Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Change to store data in packet directly instead of keystore

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-09-30 17:19:31 -07:00
parent d0ef05c748
commit 7d2c35174f
5 changed files with 36 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/packet_analysis/protocol/ip/IP.cc
View file

@ -30,10 +30,7 @@ IPAnalyzer::~IPAnalyzer()
bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
EncapsulationStack* encapsulation = nullptr;
auto it = packet->key_store.find("encap");
if ( it != packet->key_store.end() )
encapsulation = std::any_cast<EncapsulationStack*>(it->second);
EncapsulationStack* encapsulation = packet->encap;
// Check to make sure we have enough data left for an IP header to be here. Note we only
// check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header.
@ -53,6 +50,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
auto ip = (const struct ip *)data;
uint32_t protocol = ip->ip_v;
// This is a unique pointer because of the mass of early returns from this method.
std::unique_ptr<IP_Hdr> ip_hdr = nullptr;
if ( protocol == 4 )
{
@ -254,8 +252,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
break;
default:
// The tunnel analyzer needs this data.
packet->key_store["ip_hdr"] = ip_hdr.get();
packet->key_store["proto"] = proto;
packet->ip_hdr = ip_hdr.get();
packet->proto = proto;
// For everything else, pass it on to another analyzer. If there's no one to handle that,
// it'll report a Weird.