Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers

Browse source
This commit is contained in:
Tim Wojtulewicz 2023-04-19 10:40:44 -07:00 committed by Tim Wojtulewicz
parent c5b8603218
commit 7aa7909c94
4 changed files with 63 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

37
src/packet_analysis/protocol/vlan/VLAN.cc
View file

@ -4,7 +4,12 @@
using namespace zeek::packet_analysis::VLAN;
VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN") { }
VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN")
{
snap_forwarding_key = id::find_val("PacketAnalyzer::VLAN::SNAP_FORWARDING_KEY")->AsCount();
novell_forwarding_key = id::find_val("PacketAnalyzer::VLAN::NOVELL_FORWARDING_KEY")->AsCount();
llc_forwarding_key = id::find_val("PacketAnalyzer::VLAN::LLC_FORWARDING_KEY")->AsCount();
}
bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
@ -17,8 +22,32 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
// Get the protocol/length field from the last 2 bytes of the header.
uint32_t protocol = ((data[2] << 8u) + data[3]);
packet->eth_type = protocol;
// Skip the VLAN header
return ForwardPacket(len - 4, data + 4, packet, protocol);
if ( protocol >= 1536 )
{
packet->eth_type = protocol;
// Skip the VLAN header
return ForwardPacket(len - 4, data + 4, packet, protocol);
}
if ( protocol <= 1500 )
{
// We use magic numbers here to denote the protocols for the forwarding. We know these
// numbers should be valid because any others used should be > 1500, as above.
if ( data[0] == 0xAA && data[1] == 0xAA )
// IEEE 802.2 SNAP
return ForwardPacket(len, data, packet, snap_forwarding_key);
else if ( data[0] == 0xFF && data[1] == 0xFF )
// Novell raw IEEE 802.3
return ForwardPacket(len, data, packet, novell_forwarding_key);
else
// IEEE 802.2 LLC
return ForwardPacket(len, data, packet, llc_forwarding_key);
}
Weird("undefined_vlan_protocol", packet);
return false;
}

5
src/packet_analysis/protocol/vlan/VLAN.h
View file

@ -20,6 +20,11 @@ public:
{
return std::make_shared<VLANAnalyzer>();
}
private:
zeek_uint_t snap_forwarding_key = 0;
zeek_uint_t novell_forwarding_key = 0;
zeek_uint_t llc_forwarding_key = 0;
};
}