Merge remote-tracking branch 'origin/topic/jsiwek/vxlan'

* origin/topic/jsiwek/vxlan: GH-250: Improve/cleanup VXLAN decapsulation support Initial VXLAN support, need -C flag to work when running bro
2025-10-02 06:38:20 +00:00 · 2019-03-14 16:14:57 +00:00 · 2019-03-14 16:14:57 +00:00 · 72fa3f16ad
commit 72fa3f16ad
parent 389fe2bc2a 09ae539ea8
28 changed files with 347 additions and 26 deletions
--- a/19
+++ b/19
@ -1,4 +1,23 @@

+2.6-157 | 2019-03-14 16:18:13 +0000
+
+  * GH-250: Add VXLAN decapsulation support (Henrik Lund Kramshoej; Jon Siwek, Corelight)
+
+    Zeek now automatically decapsulates VXLAN traffic on UDP port
+    4789. It will log such sessions as Tunnel::VXLAN in tunnel.log and
+    proceed to analyze the inner payload. Two options allow to tune
+    the analysis:
+
+        * "Tunnel::vxlan_ports" allows to tune the set of VXLAN ports
+          to analyze/decapsulate.
+
+        * "Tunnel::validate_vxlan_checksums" allows for tuning of how
+          checksums associated with the outer UDP header of a possible
+          VXLAN tunnel are handled.
+
+    A new "vxlan_packet" event also provides per-packet access to
+    VXLAN traffic.
+
 2.6-154 | 2019-03-13 17:28:26 -0700

  * Decrease memory usage via deferred list/dict initialization (Justin Azoff, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.6-154
+2.6-157
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 671aa15c0d09bf48421ec2f5e83f7778341137a7
+Subproject commit 0d850d3e7de829397e61ea50031d34f099813596
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@ -85,7 +85,7 @@ export {
 const ayiya_ports = { 5072/udp };
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };

 event bro_init() &priority=5
 	{
@ -94,6 +94,7 @@ event bro_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
 	}

 function register_all(ecv: EncapsulatingConnVector)
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -4857,6 +4857,18 @@ export {
 	## How often to cleanup internal state for inactive IP tunnels
 	## (includes GRE tunnels).
 	const ip_tunnel_timeout = 24hrs &redef;
+
+	## Whether to validate the checksum supplied in the outer UDP header
+	## of a VXLAN encapsulation.  The spec says the checksum should be
+	## transmitted as zero, but if not, then the decapsulating destination
+	## may choose whether to perform the validation.
+	const validate_vxlan_checksums = T &redef;
+
+	## The set of UDP ports used for VXLAN traffic.  Traffic using this
+	## UDP destination port will attempt to be decapsulated.  Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :bro:see:`likely_server_ports` also gets populated accordingly.
+	const vxlan_ports: set[port] = { 4789/udp } &redef;
 } # end export

 module Reporter;
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@ -94,6 +94,14 @@ public:
 			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 			   (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));

+		if ( ec1.type == BifEnum::Tunnel::VXLAN )
+			// Reversing endpoints is still same tunnel, destination port is
+			// always the same.
+			return ec1.dst_port == ec2.dst_port &&
+			       ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
+			   (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
+
 		return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
 		       ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
 		       ec1.uid == ec2.uid && ec1.proto == ec2.proto;
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@ -96,6 +96,18 @@ void Manager::InitPreScript()

 void Manager::InitPostScript()
 	{
+	auto id = global_scope()->Lookup("Tunnel::vxlan_ports");
+
+	if ( ! (id && id->ID_Val()) )
+		reporter->FatalError("Tunnel::vxlan_ports not defined");
+
+	auto table_val = id->ID_Val()->AsTableVal();
+	auto port_list = table_val->ConvertToPureList();
+
+	for ( auto i = 0; i < port_list->Length(); ++i )
+		vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port());
+
+	Unref(port_list);
 	}

 void Manager::DumpDebug()
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@ -22,6 +22,7 @@
 #define ANALYZER_MANAGER_H

