Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers

Browse source
This commit is contained in:
Tim Wojtulewicz 2023-04-19 10:40:44 -07:00 committed by Tim Wojtulewicz
parent c5b8603218
commit 7aa7909c94
4 changed files with 63 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/packet-protocols/vlan/main.zeek
View file

@ -1,5 +1,14 @@
module PacketAnalyzer::VLAN;
export
{
# We use some magic numbers here to denote these. The values here are outside the range of the
# standard ethertypes, which should always be above 1536.
const SNAP_FORWARDING_KEY : count = 0x0001;
const NOVELL_FORWARDING_KEY : count = 0x0002;
const LLC_FORWARDING_KEY : count = 0x0003;
}
event zeek_init() &priority=20
{
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
@ -10,4 +19,11 @@ event zeek_init() &priority=20
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8035, PacketAnalyzer::ANALYZER_ARP);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, SNAP_FORWARDING_KEY,
PacketAnalyzer::ANALYZER_SNAP);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, NOVELL_FORWARDING_KEY,
PacketAnalyzer::ANALYZER_NOVELL_802_3);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, LLC_FORWARDING_KEY,
PacketAnalyzer::ANALYZER_LLC);
}

37
src/packet_analysis/protocol/vlan/VLAN.cc
View file

@ -4,7 +4,12 @@
using namespace zeek::packet_analysis::VLAN;
VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN") { }
VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN")
{
snap_forwarding_key = id::find_val("PacketAnalyzer::VLAN::SNAP_FORWARDING_KEY")->AsCount();
novell_forwarding_key = id::find_val("PacketAnalyzer::VLAN::NOVELL_FORWARDING_KEY")->AsCount();
llc_forwarding_key = id::find_val("PacketAnalyzer::VLAN::LLC_FORWARDING_KEY")->AsCount();
}
bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
@ -17,8 +22,32 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
// Get the protocol/length field from the last 2 bytes of the header.
uint32_t protocol = ((data[2] << 8u) + data[3]);
packet->eth_type = protocol;
// Skip the VLAN header
return ForwardPacket(len - 4, data + 4, packet, protocol);
if ( protocol >= 1536 )
{
packet->eth_type = protocol;
// Skip the VLAN header
return ForwardPacket(len - 4, data + 4, packet, protocol);
}
if ( protocol <= 1500 )
{
// We use magic numbers here to denote the protocols for the forwarding. We know these
// numbers should be valid because any others used should be > 1500, as above.
if ( data[0] == 0xAA && data[1] == 0xAA )
// IEEE 802.2 SNAP
return ForwardPacket(len, data, packet, snap_forwarding_key);
else if ( data[0] == 0xFF && data[1] == 0xFF )
// Novell raw IEEE 802.3
return ForwardPacket(len, data, packet, novell_forwarding_key);
else
// IEEE 802.2 LLC
return ForwardPacket(len, data, packet, llc_forwarding_key);
}
Weird("undefined_vlan_protocol", packet);
return false;
}

5
src/packet_analysis/protocol/vlan/VLAN.h
View file

@ -20,6 +20,11 @@ public:
{
return std::make_shared<VLANAnalyzer>();
}
private:
zeek_uint_t snap_forwarding_key = 0;
zeek_uint_t novell_forwarding_key = 0;
zeek_uint_t llc_forwarding_key = 0;
};
}

9
testing/btest/Baseline/plugins.hooks/output
View file

@ -727,8 +727,11 @@
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@ -2342,8 +2345,11 @@
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP))
@ -3956,8 +3962,11 @@
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)