Add basic LLC, SNAP, and Novell 802.3 packet analyzers

src/packet_analysis/protocol/CMakeLists.txt

@@ -14,6 +14,9 @@ add_subdirectory(mpls)
 add_subdirectory(pbb)
 add_subdirectory(linux_sll)
 add_subdirectory(linux_sll2)
+add_subdirectory(llc)
+add_subdirectory(snap)
+add_subdirectory(novell_802_3)
 
 add_subdirectory(arp)
 add_subdirectory(ip)

src/packet_analysis/protocol/llc/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    LLC
+    SOURCES
+        LLC.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/llc/LLC.cc

@@ -0,0 +1,34 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+using namespace zeek::packet_analysis::LLC;
+
+LLCAnalyzer::LLCAnalyzer() : zeek::packet_analysis::Analyzer("LLC") { }
+
+bool LLCAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// An LLC header is at least 3 bytes, check for that first.
+	if ( len < 3 )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	int llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	if ( len < llc_header_len )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// The destination SAP should be the next protocol in the chain, so forward
+	// based on that value. The DSAP is the first byte in header.
+	return ForwardPacket(len, data, packet, data[0]);
+	}

src/packet_analysis/protocol/llc/LLC.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LLC
+	{
+
+class LLCAnalyzer : public Analyzer
+	{
+public:
+	LLCAnalyzer();
+	~LLCAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<LLCAnalyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/llc/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+namespace zeek::plugin::Zeek_LLC
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"LLC", zeek::packet_analysis::LLC::LLCAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::LLC";
+		config.description = "LLC packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/novell_802_3/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    Novell_802_3
+    SOURCES
+        Novell_802_3.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/novell_802_3/Novell_802_3.cc

@@ -0,0 +1,14 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+using namespace zeek::packet_analysis::Novell_802_3;
+
+Novell_802_3Analyzer::Novell_802_3Analyzer() : zeek::packet_analysis::Analyzer("Novell_802_3") { }
+
+bool Novell_802_3Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Attempt to forward into the default analyzer, if one exists. This should be an IPX analyzer,
+	// but one doesn't exist yet.
+	return ForwardPacket(len, data, packet);
+	}

src/packet_analysis/protocol/novell_802_3/Novell_802_3.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::Novell_802_3
+	{
+
+class Novell_802_3Analyzer : public Analyzer
+	{
+public:
+	Novell_802_3Analyzer();
+	~Novell_802_3Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<Novell_802_3Analyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/novell_802_3/Plugin.cc

@@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+namespace zeek::plugin::Zeek_Novell_802_3
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"NOVELL_802_3",
+			zeek::packet_analysis::Novell_802_3::Novell_802_3Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::NOVELL_802_3";
+		config.description = "Novell 802.3 variantx packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/snap/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    SNAP
+    SOURCES
+        SNAP.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/snap/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+namespace zeek::plugin::Zeek_SNAP
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"SNAP", zeek::packet_analysis::SNAP::SNAPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::SNAP";
+		config.description = "SNAP packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/snap/SNAP.cc

@@ -0,0 +1,50 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+using namespace zeek::packet_analysis::SNAP;
+
+SNAPAnalyzer::SNAPAnalyzer() : zeek::packet_analysis::Analyzer("SNAP") { }
+
+bool SNAPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// The first part of the header is an LLC header, which we need to determine the
+	// length of the full header. Check to see if the shorter 3-byte version will fit.
+	if ( len < 3 )
+		{
+		Weird("truncated_snap_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	int llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	// Check the full length of the SNAP header, which is the LLC header plus 5 bytes.
+	if ( len < llc_header_len + 5 )
+		{
+		Weird("truncated_snap_header", packet);
+		return false;
+		}
+
+	data += llc_header_len;
+	len -= llc_header_len;
+
+	int oui = (data[0] << 16) | (data[1] << 8) | data[2];
+	int protocol = (data[3] << 8) | data[4];
+
+	data += 5;
+	len -= 5;
+
+	if ( oui == 0 )
+		{
+		// If the OUI is zero, the protocol is a standard ethertype and can be
+		// forwarded as such.
+		return ForwardPacket(len, data, packet, protocol);
+		}
+
+	return true;
+	}

src/packet_analysis/protocol/snap/SNAP.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::SNAP
+	{
+
+class SNAPAnalyzer : public Analyzer
+	{
+public:
+	SNAPAnalyzer();
+	~SNAPAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<SNAPAnalyzer>();
+		}
+	};
+
+	}