 #include <queue>
+#include <vector>

 #include "Analyzer.h"
 #include "Component.h"
@ -335,6 +336,12 @@ public:
 	void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p,
 			      Val* analyzer, double timeout);

+	/**
+	 * @return the UDP port numbers to be associated with VXLAN traffic.
+	 */
+	const std::vector<uint16>& GetVxlanPorts() const
+		{ return vxlan_ports; }
+
 private:
 	typedef set<Tag> tag_set;
 	typedef map<uint32, tag_set*> analyzer_map_by_port;
@ -390,6 +397,7 @@ private:

 	conns_map conns;
 	conns_queue conns_by_timeout;
+	std::vector<uint16> vxlan_ports;
 };

 }
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@ -47,5 +47,6 @@ add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
 add_subdirectory(udp)
+add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@ -7,6 +7,7 @@
 #include "Net.h"
 #include "NetVar.h"
 #include "analyzer/protocol/udp/UDP.h"
+#include "analyzer/Manager.h"
 #include "Reporter.h"
 #include "Conn.h"

@ -61,7 +62,30 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,

 	int chksum = up->uh_sum;

-	if ( ! ignore_checksums && caplen >= len )
+	auto validate_checksum = ! ignore_checksums && caplen >=len;
+	constexpr auto vxlan_len = 8;
+	constexpr auto eth_len = 14;
+
+	if ( validate_checksum &&
+	     len > (sizeof(struct udphdr) + vxlan_len + eth_len) &&
+	     (data[0] & 0x08) == 0x08 )
+		{
+		auto& vxlan_ports = analyzer_mgr->GetVxlanPorts();
+
+		if ( std::find(vxlan_ports.begin(), vxlan_ports.end(),
+		               ntohs(up->uh_dport)) != vxlan_ports.end() )
+			{
+			// Looks like VXLAN on a well-known port, so the checksum should be
+			// transmitted as zero, and we should accept that.  If not
+			// transmitted as zero, then validating the checksum is optional.
+			if ( chksum == 0 )
+				validate_checksum = false;
+			else
+				validate_checksum = BifConst::Tunnel::validate_vxlan_checksums;
+			}
+		}
+
+	if ( validate_checksum )
 		{
 		bool bad = false;

