Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove unused wrapper packet analyzer

Browse source 
This is a leftover from the migration to the packet analysis framework.
The analyzer wrapped the original packet analysis code for comparison.
This commit is contained in:
Jan Grashoefer 2024-08-16 16:49:12 +02:00
parent ec1088c3ef
commit 64bc852fbe
4 changed files with 0 additions and 181 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/packet_analysis/protocol/wrapper/CMakeLists.txt
View file

@ -1 +0,0 @@
zeek_add_plugin(Zeek Wrapper SOURCES Wrapper.cc Plugin.cc)

25
src/packet_analysis/protocol/wrapper/Plugin.cc
View file

@ -1,25 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/wrapper/Wrapper.h"
namespace zeek::plugin::Zeek_Wrapper {
class Plugin final : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override {
AddComponent(
new zeek::packet_analysis::Component("Wrapper",
zeek::packet_analysis::Wrapper::WrapperAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Wrapper";
config.description = "A wrapper for the original zeek code.";
return config;
}
} plugin;
} // namespace zeek::plugin::Zeek_Wrapper

135
src/packet_analysis/protocol/wrapper/Wrapper.cc
View file

@ -1,135 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/wrapper/Wrapper.h"
using namespace zeek::packet_analysis::Wrapper;
WrapperAnalyzer::WrapperAnalyzer() : zeek::packet_analysis::Analyzer("Wrapper") {}
bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) {
// Unfortunately some packets on the link might have MPLS labels
// while others don't. That means we need to ask the link-layer if
// labels are in place.
bool have_mpls = false;
auto end_of_data = packet->GetEndOfData();
// Skip past Cisco FabricPath to encapsulated ethernet frame.
if ( data[12] == 0x89 && data[13] == 0x03 ) {
auto constexpr cfplen = 16;
if ( data + cfplen + 14 >= end_of_data ) {
Weird("truncated_link_header_cfp", packet);
return false;
}
data += cfplen;
}
// Extract protocol identifier
uint32_t protocol = (data[12] << 8u) + data[13];
packet->eth_type = protocol;
packet->l2_dst = data;
packet->l2_src = data + 6;
data += 14;
bool saw_vlan = false;
while ( protocol == 0x8100 || protocol == 0x9100 || protocol == 0x8864 ) {
switch ( protocol ) {
// VLAN carried over the ethernet frame.
// 802.1q / 802.1ad
case 0x8100:
case 0x9100: {
if ( data + 4 >= end_of_data ) {
Weird("truncated_link_header", packet);
return false;
}
auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
protocol = ((data[2] << 8u) + data[3]);
data += 4; // Skip the vlan header
saw_vlan = true;
packet->eth_type = protocol;
} break;
// PPPoE carried over the ethernet frame.
case 0x8864: {
if ( data + 8 >= end_of_data ) {
Weird("truncated_link_header", packet);
return false;
}
protocol = (data[6] << 8u) + data[7];
data += 8; // Skip the PPPoE session and PPP header
if ( protocol == 0x0021 )
packet->l3_proto = L3_IPV4;
else if ( protocol == 0x0057 )
packet->l3_proto = L3_IPV6;
else {
// Neither IPv4 nor IPv6.
Weird("non_ip_packet_in_pppoe_encapsulation", packet);
return false;
}
} break;
}
}
// Check for MPLS in VLAN.
if ( protocol == 0x8847 )
have_mpls = true;
// Normal path to determine Layer 3 protocol.
if ( ! have_mpls && packet->l3_proto == L3_UNKNOWN ) {
if ( protocol == 0x800 )
packet->l3_proto = L3_IPV4;
else if ( protocol == 0x86dd )
packet->l3_proto = L3_IPV6;
else if ( protocol == 0x0806 || protocol == 0x8035 )
packet->l3_proto = L3_ARP;
else {
// Neither IPv4 nor IPv6.
Weird("non_ip_packet_in_ethernet", packet);
return false;
}
}
if ( have_mpls ) {
// Skip the MPLS label stack.
bool end_of_stack = false;
while ( ! end_of_stack ) {
if ( data + 4 >= end_of_data ) {
Weird("truncated_link_header", packet);
return false;
}
end_of_stack = *(data + 2u) & 0x01;
data += 4;
}
// We assume that what remains is IP
if ( data + sizeof(struct ip) >= end_of_data ) {
Weird("no_ip_in_mpls_payload", packet);
return false;
}
const struct ip* ip = (const struct ip*)data;
if ( ip->ip_v == 4 )
packet->l3_proto = L3_IPV4;
else if ( ip->ip_v == 6 )
packet->l3_proto = L3_IPV6;
else {
// Neither IPv4 nor IPv6.
Weird("no_ip_in_mpls_payload", packet);
return false;
}
}
return AnalyzeInnerPacket(packet, data, protocol);
}

20
src/packet_analysis/protocol/wrapper/Wrapper.h
View file

@ -1,20 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::Wrapper {
class WrapperAnalyzer : public Analyzer {
public:
WrapperAnalyzer();
~WrapperAnalyzer() override = default;
bool Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate() { return std::make_shared<WrapperAnalyzer>(); }
};
} // namespace zeek::packet_analysis::Wrapper