From b8f0acb5f1fca56c444cef6886e06f7f795749f8 Mon Sep 17 00:00:00 2001 From: Simeon Miteff Date: Mon, 15 Aug 2022 15:32:20 +1000 Subject: [PATCH 1/7] Add support for DLT_LINUX_SLL2 PCAP link-type --- scripts/base/packet-protocols/__load__.zeek | 1 + .../packet-protocols/linux_sll2/__load__.zeek | 1 + .../packet-protocols/linux_sll2/main.zeek | 11 +++++ scripts/base/packet-protocols/root/main.zeek | 2 + src/iosource/Packet.h | 4 +- src/packet_analysis/protocol/CMakeLists.txt | 1 + .../protocol/linux_sll2/CMakeLists.txt | 8 ++++ .../protocol/linux_sll2/LinuxSLL2.cc | 30 ++++++++++++++ .../protocol/linux_sll2/LinuxSLL2.h | 38 ++++++++++++++++++ .../protocol/linux_sll2/Plugin.cc | 27 +++++++++++++ testing/btest/Baseline/core.linuxsll2/.stdout | 6 +++ testing/btest/Traces/linux_dlt_sll2.pcap | Bin 0 -> 672 bytes testing/btest/core/linuxsll2.zeek | 17 ++++++++ 13 files changed, 144 insertions(+), 2 deletions(-) create mode 100644 scripts/base/packet-protocols/linux_sll2/__load__.zeek create mode 100644 scripts/base/packet-protocols/linux_sll2/main.zeek create mode 100644 src/packet_analysis/protocol/linux_sll2/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc create mode 100644 src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h create mode 100644 src/packet_analysis/protocol/linux_sll2/Plugin.cc create mode 100644 testing/btest/Baseline/core.linuxsll2/.stdout create mode 100644 testing/btest/Traces/linux_dlt_sll2.pcap create mode 100644 testing/btest/core/linuxsll2.zeek diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 5ea4cb93ef..08905878bd 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek 
@@ -8,6 +8,7 @@ @load base/packet-protocols/ieee802_11 @load base/packet-protocols/ieee802_11_radio @load base/packet-protocols/linux_sll +@load base/packet-protocols/linux_sll2 @load base/packet-protocols/nflog @load base/packet-protocols/null @load base/packet-protocols/ppp_serial diff --git a/scripts/base/packet-protocols/linux_sll2/__load__.zeek b/scripts/base/packet-protocols/linux_sll2/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/linux_sll2/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/packet-protocols/linux_sll2/main.zeek b/scripts/base/packet-protocols/linux_sll2/main.zeek new file mode 100644 index 0000000000..353dcab8b6 --- /dev/null +++ b/scripts/base/packet-protocols/linux_sll2/main.zeek @@ -0,0 +1,11 @@ +module PacketAnalyzer::LINUXSLL2; + +event zeek_init() &priority=20 + { + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x0800, PacketAnalyzer::ANALYZER_IP); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x86DD, PacketAnalyzer::ANALYZER_IP); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x0806, PacketAnalyzer::ANALYZER_ARP); + + # RARP + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x8035, PacketAnalyzer::ANALYZER_ARP); + } diff --git a/scripts/base/packet-protocols/root/main.zeek b/scripts/base/packet-protocols/root/main.zeek index f823e9f6c2..daca642329 100644 --- a/scripts/base/packet-protocols/root/main.zeek +++ b/scripts/base/packet-protocols/root/main.zeek @@ -10,6 +10,7 @@ const DLT_FDDI : count = 10; const DLT_IEEE802_11 : count = 105; const DLT_IEEE802_11_RADIO : count = 127; const DLT_LINUX_SLL : count = 113; +const DLT_LINUX_SLL2 : count = 276; const DLT_NFLOG : count = 239; event zeek_init() &priority=20 
@@ -19,5 +20,6 @@ event zeek_init() &priority=20 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11, PacketAnalyzer::ANALYZER_IEEE802_11); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11_RADIO, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL, PacketAnalyzer::ANALYZER_LINUXSLL); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL2, PacketAnalyzer::ANALYZER_LINUXSLL2); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_NFLOG, PacketAnalyzer::ANALYZER_NFLOG); } diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index b0db0a2b12..cedc235493 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -136,8 +136,8 @@ public: /** * Empty layer 2 address to be used as default value. For example, the - * LinuxSLL packet analyzer doesn't have a destination address in the - * header and thus sets it to this default address. + * LinuxSLL/LinuxSLL2 packet analyzers don't have a destination address + * in the header and thus sets it to this default address. */ static constexpr const u_char L2_EMPTY_ADDR[L2_ADDR_LEN] = {0}; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index e325816351..63f8c03928 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -12,6 +12,7 @@ add_subdirectory(fddi) add_subdirectory(nflog) add_subdirectory(mpls) add_subdirectory(linux_sll) +add_subdirectory(linux_sll2) add_subdirectory(arp) add_subdirectory(ip) diff --git a/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt new file mode 100644 index 0000000000..75bc2cb0b6 --- /dev/null +++ b/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt 
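Review bot: The reworded comment in the Packet.h hunk has a subject/verb mismatch now that the subject is plural: `LinuxSLL/LinuxSLL2 packet analyzers don't have a destination address in the header and thus sets it`. It should read `in the header and thus set it to this default address`. Nothing else in that hunk changes.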
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer LinuxSLL2)
+zeek_plugin_cc(LinuxSLL2.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc
new file mode 100644
index 0000000000..49ea1f2492
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc
@@ -0,0 +1,30 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+using namespace zeek::packet_analysis::LinuxSLL2;
+
+LinuxSLL2Analyzer::LinuxSLL2Analyzer() : zeek::packet_analysis::Analyzer("LinuxSLL2") { }
+
+bool LinuxSLL2Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+ {
+ auto len_sll2_hdr = sizeof(SLL2Header);
+ if ( len_sll2_hdr >= len )
+ {
+ Weird("truncated_Linux_SLL2_header", packet);
+ return false;
+ }
+
+ // Note: We assume to see an Ethertype and don't consider different ARPHRD_types
+ // (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html)
+ auto hdr = (const SLL2Header*)data;
+
+ uint32_t protocol = ntohs(hdr->protocol_type);
+ packet->l2_src = (u_char*)&(hdr->addr);
+
+ // SLL doesn't include a destination address in the header, but not setting l2_dst to something
+ // here will cause crashes elsewhere.
+ packet->l2_dst = Packet::L2_EMPTY_ADDR;
+
+ return ForwardPacket(len - len_sll2_hdr, data + len_sll2_hdr, packet, protocol);
+ }
diff --git a/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h
new file mode 100644
index 0000000000..a1b20fdd9a
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h
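Review bot: `packet->l2_src = (u_char*)&(hdr->addr);` in AnalyzePacket hands downstream consumers the full 8-byte `addr` field unconditionally and never consults `hdr->addr_len` (or `arphrd_type`), so for a cooked frame whose link-layer address is shorter than the field — I would expect `addr_len` of 0 from address-less interfaces, though the hunk itself cannot confirm that — the bytes exposed as the source L2 address are padding rather than an address. The destination side already falls back to `Packet::L2_EMPTY_ADDR`, and the same fallback fits here: `packet->l2_src = hdr->addr_len ? (u_char*)&(hdr->addr) : (u_char*)Packet::L2_EMPTY_ADDR;`, optionally with a `Weird` when `addr_len` exceeds `sizeof(hdr->addr)` so a malformed header is visible instead of silently accepted. Two smaller things in the same hunk: the comment `// SLL doesn't include a destination address in the header` should say SLL2 since that is the header being parsed, and `ntohs` is used without an explicit `<netinet/in.h>` or `<arpa/inet.h>` include, so the file compiles only if LinuxSLL2.h pulls one in transitively.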
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LinuxSLL2
+ {
+
+class LinuxSLL2Analyzer : public Analyzer
+ {
+public:
+ LinuxSLL2Analyzer();
+ ~LinuxSLL2Analyzer() override = default;
+
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+ static zeek::packet_analysis::AnalyzerPtr Instantiate()
+ {
+ return std::make_shared();
+ }
+
+private:
+ // Structure layout is based on https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html
+ struct SLL2Header
+ {
+ uint16_t protocol_type;
+ uint16_t reserved;
+ uint32_t interface_index;
+ uint16_t arphrd_type;
+ uint8_t packet_type;
+ uint8_t addr_len;
+ uint64_t addr;
+ } __attribute__((__packed__));
+ };
+
+ }
diff --git a/src/packet_analysis/protocol/linux_sll2/Plugin.cc b/src/packet_analysis/protocol/linux_sll2/Plugin.cc
new file mode 100644
index 0000000000..f70f2fe139
--- /dev/null
+++ b/src/packet_analysis/protocol/linux_sll2/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+namespace zeek::plugin::Zeek_LinuxSLL2
+ {
+
+class Plugin : public zeek::plugin::Plugin
+ {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component(
+ "LinuxSLL2", zeek::packet_analysis::LinuxSLL2::LinuxSLL2Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::LinuxSLL2";
+ config.description = "Linux cooked capture version 2 (SLL2) packet analyzer";
+ return config;
+ }
+
+ } plugin;
+
+ }
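Review bot: The width of `SLL2Header` is load-bearing — AnalyzePacket in LinuxSLL2.cc sizes its truncation check with `sizeof(SLL2Header)` — yet nothing in the header pins it, so a `static_assert(sizeof(SLL2Header) == 20, "SLL2 header must pack to 20 bytes");` after the struct would catch a toolchain that ignores `__attribute__((__packed__))` (the 2+2+4+2+1+1+8 field bytes only sum to 20 when packed; unpacked, `addr` would be aligned up). The layout comment could also state that the multi-byte fields are in network byte order, as the linked tcpdump.org page specifies, which is why the .cc applies `ntohs` to `protocol_type` and why `interface_index` would need `ntohl` before any future use. Separately, as rendered here `Instantiate()` reads `return std::make_shared();` with no template argument; presumably `<LinuxSLL2Analyzer>` was lost in rendering, but if the source really lacks it this does not compile.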
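Review bot: In Plugin.cc, `Configure()` is declared as `zeek::plugin::Configuration Configure()` without `override`, although it presumably overrides the virtual of the same name in `zeek::plugin::Plugin` that the plugin loader calls. Marking it `zeek::plugin::Configuration Configure() override` turns any future signature drift into a compile error instead of a silently hidden base method. The component registration and config fields otherwise follow the existing plugin boilerplate.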
diff --git a/testing/btest/Baseline/core.linuxsll2/.stdout b/testing/btest/Baseline/core.linuxsll2/.stdout new file mode 100644 index 0000000000..e1f6cbe44f --- /dev/null +++ b/testing/btest/Baseline/core.linuxsll2/.stdout @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=8, icode=0, len=56, ttl=64], 8, 1 +[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=0, icode=0, len=56, ttl=64], 8, 1 +[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=128, icode=0, len=56, ttl=64], 9, 1 +[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=129, icode=0, len=56, ttl=64], 9, 1 +8e:36:06:44:ac:af, 00:00:00:00:00:00, 192.0.2.1, 8e:36:06:44:ac:af, 192.0.2.2, 00:00:00:00:00:00 diff --git a/testing/btest/Traces/linux_dlt_sll2.pcap b/testing/btest/Traces/linux_dlt_sll2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ec9bc31abcd55c0c59b6a8e714686492c178e49c GIT binary patch literal 672 zcmca|c+)~A1{MYcU||qpWMFu?_h*u`KQBWDPy&QGAPN|nSs2)0YF!x^Le}> zOC4ZfVgz9hhO{j}#f%{RAa#%Yc)`jA1cih}M8(7<*BLk&7(r%&RIUb^3j)N30Z5-v6alyJ9NbNe zTN)XbQ{cY@fB?v1 QLf7A53YNmApBbBe06TPor~m)} literal 0 HcmV?d00001 diff --git a/testing/btest/core/linuxsll2.zeek b/testing/btest/core/linuxsll2.zeek new file mode 100644 index 0000000000..a436eedc64 --- /dev/null +++ b/testing/btest/core/linuxsll2.zeek 
@@ -0,0 +1,17 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/linux_dlt_sll2.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+ {
+ print mac_src, mac_dst, SPA, SHA, TPA, THA;
+ }
+
+event icmp_echo_request(c: connection , info: icmp_info , id: count , seq: count , payload: string )
+ {
+ print c$id, info, id, seq;
+ }
+
+event icmp_echo_reply(c: connection , info: icmp_info , id: count , seq: count , payload: string )
+ {
+ print c$id, info, id, seq;
+ }
From 0bfec347329d6542229b7b39a968e14dfd5a3767 Mon Sep 17 00:00:00 2001 From: Simeon Miteff Date: Tue, 16 Aug 2022 09:35:43 +1000 Subject: [PATCH 2/7] Update plugins/hooks baseline --- testing/btest/Baseline/plugins.hooks/output | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+)
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 831f460d87..48bafbae32 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -619,6 +619,10 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)) -> 
@@ -637,6 +641,7 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> @@ -1025,6 +1030,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/irc, <...>/irc) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb, <...>/krb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging, <...>/logging) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/main, <...>/main.zeek) -> -1 
@@ -1409,6 +1415,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/irc, <...>/irc) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, ) 
@@ -2122,6 +2129,10 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)) 
@@ -2140,6 +2151,7 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) @@ -2528,6 +2540,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/irc, <...>/irc) 0.000000 MetaHookPre LoadFile(0, base<...>/krb, <...>/krb) 0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll, <...>/linux_sll) +0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) 0.000000 MetaHookPre LoadFile(0, base<...>/logging, <...>/logging) 0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/main, <...>/main.zeek) 
@@ -2912,6 +2925,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/irc, <...>/irc) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/krb, <...>/krb) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/logging, <...>/logging) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/main, <...>/main.zeek) @@ -3624,6 +3638,10 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP) 
@@ -3642,6 +3660,7 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1) @@ -4042,6 +4061,7 @@ 0.000000 | HookLoadFile base<...>/irc <...>/irc 0.000000 | HookLoadFile base<...>/krb <...>/krb 0.000000 | HookLoadFile base<...>/linux_sll <...>/linux_sll +0.000000 | HookLoadFile base<...>/linux_sll2 <...>/linux_sll2 0.000000 | HookLoadFile base<...>/logging <...>/logging 0.000000 | HookLoadFile base<...>/logging.bif <...>/logging.bif.zeek 0.000000 | HookLoadFile base<...>/main <...>/main.zeek @@ -4426,6 +4446,7 @@ 0.000000 | HookLoadFileExtended base<...>/irc <...>/irc 0.000000 | HookLoadFileExtended base<...>/krb <...>/krb 0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll +0.000000 | HookLoadFileExtended base<...>/linux_sll2 <...>/linux_sll2 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek From 2a22eb40784adeacd03ef1f13b8dcdb30e71e594 Mon Sep 17 00:00:00 2001 
From: Simeon Miteff Date: Tue, 16 Aug 2022 13:47:33 +1000 Subject: [PATCH 3/7] Update some coverage baselines --- .../coverage.bare-load-baseline/canonified_loaded_scripts.log | 2 ++ .../canonified_loaded_scripts.log | 2 ++ 2 files changed, 4 insertions(+) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0bb0cb3630..9ec8d13098 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -43,6 +43,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/ieee802_11_radio/main.zeek scripts/base/packet-protocols/linux_sll/__load__.zeek scripts/base/packet-protocols/linux_sll/main.zeek + scripts/base/packet-protocols/linux_sll2/__load__.zeek + scripts/base/packet-protocols/linux_sll2/main.zeek scripts/base/packet-protocols/nflog/__load__.zeek scripts/base/packet-protocols/nflog/main.zeek scripts/base/packet-protocols/null/__load__.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 754e4fa866..b90a915198 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -43,6 +43,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/ieee802_11_radio/main.zeek scripts/base/packet-protocols/linux_sll/__load__.zeek scripts/base/packet-protocols/linux_sll/main.zeek + scripts/base/packet-protocols/linux_sll2/__load__.zeek + scripts/base/packet-protocols/linux_sll2/main.zeek scripts/base/packet-protocols/nflog/__load__.zeek scripts/base/packet-protocols/nflog/main.zeek scripts/base/packet-protocols/null/__load__.zeek 
From bfcc45709345296c1827ffd55b063674715f9571 Mon Sep 17 00:00:00 2001 From: Simeon Miteff Date: Thu, 18 Aug 2022 09:29:04 +1000 Subject: [PATCH 4/7] Force event order in core/init-error btest See https://github.com/zeek/zeek/pull/2340#issuecomment-1218131444 --- testing/btest/core/init-error.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/core/init-error.zeek b/testing/btest/core/init-error.zeek index 70c9239bad..a8f49147df 100644 --- a/testing/btest/core/init-error.zeek +++ b/testing/btest/core/init-error.zeek @@ -9,7 +9,7 @@ event zeek_init() &priority=10 print "1st event"; } -event zeek_init() &priority=10 +event zeek_init() { print "2nd event"; local v = vector(1, 2, 3); From e9eed201698fc4a5e1be71d275fc6dfa35829857 Mon Sep 17 00:00:00 2001 From: Simeon Miteff Date: Thu, 18 Aug 2022 17:18:52 +1000 Subject: [PATCH 5/7] Set flag for libpcap without DLT_LINUX_SLL2 Requires https://github.com/zeek/cmake/commit/6fd82a7e1d626f68ebf616b45f9bec11ca49d295 Submodule edited until that can be merged. --- .gitmodules | 2 +- zeek-config.h.in | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index b43d81ffad..55fc47863e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -12,7 +12,7 @@ url = https://github.com/zeek/btest [submodule "cmake"] path = cmake - url = https://github.com/zeek/cmake + url = https://github.com/simeonmiteff/zeek-cmake [submodule "src/3rdparty"] path = src/3rdparty url = https://github.com/zeek/zeek-3rdparty diff --git a/zeek-config.h.in b/zeek-config.h.in index 68381ec7ac..c80368c2da 100644 --- a/zeek-config.h.in +++ b/zeek-config.h.in @@ -4,6 +4,8 @@ pcap_compile_nopcap */ #cmakedefine DONT_HAVE_LIBPCAP_PCAP_FREECODE +#cmakedefine DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2 + /* should explicitly declare socket() and friends */ #cmakedefine DO_SOCK_DECL From 74cc5dcd6bda6926633753502de54f4891e55287 Mon Sep 17 00:00:00 2001 
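Review bot: The `.gitmodules` hunk repoints the `cmake` submodule from `https://github.com/zeek/cmake` to a personal fork, `https://github.com/simeonmiteff/zeek-cmake`; the commit message calls this temporary, but as it stands anyone building the branch fetches build logic from a repository outside the project's control, so the line must go back to `url = https://github.com/zeek/cmake` before merge, once the referenced cmake commit has landed there. The new `#cmakedefine DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2` in zeek-config.h.in is fine on its own, but note that the test skip added in patch 6 greps for exactly that define name, so the two must be kept in sync if either is renamed.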
From: Simeon Miteff Date: Thu, 18 Aug 2022 17:19:44 +1000 Subject: [PATCH 6/7] Skip test based on preprocessor flag set by cmake Relies on change in d42dcb2d55029975a6a6b2e6378fc49a268631ec --- testing/btest/core/linuxsll2.zeek | 1 + 1 file changed, 1 insertion(+) diff --git a/testing/btest/core/linuxsll2.zeek b/testing/btest/core/linuxsll2.zeek index a436eedc64..49a270c08b 100644 --- a/testing/btest/core/linuxsll2.zeek +++ b/testing/btest/core/linuxsll2.zeek @@ -1,3 +1,4 @@ +# @TEST-REQUIRES: ! grep -q "#define DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2" $BUILD/zeek-config.h # @TEST-EXEC: zeek -b -C -r $TRACES/linux_dlt_sll2.pcap %INPUT # @TEST-EXEC: btest-diff .stdout From 3582e41838a2410e69e590540a229fd635d11e6e Mon Sep 17 00:00:00 2001 From: Simeon Miteff Date: Thu, 18 Aug 2022 22:13:08 +1000 Subject: [PATCH 7/7] Pull changes from zeek/cmake fork --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index c37351c8b1..6fd82a7e1d 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit c37351c8b1c09ad2479ed4c0ebb5cad339d3ccfd +Subproject commit 6fd82a7e1d626f68ebf616b45f9bec11ca49d295