--- a/src/analyzer/protocol/vxlan/CMakeLists.txt
+++ b/src/analyzer/protocol/vxlan/CMakeLists.txt
@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro VXLAN)
+bro_plugin_cc(VXLAN.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
--- a/src/analyzer/protocol/vxlan/Plugin.cc
+++ b/src/analyzer/protocol/vxlan/Plugin.cc
@ -0,0 +1,24 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+
+#include "VXLAN.h"
+
+namespace plugin {
+namespace Bro_VXLAN {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("VXLAN", ::analyzer::vxlan::VXLAN_Analyzer::Instantiate));
+
+		plugin::Configuration config;
+		config.name = "Bro::VXLAN";
+		config.description = "VXLAN analyzer";
+		return config;
+		}
+} plugin;
+
+}
+}
--- a/src/analyzer/protocol/vxlan/VXLAN.cc
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@ -0,0 +1,101 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "VXLAN.h"
+#include "TunnelEncapsulation.h"
+#include "Conn.h"
+#include "IP.h"
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::vxlan;
+
+void VXLAN_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+                                   uint64 seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	// Outer Ethernet, IP, and UDP layers already skipped.
+	// Also, generic UDP analyzer already checked/guarantees caplen >= len.
+
+	constexpr auto vxlan_len = 8;
+
+	if ( len < vxlan_len )
+		{
+		ProtocolViolation("VXLAN header truncation", (const char*) data, len);
+		return;
+		}
+
+	if ( (data[0] & 0x08) == 0 )
+		{
+		ProtocolViolation("VXLAN 'I' flag not set", (const char*) data, len);
+		return;
+		}
+
+	const EncapsulationStack* estack = Conn()->GetEncapsulation();
+
+	if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		reporter->Weird(Conn(), "tunnel_depth");
+		return;
+		}
+
+	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+	data += vxlan_len;
+	caplen -= vxlan_len;
+	len -= vxlan_len;
+
+	pkt_timeval ts;
+	ts.tv_sec = (time_t) current_timestamp;
+	ts.tv_usec = (suseconds_t) ((current_timestamp - (double)ts.tv_sec) * 1000000);
+	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+
+	if ( ! pkt.Layer2Valid() )
+		{
+		ProtocolViolation("VXLAN invalid inner ethernet frame",
+		                  (const char*) data, len);
+		return;
+		}
+
+	data += pkt.hdr_size;
+	len -= pkt.hdr_size;
+	caplen -= pkt.hdr_size;
+
+	IP_Hdr* inner = nullptr;
+	int res = 0;
+
+	switch ( pkt.l3_proto ) {
+		case L3_IPV4:
+			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner);
+			break;
+		case L3_IPV6:
+			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner);
+			break;
+		default:
+			return;
+	}
+
+	if ( res < 0 )
+		{
+		delete inner;
+		ProtocolViolation("Truncated VXLAN or invalid inner IP",
+		                  (const char*) data, len);
+		return;
+		}
+
+	ProtocolConfirmation();
+
+	if ( vxlan_packet )
+		Conn()->Event(vxlan_packet, 0, inner->BuildPktHdrVal(),
+		              val_mgr->GetCount(vni));
+
+	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN);
+	sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec);
+	}
--- a/src/analyzer/protocol/vxlan/VXLAN.h
+++ b/src/analyzer/protocol/vxlan/VXLAN.h
@ -0,0 +1,29 @@
+// See the file  in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_VXLAN_VXLAN_H
+#define ANALYZER_PROTOCOL_VXLAN_VXLAN_H
+
+#include "analyzer/Analyzer.h"
+#include "NetVar.h"
+#include "Reporter.h"
+
+namespace analyzer { namespace vxlan {
+
+class VXLAN_Analyzer : public analyzer::Analyzer {
+public:
+	explicit VXLAN_Analyzer(Connection* conn)
+	    : Analyzer("VXLAN", conn)
+		{}
+
+	void Done() override;
+
+	void DeliverPacket(int len, const u_char* data, bool orig,
+	                   uint64 seq, const IP_Hdr* ip, int caplen) override;
+
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{ return new VXLAN_Analyzer(conn); }
+};
+
+} } // namespace analyzer::*
+
+#endif
--- a/src/analyzer/protocol/vxlan/events.bif
+++ b/src/analyzer/protocol/vxlan/events.bif
@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a VXLAN tunnel.
+## See :rfc:`7348` for more information about the VXLAN protocol.
+##
+## outer: The VXLAN tunnel connection.
+##
+## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+##
+## vni: VXLAN Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);
--- a/src/const.bif
+++ b/src/const.bif
@ -22,5 +22,6 @@ const Tunnel::enable_gre: bool;
 const Tunnel::delay_teredo_confirmation: bool;
 const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;
+const Tunnel::validate_vxlan_checksums: bool;

 const Threading::heartbeat_interval: interval;
--- a/src/types.bif
+++ b/src/types.bif
@ -192,6 +192,7 @@ enum Type %{
 	GTPv1,
 	HTTP,
 	GRE,
+	VXLAN,
 %}

