Add basic LLC, SNAP, and Novell 802.3 packet analyzers

scripts/base/packet-protocols/__load__.zeek

@@ -20,6 +20,9 @@
 @load base/packet-protocols/udp
 @load base/packet-protocols/tcp
 @load base/packet-protocols/icmp
+@load base/packet-protocols/llc
+@load base/packet-protocols/novell_802_3
+@load base/packet-protocols/snap
 
 @load base/packet-protocols/gre
 @load base/packet-protocols/iptunnel

scripts/base/packet-protocols/llc/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/llc/main.zeek

@@ -0,0 +1 @@
+module PacketAnalyzer::LLC;

scripts/base/packet-protocols/novell_802_3/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/novell_802_3/main.zeek

@@ -0,0 +1,6 @@
+module PacketAnalyzer::NOVELL_802_3;
+
+export {
+	# The Novell 802.3 protocol should expect an IPX analyzer here. Since
+	# one doesn't exist yet, the default analyzer is left undefined.
+}

scripts/base/packet-protocols/snap/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/snap/main.zeek

@@ -0,0 +1,9 @@
+module PacketAnalyzer::SNAP;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+	}

src/packet_analysis/protocol/CMakeLists.txt

@@ -14,6 +14,9 @@ add_subdirectory(mpls)
 add_subdirectory(pbb)
 add_subdirectory(linux_sll)
 add_subdirectory(linux_sll2)
+add_subdirectory(llc)
+add_subdirectory(snap)
+add_subdirectory(novell_802_3)
 
 add_subdirectory(arp)
 add_subdirectory(ip)

src/packet_analysis/protocol/llc/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    LLC
+    SOURCES
+        LLC.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/llc/LLC.cc

@@ -0,0 +1,34 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+using namespace zeek::packet_analysis::LLC;
+
+LLCAnalyzer::LLCAnalyzer() : zeek::packet_analysis::Analyzer("LLC") { }
+
+bool LLCAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// An LLC header is at least 3 bytes, check for that first.
+	if ( len < 3 )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	int llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	if ( len < llc_header_len )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// The destination SAP should be the next protocol in the chain, so forward
+	// based on that value. The DSAP is the first byte in header.
+	return ForwardPacket(len, data, packet, data[0]);
+	}

src/packet_analysis/protocol/llc/LLC.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LLC
+	{
+
+class LLCAnalyzer : public Analyzer
+	{
+public:
+	LLCAnalyzer();
+	~LLCAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<LLCAnalyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/llc/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+namespace zeek::plugin::Zeek_LLC
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"LLC", zeek::packet_analysis::LLC::LLCAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::LLC";
+		config.description = "LLC packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/novell_802_3/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    Novell_802_3
+    SOURCES
+        Novell_802_3.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/novell_802_3/Novell_802_3.cc

@@ -0,0 +1,14 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+using namespace zeek::packet_analysis::Novell_802_3;
+
+Novell_802_3Analyzer::Novell_802_3Analyzer() : zeek::packet_analysis::Analyzer("Novell_802_3") { }
+
+bool Novell_802_3Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Attempt to forward into the default analyzer, if one exists. This should be an IPX analyzer,
+	// but one doesn't exist yet.
+	return ForwardPacket(len, data, packet);
+	}

src/packet_analysis/protocol/novell_802_3/Novell_802_3.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::Novell_802_3
+	{
+
+class Novell_802_3Analyzer : public Analyzer
+	{
+public:
+	Novell_802_3Analyzer();
+	~Novell_802_3Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<Novell_802_3Analyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/novell_802_3/Plugin.cc

@@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+namespace zeek::plugin::Zeek_Novell_802_3
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"NOVELL_802_3",
+			zeek::packet_analysis::Novell_802_3::Novell_802_3Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::NOVELL_802_3";
+		config.description = "Novell 802.3 variantx packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/snap/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    SNAP
+    SOURCES
+        SNAP.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/snap/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+namespace zeek::plugin::Zeek_SNAP
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"SNAP", zeek::packet_analysis::SNAP::SNAPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::SNAP";
+		config.description = "SNAP packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/snap/SNAP.cc

