diff --git a/NEWS b/NEWS
index 50e5ddd265..981af20370 100644
--- a/NEWS
+++ b/NEWS
@@ -94,6 +94,9 @@ Changed Functionality
 - conn.log gained a new field local_resp that works like local_orig, just for the responder address of the connection.
+- GRE tunnels are now identified as ``Tunnel::GRE`` instead of
+ ``Tunnel::IP``.
+
 - [TODO] Add changed BroControl features.
 Deprecated Functionality
diff --git a/src/Sessions.cc b/src/Sessions.cc
index ffc2baf944..086216e93d 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -466,6 +466,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 id.src_addr = ip_hdr->SrcAddr();
 id.dst_addr = ip_hdr->DstAddr();
 Dictionary* d = 0;
+ BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP;
 switch ( proto ) {
 case IPPROTO_TCP:
@@ -606,6 +607,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 // Treat GRE tunnel like IP tunnels, fallthrough to logic below now
 // that GRE header is stripped and only payload packet remains.
+ // The only thing different is the tunnel type enum value to use.
+ tunnel_type = BifEnum::Tunnel::GRE;
 }
 case IPPROTO_IPV4:
@@ -653,7 +656,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 if ( it == ip_tunnels.end() ) {
- EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
+ EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
+ tunnel_type);
 ip_tunnels[tunnel_idx] = TunnelActivity(ec, network_time);
 timer_mgr->Add(new IPTunnelTimer(network_time, tunnel_idx));
 }
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index 23f8966ee7..419a3000b4 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
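Review bot: In the `-653,7 +656,8` hunk of src/Sessions.cc the new `tunnel_type` is only used when `ip_tunnels` has no entry for `tunnel_idx`, so the type logged for a tunnel is fixed by the first packet seen for that key. `tunnel_idx` is built outside the hunk; if it is keyed on the address pair alone, GRE traffic between two hosts that already have an IP-in-IP entry (or the reverse) would keep the older label until the entry times out, and tunnel.log consumers filtering on `tunnel_type` would see the wrong value. Either make the type part of the map key, or document the behaviour at the lookup with something like `// NOTE: the tunnel type is fixed by the first packet seen for this address pair`. DoNextPacket begins and ends outside the hunk.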
@@ -37,10 +37,12 @@ public:
 *
 * @param s The tunnel source address, likely taken from an IP header.
 * @param d The tunnel destination address, likely taken from an IP header.
+ * @param t The type of IP tunnel.
 */
- EncapsulatingConn(const IPAddr& s, const IPAddr& d)
+ EncapsulatingConn(const IPAddr& s, const IPAddr& d,
+ BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
 : src_addr(s), dst_addr(d), src_port(0), dst_port(0),
- proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP),
+ proto(TRANSPORT_UNKNOWN), type(t),
 uid(Bro::UID(bits_per_uid)) { }
@@ -85,7 +87,8 @@ public:
 if ( ec1.type != ec2.type ) return false;
- if ( ec1.type == BifEnum::Tunnel::IP )
+ if ( ec1.type == BifEnum::Tunnel::IP ||
+ ec1.type == BifEnum::Tunnel::GRE )
 // Reversing endpoints is still same tunnel.
 return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
diff --git a/src/types.bif b/src/types.bif
index 99df67c9d5..73443a3fd7 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -172,6 +172,7 @@ enum Type %{
 SOCKS,
 GTPv1,
 HTTP,
+ GRE,
 %}
 type EncapsulatingConn: record;
diff --git a/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
index 277d1df679..ad7154d756 100644
--- a/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
@@ -6,6 +6,6 @@
 #open 2014-01-16-21-51-36
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
 #types time string addr port addr port enum enum
-1341436424.204043 CXWv6p3arKYeMETxOg 72.205.54.70 0 86.106.164.150 0 Tunnel::IP Tunnel::DISCOVER
-1341436424.204043 CjhGID4nQcgTWjvg4c 10.10.11.2 0 10.10.13.2 0 Tunnel::IP Tunnel::DISCOVER
+1341436424.204043 CXWv6p3arKYeMETxOg 72.205.54.70 0 86.106.164.150 0 Tunnel::GRE Tunnel::DISCOVER
+1341436424.204043 CjhGID4nQcgTWjvg4c 10.10.11.2 0 10.10.13.2 0 Tunnel::GRE Tunnel::DISCOVER
 #close 2014-01-16-21-51-36
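Review bot: The added `@param t` line in the `-37,10 +37,12` hunk of src/TunnelEncapsulation.h still describes "the type of IP tunnel", although this commit makes GRE a type of its own. The constructor zeroes both ports and sets `proto` to `TRANSPORT_UNKNOWN`, so it only suits tunnels identified by their address pair, yet the new parameter accepts any `BifEnum::Tunnel::Type`. I would word the line as `@param t The tunnel type; expected to be Tunnel::IP or Tunnel::GRE, since no ports or transport protocol are recorded.`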
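Review bot: The condition in the `-85,7 +87,8` hunk of src/TunnelEncapsulation.h now lists the address-pair tunnel types by hand (`Tunnel::IP || Tunnel::GRE`), so any further type passed to the address-only constructor would skip this direction-insensitive comparison and presumably take whatever path follows the `if`, which lies outside the hunk. Whether other code still compares `type` against `Tunnel::IP` alone cannot be seen from this diff and is worth a grep before merging. A comment above the test, e.g. `// Tunnel types built by the address-only constructor match in either direction.`, would tie the two places together. The operator's body continues past the end of the hunk.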
diff --git a/testing/btest/Baseline/core.tunnels.gre/tunnel.log b/testing/btest/Baseline/core.tunnels.gre/tunnel.log
index f0d87f4964..066e1fe151 100644
--- a/testing/btest/Baseline/core.tunnels.gre/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre/tunnel.log
@@ -6,5 +6,5 @@
 #open 2014-01-16-21-51-12
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
 #types time string addr port addr port enum enum
-1055289968.793044 CXWv6p3arKYeMETxOg 172.27.1.66 0 66.59.109.137 0 Tunnel::IP Tunnel::DISCOVER
+1055289968.793044 CXWv6p3arKYeMETxOg 172.27.1.66 0 66.59.109.137 0 Tunnel::GRE Tunnel::DISCOVER
 #close 2014-01-16-21-51-12