diff --git a/CHANGES b/CHANGES
index ee374cd764..0637912b35 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,22 @@
+5.1.0-dev.450 | 2022-08-24 09:22:47 -0700
+
+ * Skip test based on preprocessor flag set by cmake (Simeon Miteff, Corelight)
+
+ Relies on change in d42dcb2d55029975a6a6b2e6378fc49a268631ec
+
+ * Set flag for libpcap without DLT_LINUX_SLL2 (Simeon Miteff, Corelight)
+
+ Requires
+ https://github.com/zeek/cmake/commit/6fd82a7e1d626f68ebf616b45f9bec11ca49d295
+
+ Submodule edited until that can be merged.
+
+ * Force event order in core/init-error btest (Simeon Miteff, Corelight)
+
+ See https://github.com/zeek/zeek/pull/2340#issuecomment-1218131444
+
+ * Add support for DLT_LINUX_SLL2 PCAP link-type (Simeon Miteff, Corelight)
+
 5.1.0-dev.442 | 2022-08-24 13:22:17 +0100
 * Add Broker::metrics_import_topics (Arne Welzel & Dominik Charousset, both Corelight)
diff --git a/VERSION b/VERSION
index 5676495ec4..bcc806b766 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.442
+5.1.0-dev.450
diff --git a/cmake b/cmake
index c37351c8b1..fcccb2bd4d 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit c37351c8b1c09ad2479ed4c0ebb5cad339d3ccfd
+Subproject commit fcccb2bd4dfd8698a121a47f91abdcde1325fa69
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 5ea4cb93ef..08905878bd 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -8,6 +8,7 @@
 @load base/packet-protocols/ieee802_11
 @load base/packet-protocols/ieee802_11_radio
 @load base/packet-protocols/linux_sll
+@load base/packet-protocols/linux_sll2
 @load base/packet-protocols/nflog
 @load base/packet-protocols/null
 @load base/packet-protocols/ppp_serial
diff --git a/scripts/base/packet-protocols/linux_sll2/__load__.zeek b/scripts/base/packet-protocols/linux_sll2/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/linux_sll2/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/linux_sll2/main.zeek b/scripts/base/packet-protocols/linux_sll2/main.zeek
new file mode 100644
index 0000000000..353dcab8b6
--- /dev/null
+++ b/scripts/base/packet-protocols/linux_sll2/main.zeek
@@ -0,0 +1,11 @@
+module PacketAnalyzer::LINUXSLL2;
+
+event zeek_init() &priority=20
+ {
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x0800, PacketAnalyzer::ANALYZER_IP);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+
+ # RARP
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+ }
diff --git a/scripts/base/packet-protocols/root/main.zeek b/scripts/base/packet-protocols/root/main.zeek
index f823e9f6c2..daca642329 100644
--- a/scripts/base/packet-protocols/root/main.zeek
+++ b/scripts/base/packet-protocols/root/main.zeek
@@ -10,6 +10,7 @@ const DLT_FDDI : count = 10;
 const DLT_IEEE802_11 : count = 105;
 const DLT_IEEE802_11_RADIO : count = 127;
 const DLT_LINUX_SLL : count = 113;
+const DLT_LINUX_SLL2 : count = 276;
 const DLT_NFLOG : count = 239;
 event zeek_init() &priority=20
@@ -19,5 +20,6 @@ event zeek_init() &priority=20
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11, PacketAnalyzer::ANALYZER_IEEE802_11);
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11_RADIO, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO);
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL, PacketAnalyzer::ANALYZER_LINUXSLL);
+PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL2, PacketAnalyzer::ANALYZER_LINUXSLL2);
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_NFLOG, PacketAnalyzer::ANALYZER_NFLOG);
 }
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index b0db0a2b12..cedc235493 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -136,8 +136,8 @@ public:
 /**
 * Empty layer 2 address to be used as default value. For example, the
- * LinuxSLL packet analyzer doesn't have a destination address in the
- * header and thus sets it to this default address.
+ * LinuxSLL/LinuxSLL2 packet analyzers don't have a destination address
+ * in the header and thus sets it to this default address.
 */
 static constexpr const u_char L2_EMPTY_ADDR[L2_ADDR_LEN] = {0};
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index e325816351..63f8c03928 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -12,6 +12,7 @@ add_subdirectory(fddi)
 add_subdirectory(nflog)
 add_subdirectory(mpls)
 add_subdirectory(linux_sll)
+add_subdirectory(linux_sll2)
 add_subdirectory(arp)
 add_subdirectory(ip)
diff --git a/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt
new file mode 100644
index 0000000000..75bc2cb0b6
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt
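Review bot: The new ROOT registration dispatches `DLT_LINUX_SLL2` unconditionally, while the changelog and the new `DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2` flag say the build may sit on a libpcap that does not know link type 276; as far as this diff shows, the flag gates only the btest, not this registration. That is probably the intended split (mapping a DLT value to an analyzer needs nothing from libpcap), but a reader who finds the flag will look here for the matching guard, so state it: `# Registered regardless of libpcap support; DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2 only gates the core/linuxsll2 btest.` above the new `register_packet_analyzer` line. The `zeek_init` handler this line belongs to opens before this hunk.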
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer LinuxSLL2)
+zeek_plugin_cc(LinuxSLL2.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc
new file mode 100644
index 0000000000..49ea1f2492
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc
@@ -0,0 +1,30 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+using namespace zeek::packet_analysis::LinuxSLL2;
+
+LinuxSLL2Analyzer::LinuxSLL2Analyzer() : zeek::packet_analysis::Analyzer("LinuxSLL2") { }
+
+bool LinuxSLL2Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+ {
+ auto len_sll2_hdr = sizeof(SLL2Header);
+ if ( len_sll2_hdr >= len )
+ {
+ Weird("truncated_Linux_SLL2_header", packet);
+ return false;
+ }
+
+ // Note: We assume to see an Ethertype and don't consider different ARPHRD_types
+ // (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html)
+ auto hdr = (const SLL2Header*)data;
+
+ uint32_t protocol = ntohs(hdr->protocol_type);
+ packet->l2_src = (u_char*)&(hdr->addr);
+
+ // SLL doesn't include a destination address in the header, but not setting l2_dst to something
+ // here will cause crashes elsewhere.
+ packet->l2_dst = Packet::L2_EMPTY_ADDR;
+
+ return ForwardPacket(len - len_sll2_hdr, data + len_sll2_hdr, packet, protocol);
+ }
diff --git a/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h
new file mode 100644
index 0000000000..a1b20fdd9a
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h
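Review bot: `AnalyzePacket` dispatches on `protocol_type` as if it were always an Ethertype and never reads `hdr->arphrd_type`, which the in-hunk comment acknowledges; per the linked LINKTYPE_LINUX_SLL2 description the protocol field belongs to a different namespace for some ARPHRD_ values (a netlink protocol number for ARPHRD_NETLINK, a radiotap-prefixed payload for ARPHRD_IEEE80211_RADIOTAP), so such frames in a cooked capture on the `any` device may be forwarded to whichever child analyzer happens to be registered under that number. Read the field and report what the analyzer does not model instead of forwarding silently, e.g. `uint16_t arphrd = ntohs(hdr->arphrd_type);` followed by `Weird("unsupported_Linux_SLL2_arphrd_type", packet); return false;` for the types whose protocol field is not an Ethertype, leaving the Ethertype-carrying types on the existing path. Two smaller points: `if ( len_sll2_hdr >= len )` reports a frame whose length equals the header as `truncated_Linux_SLL2_header` although nothing is truncated, so either use `>` or give the empty-payload case its own weird name; and `hdr->addr_len` is ignored when `l2_src` is pointed at `hdr->addr`, which is memory-safe only because `addr` is a fixed 8-byte field, a fact worth stating in the comment next to that assignment.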
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LinuxSLL2
+ {
+
+class LinuxSLL2Analyzer : public Analyzer
+ {
+public:
+ LinuxSLL2Analyzer();
+ ~LinuxSLL2Analyzer() override = default;
+
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+ static zeek::packet_analysis::AnalyzerPtr Instantiate()
+ {
+ return std::make_shared();
+ }
+
+private:
+ // Structure layout is based on https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html
+ struct SLL2Header
+ {
+ uint16_t protocol_type;
+ uint16_t reserved;
+ uint32_t interface_index;
+ uint16_t arphrd_type;
+ uint8_t packet_type;
+ uint8_t addr_len;
+ uint64_t addr;
+ } __attribute__((__packed__));
+ };
+
+ }
diff --git a/src/packet_analysis/protocol/linux_sll2/Plugin.cc b/src/packet_analysis/protocol/linux_sll2/Plugin.cc
new file mode 100644
index 0000000000..f70f2fe139
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+namespace zeek::plugin::Zeek_LinuxSLL2
+ {
+
+class Plugin : public zeek::plugin::Plugin
+ {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component(
+ "LinuxSLL2", zeek::packet_analysis::LinuxSLL2::LinuxSLL2Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::LinuxSLL2";
+ config.description = "Linux cooked capture version 2 (SLL2) packet analyzer";
+ return config;
+ }
+
+ } plugin;
+
+ }
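Review bot: `SLL2Header` is cast directly onto packet bytes, so its size and field order are a wire-format contract, yet nothing pins them: `__attribute__((__packed__))` is honoured by GCC and Clang only, and a compiler that ignores it would align `addr` to 8 bytes, pad the struct to 24 bytes and silently shift the payload offset used by `AnalyzePacket`. Add `static_assert(sizeof(SLL2Header) == 20, "SLL2Header must match the on-wire layout");` immediately after the struct so any layout drift fails the build rather than misparsing captures. The header uses `uint16_t`/`uint32_t`/`uint64_t` without including `<cstdint>`; that presumably arrives via `Analyzer.h`, but an explicit `#include <cstdint>` keeps the header self-contained. Since the analyzer only ever treats the address as a byte buffer, declaring it `uint8_t addr[8];` would say so in the type and remove the `(u_char*)&(hdr->addr)` cast in the .cc file.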
diff --git a/testing/btest/Baseline/core.linuxsll2/.stdout b/testing/btest/Baseline/core.linuxsll2/.stdout new file mode 100644 index 0000000000..e1f6cbe44f --- /dev/null +++ b/testing/btest/Baseline/core.linuxsll2/.stdout @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=8, icode=0, len=56, ttl=64], 8, 1 +[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=0, icode=0, len=56, ttl=64], 8, 1 +[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=128, icode=0, len=56, ttl=64], 9, 1 +[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=129, icode=0, len=56, ttl=64], 9, 1 +8e:36:06:44:ac:af, 00:00:00:00:00:00, 192.0.2.1, 8e:36:06:44:ac:af, 192.0.2.2, 00:00:00:00:00:00 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0bb0cb3630..9ec8d13098 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -43,6 +43,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/ieee802_11_radio/main.zeek scripts/base/packet-protocols/linux_sll/__load__.zeek scripts/base/packet-protocols/linux_sll/main.zeek + scripts/base/packet-protocols/linux_sll2/__load__.zeek + scripts/base/packet-protocols/linux_sll2/main.zeek scripts/base/packet-protocols/nflog/__load__.zeek scripts/base/packet-protocols/nflog/main.zeek scripts/base/packet-protocols/null/__load__.zeek 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 754e4fa866..b90a915198 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -43,6 +43,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/ieee802_11_radio/main.zeek scripts/base/packet-protocols/linux_sll/__load__.zeek scripts/base/packet-protocols/linux_sll/main.zeek + scripts/base/packet-protocols/linux_sll2/__load__.zeek + scripts/base/packet-protocols/linux_sll2/main.zeek scripts/base/packet-protocols/nflog/__load__.zeek scripts/base/packet-protocols/nflog/main.zeek scripts/base/packet-protocols/null/__load__.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index d8ea271bdb..38b9de87c7 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -623,6 +623,10 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)) -> 
@@ -641,6 +645,7 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> @@ -1029,6 +1034,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/irc, <...>/irc) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb, <...>/krb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging, <...>/logging) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/main, <...>/main.zeek) -> -1 
@@ -1413,6 +1419,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/irc, <...>/irc) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, ) 
@@ -2130,6 +2137,10 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)) 
@@ -2148,6 +2159,7 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) @@ -2536,6 +2548,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/irc, <...>/irc) 0.000000 MetaHookPre LoadFile(0, base<...>/krb, <...>/krb) 0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll, <...>/linux_sll) +0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) 0.000000 MetaHookPre LoadFile(0, base<...>/logging, <...>/logging) 0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/main, <...>/main.zeek) 
@@ -2920,6 +2933,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/irc, <...>/irc) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/krb, <...>/krb) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/logging, <...>/logging) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/main, <...>/main.zeek) @@ -3636,6 +3650,10 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP) 
@@ -3654,6 +3672,7 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1) @@ -4054,6 +4073,7 @@ 0.000000 | HookLoadFile base<...>/irc <...>/irc 0.000000 | HookLoadFile base<...>/krb <...>/krb 0.000000 | HookLoadFile base<...>/linux_sll <...>/linux_sll +0.000000 | HookLoadFile base<...>/linux_sll2 <...>/linux_sll2 0.000000 | HookLoadFile base<...>/logging <...>/logging 0.000000 | HookLoadFile base<...>/logging.bif <...>/logging.bif.zeek 0.000000 | HookLoadFile base<...>/main <...>/main.zeek @@ -4438,6 +4458,7 @@ 0.000000 | HookLoadFileExtended base<...>/irc <...>/irc 0.000000 | HookLoadFileExtended base<...>/krb <...>/krb 0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll +0.000000 | HookLoadFileExtended base<...>/linux_sll2 <...>/linux_sll2 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek 
diff --git a/testing/btest/Traces/linux_dlt_sll2.pcap b/testing/btest/Traces/linux_dlt_sll2.pcap
new file mode 100644
index 0000000000..ec9bc31abc
Binary files /dev/null and b/testing/btest/Traces/linux_dlt_sll2.pcap differ
diff --git a/testing/btest/core/init-error.zeek b/testing/btest/core/init-error.zeek
index 70c9239bad..a8f49147df 100644
--- a/testing/btest/core/init-error.zeek
+++ b/testing/btest/core/init-error.zeek
@@ -9,7 +9,7 @@ event zeek_init() &priority=10
 print "1st event";
 }
-event zeek_init() &priority=10
+event zeek_init()
 {
 print "2nd event";
 local v = vector(1, 2, 3);
diff --git a/testing/btest/core/linuxsll2.zeek b/testing/btest/core/linuxsll2.zeek
new file mode 100644
index 0000000000..49a270c08b
--- /dev/null
+++ b/testing/btest/core/linuxsll2.zeek
@@ -0,0 +1,18 @@
+# @TEST-REQUIRES: ! grep -q "#define DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2" $BUILD/zeek-config.h
+# @TEST-EXEC: zeek -b -C -r $TRACES/linux_dlt_sll2.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+ {
+ print mac_src, mac_dst, SPA, SHA, TPA, THA;
+ }
+
+event icmp_echo_request(c: connection , info: icmp_info , id: count , seq: count , payload: string )
+ {
+ print c$id, info, id, seq;
+ }
+
+event icmp_echo_reply(c: connection , info: icmp_info , id: count , seq: count , payload: string )
+ {
+ print c$id, info, id, seq;
+ }
diff --git a/zeek-config.h.in b/zeek-config.h.in
index 68381ec7ac..c80368c2da 100644
--- a/zeek-config.h.in
+++ b/zeek-config.h.in
@@ -4,6 +4,8 @@ pcap_compile_nopcap */ #cmakedefine DONT_HAVE_LIBPCAP_PCAP_FREECODE + +#cmakedefine DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2 + + /* should explicitly declare socket() and friends */ #cmakedefine DO_SOCK_DECL
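Review bot: The new `#cmakedefine DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2` carries no explanatory comment although its neighbours do (the `pcap_compile_nopcap */` in the hunk header is the tail of the one above `DONT_HAVE_LIBPCAP_PCAP_FREECODE`), and nothing in this diff consumes the macro other than the `@TEST-REQUIRES` grep in `testing/btest/core/linuxsll2.zeek`. Add a comment in the same style above the define, e.g. `/* libpcap predates DLT_LINUX_SLL2 (276); set by cmake and consumed only by the core/linuxsll2 btest */`, so the next reader does not search the C++ tree for a guard that does not exist. If the packet source is meant to consult this flag as well, that use is missing from the change.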