Migrate all packet analyzers to new API.
parent
cbdaa53f85
commit
6365fa6d80
34 changed files with 135 additions and 105 deletions
|
@ -1,11 +1,11 @@
|
|||
@load base/packet-protocols/default
|
||||
@load base/packet-protocols/ethernet
|
||||
#@load base/packet-protocols/fddi
|
||||
#@load base/packet-protocols/ieee802_11
|
||||
#@load base/packet-protocols/ieee802_11_radio
|
||||
#@load base/packet-protocols/linux_sll
|
||||
#@load base/packet-protocols/nflog
|
||||
#@load base/packet-protocols/null
|
||||
#@load base/packet-protocols/ppp_serial
|
||||
#@load base/packet-protocols/pppoe
|
||||
#@load base/packet-protocols/vlan
|
||||
@load base/packet-protocols/fddi
|
||||
@load base/packet-protocols/ieee802_11
|
||||
@load base/packet-protocols/ieee802_11_radio
|
||||
@load base/packet-protocols/linux_sll
|
||||
@load base/packet-protocols/nflog
|
||||
@load base/packet-protocols/null
|
||||
@load base/packet-protocols/ppp_serial
|
||||
@load base/packet-protocols/pppoe
|
||||
@load base/packet-protocols/vlan
|
||||
|
|
|
@ -1,21 +1,26 @@
|
|||
module PacketAnalyzer::Ethernet;
|
||||
|
||||
export {
|
||||
## IEEE 802.2 SNAP analyzer
|
||||
const snap_analyzer: PacketAnalyzer::Tag &redef;
|
||||
## Novell raw IEEE 802.3 analyzer
|
||||
const novell_raw_analyzer: PacketAnalyzer::Tag &redef;
|
||||
## IEEE 802.2 LLC analyzer
|
||||
const llc_analyzer: PacketAnalyzer::Tag &redef;
|
||||
}
|
||||
|
||||
const DLT_EN10MB : count = 1;
|
||||
|
||||
redef PacketAnalyzer::config_map += {
|
||||
PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
|
||||
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
|
||||
};
|
||||
|
||||
const snap_analyzer: PacketAnalyzer::Tag &redef;
|
||||
const novell_raw_analyzer: PacketAnalyzer::Tag &redef;
|
||||
const llc_analyzer: PacketAnalyzer::Tag &redef;
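Review bot: The newly enabled `config_map` entries use bare EtherType constants, and the `0x8035` → `ANALYZER_ARP` mapping in particular reads like a typo of `0x0806` to anyone who does not know that 0x8035 is RARP. A one-line comment on each of the two ARP entries would prevent a future "fix" that silently drops RARP handling: `# 0x0806 = ARP, 0x8035 = RARP; both are parsed by the ARP analyzer`. The same applies to the three VLAN entries (`0x8100` 802.1Q, `0x88A8` 802.1ad S-tag, `0x9100` legacy Q-in-Q), which otherwise look like duplicates.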
|
||||
|
|
|
@ -3,5 +3,6 @@ module LL_FDDI;
|
|||
const DLT_FDDI : count = 10;
|
||||
|
||||
redef PacketAnalyzer::config_map += {
|
||||
PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI)
|
||||
PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI),
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
|
||||
};
|
||||
|
|
|
@ -76,4 +76,15 @@ AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet,
|
|||
return inner_analyzer->Analyze(packet, data);
|
||||
}
|
||||
|
||||
AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const
|
||||
{
|
||||
if ( default_analyzer )
|
||||
return default_analyzer->Analyze(packet, data);
|
||||
|
||||
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
|
||||
GetAnalyzerName());
|
||||
packet->Weird("no_suitable_analyzer_found");
|
||||
return AnalyzerResult::Terminate;
|
||||
}
|
||||
|
||||
}
|
|
@ -125,6 +125,17 @@ protected:
|
|||
virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data,
|
||||
uint32_t identifier) const;
|
||||
|
||||
/**
|
||||
* Triggers default analysis of the encapsulated packet if the default analyzer
|
||||
* is set.
|
||||
*
|
||||
* @param packet The packet to analyze.
|
||||
* @param data Reference to the payload pointer into the raw packet.
|
||||
*
|
||||
* @return The outcome of the analysis.
|
||||
*/
|
||||
AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const;
|
||||
|
||||
private:
|
||||
Tag tag;
|
||||
Dispatcher dispatcher;
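Review bot: The doc comment for the new two-argument `AnalyzeInnerPacket` says what happens when the default analyzer is set but not what happens when it is not, which is the case a caller writing a new analyzer needs to know about. From the implementation in Analyzer.cc, the unset case raises a `no_suitable_analyzer_found` weird on the packet and returns `AnalyzerResult::Terminate`, so the header should state that contract: `* If no default analyzer is configured, a "no_suitable_analyzer_found" weird is raised on the packet and AnalyzerResult::Terminate is returned.` It would also help to say that `data` is passed through unchanged to the default analyzer, i.e. the caller is expected to have advanced it past its own header first.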
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
add_subdirectory(default)
|
||||
|
||||
#add_subdirectory(wrapper)
|
||||
#add_subdirectory(null)
|
||||
add_subdirectory(wrapper)
|
||||
add_subdirectory(null)
|
||||
add_subdirectory(ethernet)
|
||||
#add_subdirectory(vlan)
|
||||
#add_subdirectory(pppoe)
|
||||
#add_subdirectory(ppp_serial)
|
||||
#add_subdirectory(ieee802_11)
|
||||
#add_subdirectory(ieee802_11_radio)
|
||||
#add_subdirectory(fddi)
|
||||
#add_subdirectory(nflog)
|
||||
#add_subdirectory(mpls)
|
||||
#add_subdirectory(linux_sll)
|
||||
#
|
||||
#add_subdirectory(arp)
|
||||
add_subdirectory(vlan)
|
||||
add_subdirectory(pppoe)
|
||||
add_subdirectory(ppp_serial)
|
||||
add_subdirectory(ieee802_11)
|
||||
add_subdirectory(ieee802_11_radio)
|
||||
add_subdirectory(fddi)
|
||||
add_subdirectory(nflog)
|
||||
add_subdirectory(mpls)
|
||||
add_subdirectory(linux_sll)
|
||||
|
||||
add_subdirectory(arp)
|
||||
add_subdirectory(ipv4)
|
||||
add_subdirectory(ipv6)
|
||||
|
|
|
@ -9,11 +9,11 @@ ARPAnalyzer::ARPAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
// TODO: Make ARP analyzer a native packet analyzer
|
||||
packet->l3_proto = L3_ARP;
|
||||
|
||||
// Leave packet analyzer land
|
||||
return { AnalyzerResult::Terminate, 0 };
|
||||
return AnalyzerResult::Terminate;
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
ARPAnalyzer();
|
||||
~ARPAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,17 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
auto hdr_size = 13 + 8; // FDDI header + LLC
|
||||
|
||||
if ( data + hdr_size >= packet->GetEndOfData() )
|
||||
{
|
||||
packet->Weird("FDDI_analyzer_failed");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// We just skip the header and hope for default analysis
|
||||
data += hdr_size;
|
||||
return { AnalyzerResult::Continue, -1 };
|
||||
return AnalyzeInnerPacket(packet, data);
|
||||
}
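Review bot: `Analyze` skips a fixed 13+8 bytes and hands the remainder to the default analyzer via `AnalyzeInnerPacket(packet, data)` without ever reading the SNAP EtherType or confirming that the 8 bytes after the FDDI MAC header are an LLC/SNAP header at all, so a non-SNAP FDDI frame is fed to whatever the default analyzer is configured for. The 802.11 analyzer in this same commit checks DSAP/SSAP and dispatches on the extracted type, and the same approach would work here (the type sits in the last two bytes of the SNAP header, and the existing `data + hdr_size` bound already covers them), presumably falling back to the default analyzer through the three-argument overload when no child matches. At minimum the comment should state the assumption rather than express hope: `// Assumes an LLC/SNAP header follows the 13-byte FDDI MAC header; the SNAP EtherType is not read, so the payload goes to the configured default analyzer regardless of what it is.`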
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
FDDIAnalyzer();
|
||||
~FDDIAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,7 +10,7 @@ IEEE802_11Analyzer::IEEE802_11Analyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
auto end_of_data = packet->GetEndOfData();
|
||||
|
||||
|
@ -19,18 +19,18 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
|
|||
if ( data + len_80211 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_802_11_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
u_char fc_80211 = data[0]; // Frame Control field
|
||||
|
||||
// Skip non-data frame types (management & control).
|
||||
if ( ! ((fc_80211 >> 2) & 0x02) )
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
|
||||
// Skip subtypes without data.
|
||||
if ( (fc_80211 >> 4) & 0x04 )
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
|
||||
// 'To DS' and 'From DS' flags set indicate use of the 4th
|
||||
// address field.
|
||||
|
@ -43,7 +43,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
|
|||
// Skip in case of A-MSDU subframes indicated by QoS
|
||||
// control field.
|
||||
if ( data[len_80211] & 0x80 )
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
|
||||
len_80211 += 2;
|
||||
}
|
||||
|
@ -51,7 +51,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
|
|||
if ( data + len_80211 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_802_11_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// Determine link-layer addresses based
|
||||
|
@ -85,7 +85,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
|
|||
if ( data + 8 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_802_11_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// Check that the DSAP and SSAP are both SNAP and that the control
|
||||
|
@ -102,11 +102,11 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p
|
|||
// If this is a logical link control frame without the
|
||||
// possibility of having a protocol we care about, we'll
|
||||
// just skip it for now.
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
uint32_t protocol = (data[0] << 8) + data[1];
|
||||
data += 2;
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
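Review bot: In the QoS branch, the read `data[len_80211] & 0x80` (A-MSDU check) happens before the `data + len_80211 >= end_of_data` check that immediately follows it; the only bound taken earlier in the function used the initial `len_80211`, and the "'To DS' and 'From DS'" comment indicates `len_80211` can grow by a fourth address before this read (that adjustment is outside the hunk). If it does grow, a capture truncated just past the base 802.11 header is read past `cap_len` by up to the address-field length. The cheapest fix is to guard the read itself, `if ( data + len_80211 >= end_of_data ) return AnalyzerResult::Failed;`, or to hoist the second truncation check above the QoS block so both the A-MSDU read and the SNAP parsing are covered by one bound. The function starts above the first hunk of this file.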
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
IEEE802_11Analyzer();
|
||||
~IEEE802_11Analyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -12,14 +12,14 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
auto end_of_data = packet->GetEndOfData();
|
||||
|
||||
if ( data + 3 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_radiotap_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// Skip over the RadioTap header
|
||||
|
@ -28,10 +28,10 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Pac
|
|||
if ( data + rtheader_len >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_radiotap_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
data += rtheader_len;
|
||||
|
||||
return { AnalyzerResult::Continue, DLT_IEEE802_11 };
|
||||
return AnalyzeInnerPacket(packet, data, DLT_IEEE802_11);
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
IEEE802_11_RadioAnalyzer();
|
||||
~IEEE802_11_RadioAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -9,12 +9,12 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() )
|
||||
{
|
||||
packet->Weird("truncated_Linux_SLL_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
//TODO: Handle different ARPHRD_types
|
||||
|
@ -28,5 +28,5 @@ zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* pac
|
|||
packet->l2_dst = Packet::L2_EMPTY_ADDR;
|
||||
|
||||
data += sizeof(SLLHeader);
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
LinuxSLLAnalyzer();
|
||||
~LinuxSLLAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -9,7 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
auto end_of_data = packet->GetEndOfData();
|
||||
|
||||
|
@ -21,7 +21,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet,
|
|||
if ( data + 4 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
end_of_stack = *(data + 2u) & 0x01;
|
||||
|
@ -33,7 +33,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet,
|
|||
if ( data + sizeof(struct ip) >= end_of_data )
|
||||
{
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
auto ip = (const struct ip*)data;
|
||||
|
@ -46,9 +46,9 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet,
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
packet->hdr_size = (data - packet->data);
|
||||
return { AnalyzerResult::Terminate, 0 };
|
||||
return AnalyzerResult::Terminate;
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
MPLSAnalyzer();
|
||||
~MPLSAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,7 +10,7 @@ NFLogAnalyzer::NFLogAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) {
|
||||
zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) {
|
||||
auto end_of_data = packet->GetEndOfData();
|
||||
|
||||
// See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
|
||||
|
@ -20,7 +20,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
|
|||
if ( version != 0 )
|
||||
{
|
||||
packet->Weird("unknown_nflog_version");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// Skip to TLVs.
|
||||
|
@ -34,7 +34,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
|
|||
if ( data + 4 >= end_of_data )
|
||||
{
|
||||
packet->Weird("nflog_no_pcap_payload");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// TLV Type and Length values are specified in host byte order
|
||||
|
@ -61,7 +61,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
|
|||
if ( tlv_len < 4 )
|
||||
{
|
||||
packet->Weird("nflog_bad_tlv_len");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -75,5 +75,5 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet
|
|||
}
|
||||
}
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
NFLogAnalyzer();
|
||||
~NFLogAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,16 +10,16 @@ NullAnalyzer::NullAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
if ( data + 4 >= packet->GetEndOfData() )
|
||||
{
|
||||
packet->Weird("null_analyzer_failed");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
|
||||
data += 4; // skip link header
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
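Review bot: The 4-byte protocol family read at `(data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]` assumes a little-endian value, but for DLT_NULL libpcap writes that field in the byte order of the machine that captured the trace, so a pcap taken on a big-endian host yields e.g. 0x02000000 instead of AF_INET and the dispatch silently falls through. tcpdump handles this by byte-swapping when the upper 16 bits are non-zero, which is a one-line fallback after the extraction; a comment recording the byte-order caveat would be worthwhile even if that fallback is deferred. Whether any configured child analyzer could be hit by a swapped value cannot be told from this hunk.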
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
NullAnalyzer();
|
||||
~NullAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,11 +10,11 @@ PPPSerialAnalyzer::PPPSerialAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
// Extract protocol identifier
|
||||
uint32_t protocol = (data[2] << 8) + data[3];
|
||||
data += 4; // skip link header
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
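Review bot: `Analyze` reads `data[2]` and `data[3]` and advances `data` by 4 with no check against `packet->GetEndOfData()`, unlike every other analyzer in this commit (Null, VLAN, PPPoE, FDDI all guard with `data + N >= packet->GetEndOfData()`), so a truncated DLT_PPP_SERIAL capture with fewer than 4 bytes of link header is an out-of-bounds read on attacker-controlled input. Add the same guard before the extraction, with its own weird name so it can be told apart from the PPPoE case.
```cpp
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
	{
	// PPP-over-serial link header is 4 bytes; reject a truncated capture
	// rather than reading data[2]/data[3] past the end of the packet.
	if ( data + 4 >= packet->GetEndOfData() )
		{
		packet->Weird("truncated_ppp_serial_header");
		return AnalyzerResult::Failed;
		}

	// … unchanged: protocol extraction and AnalyzeInnerPacket dispatch …
```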
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
PPPSerialAnalyzer();
|
||||
~PPPSerialAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,17 +10,17 @@ PPPoEAnalyzer::PPPoEAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
if ( data + 8 >= packet->GetEndOfData() )
|
||||
{
|
||||
packet->Weird("truncated_pppoe_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// Extract protocol identifier
|
||||
uint32_t protocol = (data[6] << 8u) + data[7];
|
||||
data += 8; // Skip the PPPoE session and PPP header
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
PPPoEAnalyzer();
|
||||
~PPPoEAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,12 +10,12 @@ VLANAnalyzer::VLANAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
if ( data + 4 >= packet->GetEndOfData() )
|
||||
{
|
||||
packet->Weird("truncated_VLAN_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
|
||||
|
@ -25,5 +25,5 @@ zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet,
|
|||
packet->eth_type = protocol;
|
||||
data += 4; // Skip the VLAN header
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
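Review bot: `auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;` uses VID 0 as the "outer tag not yet seen" sentinel, but VID 0 is a legal 802.1Q priority tag, so a Q-in-Q frame whose outer tag is VID 0 has its inner tag written into `packet->vlan` and `inner_vlan` stays empty; a third stacked tag also silently overwrites `inner_vlan`. Unless 0 is reserved as "unset" for `Packet::vlan` elsewhere (not visible here), tracking whether this analyzer has already run on the packet, rather than testing the stored value, would make the assignment unambiguous. At minimum the line deserves a comment stating the sentinel assumption: `// NOTE: treats vlan == 0 as "no outer tag yet"; a VID-0 priority tag is misattributed`. The function body continues in the next hunk.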
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
VLANAnalyzer();
|
||||
~VLANAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
// Unfortunately some packets on the link might have MPLS labels
|
||||
// while others don't. That means we need to ask the link-layer if
|
||||
|
@ -27,7 +27,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
if ( data + cfplen + 14 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header_cfp");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
data += cfplen;
|
||||
|
@ -57,7 +57,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
if ( data + 4 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
|
||||
|
@ -75,7 +75,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
if ( data + 8 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
protocol = (data[6] << 8u) + data[7];
|
||||
|
@ -89,7 +89,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("non_ip_packet_in_pppoe_encapsulation");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
@ -113,7 +113,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("non_ip_packet_in_ethernet");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -127,7 +127,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
if ( data + 4 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
end_of_stack = *(data + 2u) & 0x01;
|
||||
|
@ -138,7 +138,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
if ( data + sizeof(struct ip) >= end_of_data )
|
||||
{
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
const struct ip* ip = (const struct ip*)data;
|
||||
|
@ -151,12 +151,12 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
}
|
||||
|
||||
// Calculate how much header we've used up.
|
||||
packet->hdr_size = (data - packet->data);
|
||||
|
||||
return { AnalyzerResult::Continue, protocol };
|
||||
return AnalyzeInnerPacket(packet, data, protocol);
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ public:
|
|||
WrapperAnalyzer();
|
||||
~WrapperAnalyzer() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
@ -1,15 +1,18 @@
|
|||
[l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, ttl=64, p=17, src=192.168.1.1, dst=255.255.255.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=54, id=52261, ttl=64, p=6, src=192.168.1.103, dst=64.4.23.176], ip6=<uninitialized>, tcp=[sport=65493/tcp, dport=40031/tcp, seq=2642773190, ack=2891276360, hl=32, dl=2, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=32575, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=65170/udp, dport=53/udp, ulen=44], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=55466, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53129/udp, dport=53/udp, ulen=44], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=92, cap_len=92, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=78, id=32240, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53129/udp, dport=53/udp, ulen=58], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=85, cap_len=85, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=71, id=53895, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=57932/udp, dport=53/udp, ulen=51], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=307, cap_len=307, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=293, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=273], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=379, cap_len=379, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=365, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=345], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=355, cap_len=355, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=341, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=321], icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=387, cap_len=387, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=373, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=353], icmp=<uninitialized>]
|
||||
|
@ -27,6 +30,7 @@
|
|||
[l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=85, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=28558, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176123, ack=445274652, hl=32, dl=31, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=36529, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176154, ack=445274652, hl=32, dl=0, reserved=0, flags=17, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:19:06:ea:b8:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
[l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
module Packet_BAR;
|
||||
|
||||
redef PacketAnalyzer::config_map += {
|
||||
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=1501, $analyzer=PacketAnalyzer::ANALYZER_BAR),
|
||||
};
|
||||
redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_BAR;
|
|
@ -10,7 +10,7 @@ Bar::Bar()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const uint8_t*& data)
|
||||
zeek::packet_analysis::AnalyzerResult Bar::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
auto end_of_data = packet->GetEndOfData();
|
||||
|
||||
|
@ -18,7 +18,7 @@ zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const ui
|
|||
if ( data + 17 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_llc_header");
|
||||
return { AnalyzerResult::Failed, 0 };
|
||||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
auto dsap = data[14];
|
||||
|
@ -30,5 +30,5 @@ zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const ui
|
|||
val_mgr->Count(ssap),
|
||||
val_mgr->Count(control));
|
||||
|
||||
return { AnalyzerResult::Terminate, 0 };
|
||||
return AnalyzerResult::Terminate;
|
||||
}
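Review bot: The truncation guard `if ( data + 17 >= end_of_data )` is a bare magic number, and the only dereference visible in the hunk is `auto dsap = data[14];`, so a reader cannot tell whether 17 is the last offset read or one past it; written with `>=` the check demands 18 bytes from `data`, which is one byte stricter than needed if `ssap`/`control` (used in the event arguments but read outside the hunk) come from `data[15]` and `data[16]`. That is fail-safe rather than a memory-safety bug, but the intent should be auditable: name the requirement, e.g. `constexpr ptrdiff_t LLC_HDR_END = 14 + 3; // presumably Ethernet header + DSAP/SSAP/control`, and compare lengths rather than forming a pointer that may lie beyond the buffer, `if ( end_of_data - data < LLC_HDR_END )`. The `Analyze` body starts in the first hunk and continues outside these hunks, so confirm the offsets actually read before tightening the constant; a one-line comment noting that this analyzer never advances `data` because it returns `AnalyzerResult::Terminate` would also help the next maintainer.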
|
||||
|
|
|
@ -10,7 +10,7 @@ public:
|
|||
Bar();
|
||||
~Bar() override = default;
|
||||
|
||||
AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|