x04 )
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
// 'To DS' and 'From DS' flags set indicate use of the 4th
// address field.
@ -43,7 +43,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
// Skip in case of A-MSDU subframes indicated by QoS
// control field.
if ( data[len_80211] & 0x80 )
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
len_80211 += 2;
}
@ -51,7 +51,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
if ( data + len_80211 >= end_of_data )
{
packet->Weird("truncated_802_11_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// Determine link-layer addresses based
@ -85,7 +85,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
if ( data + 8 >= end_of_data )
{
packet->Weird("truncated_802_11_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// Check that the DSAP and SSAP are both SNAP and that the control
@ -102,11 +102,11 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
// If this is a logical link control frame without the
// possibility of having a protocol we care about, we'll
// just skip it for now.
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
uint32_t protocol = (data[0] << 8) + data[1];
data += 2;
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}


@ -12,7 +12,7 @@ public:
IEEE802_11Analyzer();
~IEEE802_11Analyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -12,14 +12,14 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
auto end_of_data = packet->GetEndOfData();
if ( data + 3 >= end_of_data )
{
packet->Weird("truncated_radiotap_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// Skip over the RadioTap header
@ -28,10 +28,10 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Pac
if ( data + rtheader_len >= end_of_data )
{
packet->Weird("truncated_radiotap_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
data += rtheader_len;
return { AnalyzerResult::Continue, DLT_IEEE802_11 };
return AnalyzeInnerPacket(packet, data, DLT_IEEE802_11);
}


@ -12,7 +12,7 @@ public:
IEEE802_11_RadioAnalyzer();
~IEEE802_11_RadioAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -9,12 +9,12 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() )
{
packet->Weird("truncated_Linux_SLL_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
//TODO: Handle different ARPHRD_types
@ -28,5 +28,5 @@ zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* pac
packet->l2_dst = Packet::L2_EMPTY_ADDR;
data += sizeof(SLLHeader);
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}


@ -12,7 +12,7 @@ public:
LinuxSLLAnalyzer();
~LinuxSLLAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -9,7 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
auto end_of_data = packet->GetEndOfData();
@ -21,7 +21,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet,
if ( data + 4 >= end_of_data )
{
packet->Weird("truncated_link_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
end_of_stack = *(data + 2u) & 0x01;
@ -33,7 +33,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet,
if ( data + sizeof(struct ip) >= end_of_data )
{
packet->Weird("no_ip_in_mpls_payload");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
auto ip = (const struct ip*)data;
@ -46,9 +46,9 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet,
{
// Neither IPv4 nor IPv6.
packet->Weird("no_ip_in_mpls_payload");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
packet->hdr_size = (data - packet->data);
return { AnalyzerResult::Terminate, 0 };
return AnalyzerResult::Terminate;
}


@ -12,7 +12,7 @@ public:
MPLSAnalyzer();
~MPLSAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,7 +10,7 @@ NFLogAnalyzer::NFLogAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) {
zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) {
auto end_of_data = packet->GetEndOfData();
// See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
@ -20,7 +20,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
if ( version != 0 )
{
packet->Weird("unknown_nflog_version");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// Skip to TLVs.
@ -34,7 +34,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
if ( data + 4 >= end_of_data )
{
packet->Weird("nflog_no_pcap_payload");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// TLV Type and Length values are specified in host byte order
@ -61,7 +61,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
if ( tlv_len < 4 )
{
packet->Weird("nflog_bad_tlv_len");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
else
{
@ -75,5 +75,5 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
}
}
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}


@ -12,7 +12,7 @@ public:
NFLogAnalyzer();
~NFLogAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static AnalyzerPtr Instantiate()
{


@ -10,16 +10,16 @@ NullAnalyzer::NullAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
if ( data + 4 >= packet->GetEndOfData() )
{
packet->Weird("null_analyzer_failed");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
data += 4; // skip link header
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}
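Review bot: In NullAnalyzer::Analyze the expression `data[3] << 24` promotes the uint8_t to a signed int, so a header byte of 0x80 or above shifts a one bit into the sign bit, which is undefined behaviour before C++20 and is reachable from any capture that carries such a byte in its DLT_NULL link header. The sibling analyzers in this commit only shift by 8, so they cannot reach the sign bit, but this one should assemble the value in unsigned arithmetic: `uint32_t protocol = (uint32_t(data[3]) << 24) | (uint32_t(data[2]) << 16) | (uint32_t(data[1]) << 8) | data[0];`. The bounds check above it already guarantees the four bytes are readable, so no further guard is needed.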


@ -12,7 +12,7 @@ public:
NullAnalyzer();
~NullAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,11 +10,11 @@ PPPSerialAnalyzer::PPPSerialAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
// Extract protocol identifier
uint32_t protocol = (data[2] << 8) + data[3];
data += 4; // skip link header
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}
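Review bot: PPPSerialAnalyzer::Analyze reads data[2] and data[3] and advances data by four bytes without first checking that those bytes lie before packet->GetEndOfData(), which every other analyzer in this commit does before touching its header (PPPoE, VLAN, Null, Linux SLL all guard with `data + N >= packet->GetEndOfData()`); on a truncated frame this reads past the packet buffer, and the new AnalyzeInnerPacket call then hands a past-the-end pointer to whatever analyzer is dispatched next. Add the same guard ahead of the protocol extraction, reporting a weird in the style of the neighbouring analyzers (the name below is a constructed suggestion, not one that exists on this page) and returning Failed as they do.
```cpp
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
	{
	if ( data + 4 >= packet->GetEndOfData() )
		{
		packet->Weird("truncated_ppp_serial_header");
		return AnalyzerResult::Failed;
		}

	// … unchanged: protocol extraction, data += 4, AnalyzeInnerPacket call …
```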


@ -12,7 +12,7 @@ public:
PPPSerialAnalyzer();
~PPPSerialAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,17 +10,17 @@ PPPoEAnalyzer::PPPoEAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
if ( data + 8 >= packet->GetEndOfData() )
{
packet->Weird("truncated_pppoe_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
// Extract protocol identifier
uint32_t protocol = (data[6] << 8u) + data[7];
data += 8; // Skip the PPPoE session and PPP header
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}


@ -12,7 +12,7 @@ public:
PPPoEAnalyzer();
~PPPoEAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,12 +10,12 @@ VLANAnalyzer::VLANAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
if ( data + 4 >= packet->GetEndOfData() )
{
packet->Weird("truncated_VLAN_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
@ -25,5 +25,5 @@ zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet,
packet->eth_type = protocol;
data += 4; // Skip the VLAN header
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}


@ -12,7 +12,7 @@ public:
VLANAnalyzer();
~VLANAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{


@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer()
{
}
zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
// Unfortunately some packets on the link might have MPLS labels
// while others don't. That means we need to ask the link-layer if
@ -27,7 +27,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
if ( data + cfplen + 14 >= end_of_data )
{
packet->Weird("truncated_link_header_cfp");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
data += cfplen;
@ -57,7 +57,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
if ( data + 4 >= end_of_data )
{
packet->Weird("truncated_link_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
@ -75,7 +75,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
if ( data + 8 >= end_of_data )
{
packet->Weird("truncated_link_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
protocol = (data[6] << 8u) + data[7];
@ -89,7 +89,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
{
// Neither IPv4 nor IPv6.
packet->Weird("non_ip_packet_in_pppoe_encapsulation");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
}
break;
@ -113,7 +113,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
{
// Neither IPv4 nor IPv6.
packet->Weird("non_ip_packet_in_ethernet");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
}
@ -127,7 +127,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
if ( data + 4 >= end_of_data )
{
packet->Weird("truncated_link_header");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
end_of_stack = *(data + 2u) & 0x01;
@ -138,7 +138,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
if ( data + sizeof(struct ip) >= end_of_data )
{
packet->Weird("no_ip_in_mpls_payload");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
const struct ip* ip = (const struct ip*)data;
@ -151,12 +151,12 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
{
// Neither IPv4 nor IPv6.
packet->Weird("no_ip_in_mpls_payload");
return { AnalyzerResult::Failed, 0 };
return AnalyzerResult::Failed;
}
}
// Calculate how much header we've used up.
packet->hdr_size = (data - packet->data);
return { AnalyzerResult::Continue, protocol };
return AnalyzeInnerPacket(packet, data, protocol);
}


@ -12,7 +12,7 @@ public:
WrapperAnalyzer();
~WrapperAnalyzer() override = default;
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{