 type EncapsulatingConn: record;
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-07-13-16-12-58
+#open	2019-03-12-03-25-14
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1278600802.069419	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	-	0	ShADadfF	7	381	7	3801	-
-#close	2016-07-13-16-12-59
+#close	2019-03-12-03-25-14
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
@ -3,28 +3,28 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-57
+#open	2019-03-12-03-25-12
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426377.846975	bro	ip or not ip	T	T
-#close	2016-07-13-16-12-57
+1552361112.763592	bro	ip or not ip	T	T
+#close	2019-03-12-03-25-12
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-58
+#open	2019-03-12-03-25-13
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426378.362651	bro	port 42	T	T
-#close	2016-07-13-16-12-58
+1552361113.442916	bro	port 42	T	T
+#close	2019-03-12-03-25-13
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-58
+#open	2019-03-12-03-25-14
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426378.944945	bro	(vlan) and (ip or not ip)	T	T
-#close	2016-07-13-16-12-59
+1552361114.111534	bro	(vlan) and (ip or not ip)	T	T
+#close	2019-03-12-03-25-14
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@ -21,6 +21,7 @@
 1 4011
 2 443
 1 445
+1 4789
 1 502
 1 5060
 1 5072
@ -54,8 +55,8 @@
 1 992
 1 993
 1 995
-61 and
-60 or
-61 port
+62 and
+61 or
+62 port
 42 tcp
-19 udp
+20 udp
--- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log
+++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
@ -0,0 +1,14 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2019-03-12-03-29-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1467818432.676047	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	udp	vxlan	3.004434	424	0	S0	-	-	0	D	4	536	0	0	-
+1467818432.675392	CHhAvVGS1DHFjwGM9	192.168.56.11	39924	192.168.56.12	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+1467818432.675732	ClEkJM2Vm5giqnMf4h	192.168.56.12	40908	192.168.56.11	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+1467818432.676385	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	udp	vxlan	3.004278	424	0	S0	-	-	0	D	4	536	0	0	-
+1467818432.676047	CtPZjS20MLrsMUOJi2	10.0.0.1	8	10.0.0.2	0	icmp	-	3.004616	224	224	OTH	-	-	0	-	4	336	4	336	CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc
+#close	2019-03-12-03-29-46
--- a/testing/btest/Baseline/core.tunnels.vxlan/out
+++ b/testing/btest/Baseline/core.tunnels.vxlan/out
@ -0,0 +1,8 @@
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
--- a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log
@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2019-03-12-03-29-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1467818432.676047	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+1467818432.676385	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+1467818435.680663	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	Tunnel::VXLAN	Tunnel::CLOSE
+1467818435.680663	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	Tunnel::VXLAN	Tunnel::CLOSE
+#close	2019-03-12-03-29-46
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro
    build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
    build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
    build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro
    build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
    build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro
    build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
    build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
    build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro
    build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
    build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -61,6 +61,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
@ -126,6 +127,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
@ -154,6 +156,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
@ -274,7 +277,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@ -459,7 +462,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -685,6 +688,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1
@ -958,6 +962,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
@ -1023,6 +1028,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
@ -1051,6 +1057,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {5223<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
@ -1171,7 +1178,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@ -1356,7 +1363,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1582,6 +1589,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_UDP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Unified2.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Unified2.types.bif.bro)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro)
@ -1855,6 +1863,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
@ -1920,6 +1929,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
@ -1948,6 +1958,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Cluster::local_node_type()
@ -2067,7 +2078,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@ -2252,7 +2263,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -2478,6 +2489,7 @@
 0.000000 | HookLoadFile  .<...>/Bro_UDP.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_Unified2.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_Unified2.types.bif.bro
+0.000000 | HookLoadFile  .<...>/Bro_VXLAN.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_X509.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_X509.functions.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_X509.ocsp_events.bif.bro
@ -2684,7 +2696,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1552582539.914970, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()
--- a/testing/btest/Traces/tunnels/vxlan.pcap
+++ b/testing/btest/Traces/tunnels/vxlan.pcap
--- a/testing/btest/core/tunnels/vxlan.bro
+++ b/testing/btest/core/tunnels/vxlan.bro
@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+event vxlan_packet(c: connection, inner: pkt_hdr, vni: count)
+	{
+	print "vxlan_packet", c$id, inner, vni;
+	}
 @ -1 +1 @@
 .6-154
 .6-157