Merge remote-tracking branch 'simeonmiteff/master'

* simeonmiteff/master:
  Pull changes from zeek/cmake fork
  Skip test based on preprocessor flag set by cmake
  Set flag for libpcap without DLT_LINUX_SLL2
  Force event order in core/init-error btest
  Update some coverage baselines
  Update plugins/hooks baseline
  Add support for DLT_LINUX_SLL2 PCAP link-type

CHANGES

@@ -1,3 +1,22 @@
+5.1.0-dev.450 | 2022-08-24 09:22:47 -0700
+
+  * Skip test based on preprocessor flag set by cmake (Simeon Miteff, Corelight)
+
+    Relies on change in d42dcb2d55029975a6a6b2e6378fc49a268631ec
+
+  * Set flag for libpcap without DLT_LINUX_SLL2 (Simeon Miteff, Corelight)
+
+    Requires
+    https://github.com/zeek/cmake/commit/6fd82a7e1d626f68ebf616b45f9bec11ca49d295
+
+    Submodule edited until that can be merged.
+
+  * Force event order in core/init-error btest (Simeon Miteff, Corelight)
+
+    See https://github.com/zeek/zeek/pull/2340#issuecomment-1218131444
+
+  * Add support for DLT_LINUX_SLL2 PCAP link-type (Simeon Miteff, Corelight)
+
 5.1.0-dev.442 | 2022-08-24 13:22:17 +0100
 
   * Add Broker::metrics_import_topics (Arne Welzel & Dominik Charousset, both Corelight)

VERSION

@@ -1 +1 @@
-5.1.0-dev.442
+5.1.0-dev.450

cmake

@@ -1 +1 @@
-Subproject commit c37351c8b1c09ad2479ed4c0ebb5cad339d3ccfd
+Subproject commit fcccb2bd4dfd8698a121a47f91abdcde1325fa69

scripts/base/packet-protocols/__load__.zeek

@@ -8,6 +8,7 @@
 @load base/packet-protocols/ieee802_11
 @load base/packet-protocols/ieee802_11_radio
 @load base/packet-protocols/linux_sll
+@load base/packet-protocols/linux_sll2
 @load base/packet-protocols/nflog
 @load base/packet-protocols/null
 @load base/packet-protocols/ppp_serial

scripts/base/packet-protocols/linux_sll2/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/linux_sll2/main.zeek

@@ -0,0 +1,11 @@
+module PacketAnalyzer::LINUXSLL2;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+
+	# RARP
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+	}

scripts/base/packet-protocols/root/main.zeek

@@ -10,6 +10,7 @@ const DLT_FDDI : count = 10;
 const DLT_IEEE802_11 : count = 105;
 const DLT_IEEE802_11_RADIO : count = 127;
 const DLT_LINUX_SLL : count = 113;
+const DLT_LINUX_SLL2 : count = 276;
 const DLT_NFLOG : count = 239;
 
 event zeek_init() &priority=20
@@ -19,5 +20,6 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11, PacketAnalyzer::ANALYZER_IEEE802_11);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11_RADIO, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL, PacketAnalyzer::ANALYZER_LINUXSLL);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL2, PacketAnalyzer::ANALYZER_LINUXSLL2);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_NFLOG, PacketAnalyzer::ANALYZER_NFLOG);
 	}

src/iosource/Packet.h

@@ -136,8 +136,8 @@ public:
 
 	/**
 	 * Empty layer 2 address to be used as default value. For example, the
-	 * LinuxSLL packet analyzer doesn't have a destination address in the
+	 * LinuxSLL/LinuxSLL2 packet analyzers don't have a destination address
-	 * header and thus sets it to this default address.
+	 * in the header and thus sets it to this default address.
 	 */
 	static constexpr const u_char L2_EMPTY_ADDR[L2_ADDR_LEN] = {0};
 

src/packet_analysis/protocol/CMakeLists.txt

@@ -12,6 +12,7 @@ add_subdirectory(fddi)
 add_subdirectory(nflog)
 add_subdirectory(mpls)
 add_subdirectory(linux_sll)
+add_subdirectory(linux_sll2)
 
 add_subdirectory(arp)
 add_subdirectory(ip)

src/packet_analysis/protocol/linux_sll2/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer LinuxSLL2)
+zeek_plugin_cc(LinuxSLL2.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc

@@ -0,0 +1,30 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+using namespace zeek::packet_analysis::LinuxSLL2;
+
+LinuxSLL2Analyzer::LinuxSLL2Analyzer() : zeek::packet_analysis::Analyzer("LinuxSLL2") { }
+
+bool LinuxSLL2Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	auto len_sll2_hdr = sizeof(SLL2Header);
+	if ( len_sll2_hdr >= len )
+		{
+		Weird("truncated_Linux_SLL2_header", packet);
+		return false;
+		}
+
+	// Note: We assume to see an Ethertype and don't consider different ARPHRD_types
+	// (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html)
+	auto hdr = (const SLL2Header*)data;
+
+	uint32_t protocol = ntohs(hdr->protocol_type);
+	packet->l2_src = (u_char*)&(hdr->addr);
+
+	// SLL doesn't include a destination address in the header, but not setting l2_dst to something
+	// here will cause crashes elsewhere.
+	packet->l2_dst = Packet::L2_EMPTY_ADDR;
+
+	return ForwardPacket(len - len_sll2_hdr, data + len_sll2_hdr, packet, protocol);
+	}

src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h

@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LinuxSLL2
+	{
+
+class LinuxSLL2Analyzer : public Analyzer
+	{
+public:
+	LinuxSLL2Analyzer();
+	~LinuxSLL2Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<LinuxSLL2Analyzer>();
+		}
+
+private:
+	// Structure layout is based on https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html
+	struct SLL2Header
+		{
+		uint16_t protocol_type;
+		uint16_t reserved;
+		uint32_t interface_index;
+		uint16_t arphrd_type;
+		uint8_t packet_type;
+		uint8_t addr_len;
+		uint64_t addr;
+		} __attribute__((__packed__));
+	};
+
+	}

src/packet_analysis/protocol/linux_sll2/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+namespace zeek::plugin::Zeek_LinuxSLL2
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"LinuxSLL2", zeek::packet_analysis::LinuxSLL2::LinuxSLL2Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::LinuxSLL2";
+		config.description = "Linux cooked capture version 2 (SLL2) packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

testing/btest/Baseline/core.linuxsll2/.stdout

@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=8, icode=0, len=56, ttl=64], 8, 1
+[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=0, icode=0, len=56, ttl=64], 8, 1
+[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=128, icode=0, len=56, ttl=64], 9, 1
+[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=129, icode=0, len=56, ttl=64], 9, 1
+8e:36:06:44:ac:af, 00:00:00:00:00:00, 192.0.2.1, 8e:36:06:44:ac:af, 192.0.2.2, 00:00:00:00:00:00

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -43,6 +43,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/ieee802_11_radio/main.zeek
     scripts/base/packet-protocols/linux_sll/__load__.zeek
       scripts/base/packet-protocols/linux_sll/main.zeek
+    scripts/base/packet-protocols/linux_sll2/__load__.zeek
+      scripts/base/packet-protocols/linux_sll2/main.zeek
     scripts/base/packet-protocols/nflog/__load__.zeek
       scripts/base/packet-protocols/nflog/main.zeek
     scripts/base/packet-protocols/null/__load__.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -43,6 +43,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/ieee802_11_radio/main.zeek
     scripts/base/packet-protocols/linux_sll/__load__.zeek
       scripts/base/packet-protocols/linux_sll/main.zeek
+    scripts/base/packet-protocols/linux_sll2/__load__.zeek
+      scripts/base/packet-protocols/linux_sll2/main.zeek
     scripts/base/packet-protocols/nflog/__load__.zeek
       scripts/base/packet-protocols/nflog/main.zeek
     scripts/base/packet-protocols/null/__load__.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -623,6 +623,10 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -641,6 +645,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
@@ -1029,6 +1034,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/irc, <...>/irc) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/krb, <...>/krb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
@@ -1413,6 +1419,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/irc, <...>/irc) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
@@ -2130,6 +2137,10 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP))
@@ -2148,6 +2159,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
@@ -2536,6 +2548,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/irc, <...>/irc)
 0.000000   MetaHookPre   LoadFile(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll, <...>/linux_sll)
+0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
@@ -2920,6 +2933,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/irc, <...>/irc)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
@@ -3636,6 +3650,10 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 2048, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 32821, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL2, 34525, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)
@@ -3654,6 +3672,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
@@ -4054,6 +4073,7 @@
 0.000000 | HookLoadFile  base<...>/irc <...>/irc
 0.000000 | HookLoadFile  base<...>/krb <...>/krb
 0.000000 | HookLoadFile  base<...>/linux_sll <...>/linux_sll
+0.000000 | HookLoadFile  base<...>/linux_sll2 <...>/linux_sll2
 0.000000 | HookLoadFile  base<...>/logging <...>/logging
 0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
@@ -4438,6 +4458,7 @@
 0.000000 | HookLoadFileExtended base<...>/irc <...>/irc
 0.000000 | HookLoadFileExtended base<...>/krb <...>/krb
 0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll
+0.000000 | HookLoadFileExtended base<...>/linux_sll2 <...>/linux_sll2
 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek

testing/btest/core/init-error.zeek

@@ -9,7 +9,7 @@ event zeek_init() &priority=10
 	print "1st event";
 	}
 
-event zeek_init() &priority=10
+event zeek_init()
 	{
 	print "2nd event";
 	local v = vector(1, 2, 3);

testing/btest/core/linuxsll2.zeek

@@ -0,0 +1,18 @@
+# @TEST-REQUIRES: ! grep -q "#define DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2" $BUILD/zeek-config.h
+# @TEST-EXEC: zeek -b -C -r $TRACES/linux_dlt_sll2.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+        {
+        print mac_src, mac_dst, SPA, SHA, TPA, THA;
+        }
+
+event icmp_echo_request(c: connection , info: icmp_info , id: count , seq: count , payload: string )
+        {
+        print c$id, info, id, seq;
+        }
+
+event icmp_echo_reply(c: connection , info: icmp_info , id: count , seq: count , payload: string )
+        {
+        print c$id, info, id, seq;
+        }

zeek-config.h.in

@@ -4,6 +4,8 @@
    pcap_compile_nopcap */
 #cmakedefine DONT_HAVE_LIBPCAP_PCAP_FREECODE
 
+#cmakedefine DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2
+
 /* should explicitly declare socket() and friends */
 #cmakedefine DO_SOCK_DECL