@@ -0,0 +1,50 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+using namespace zeek::packet_analysis::SNAP;
+
+SNAPAnalyzer::SNAPAnalyzer() : zeek::packet_analysis::Analyzer("SNAP") { }
+
+bool SNAPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// The first part of the header is an LLC header, which we need to determine the
+	// length of the full header. Check to see if the shorter 3-byte version will fit.
+	if ( len < 3 )
+		{
+		Weird("truncated_snap_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	int llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	// Check the full length of the SNAP header, which is the LLC header plus 5 bytes.
+	if ( len < llc_header_len + 5 )
+		{
+		Weird("truncated_snap_header", packet);
+		return false;
+		}
+
+	data += llc_header_len;
+	len -= llc_header_len;
+
+	int oui = (data[0] << 16) | (data[1] << 8) | data[2];
+	int protocol = (data[3] << 8) | data[4];
+
+	data += 5;
+	len -= 5;
+
+	if ( oui == 0 )
+		{
+		// If the OUI is zero, the protocol is a standard ethertype and can be
+		// forwarded as such.
+		return ForwardPacket(len, data, packet, protocol);
+		}
+
+	return true;
+	}

src/packet_analysis/protocol/snap/SNAP.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::SNAP
+	{
+
+class SNAPAnalyzer : public Analyzer
+	{
+public:
+	SNAPAnalyzer();
+	~SNAPAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<SNAPAnalyzer>();
+		}
+	};
+
+	}

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -69,6 +69,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/llc/__load__.zeek
+      scripts/base/packet-protocols/llc/main.zeek
+    scripts/base/packet-protocols/novell_802_3/__load__.zeek
+      scripts/base/packet-protocols/novell_802_3/main.zeek
+    scripts/base/packet-protocols/snap/__load__.zeek
+      scripts/base/packet-protocols/snap/main.zeek
     scripts/base/packet-protocols/gre/__load__.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -69,6 +69,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/llc/__load__.zeek
+      scripts/base/packet-protocols/llc/main.zeek
+    scripts/base/packet-protocols/novell_802_3/__load__.zeek
+      scripts/base/packet-protocols/novell_802_3/main.zeek
+    scripts/base/packet-protocols/snap/__load__.zeek
+      scripts/base/packet-protocols/snap/main.zeek
     scripts/base/packet-protocols/gre/__load__.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -714,6 +714,10 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
@@ -1117,6 +1121,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/krb, <...>/krb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/llc, <...>/llc) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
@@ -1129,6 +1134,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/netcontrol, <...>/netcontrol) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/nflog, <...>/nflog) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/notice, <...>/notice) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/novell_802_3, <...>/novell_802_3) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntlm, <...>/ntlm) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntp, <...>/ntp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/null, <...>/null) -> -1
@@ -1159,6 +1165,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/skip, <...>/skip) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/smb, <...>/smb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/smtp, <...>/smtp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/snap, <...>/snap) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/snmp, <...>/snmp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/socks, <...>/socks) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/software, <...>/software) -> -1
@@ -1507,6 +1514,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/llc, <...>/llc) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
@@ -1519,6 +1527,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/nflog, <...>/nflog) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/notice, <...>/notice) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/novell_802_3, <...>/novell_802_3) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntp, <...>/ntp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/null, <...>/null) -> (-1, <no content>)
@@ -1549,6 +1558,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/skip, <...>/skip) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smb, <...>/smb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smtp, <...>/smtp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snap, <...>/snap) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snmp, <...>/snmp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/socks, <...>/socks) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/software, <...>/software) -> (-1, <no content>)
@@ -2316,6 +2326,10 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
@@ -2719,6 +2733,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll, <...>/linux_sll)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2)
+0.000000   MetaHookPre   LoadFile(0, base<...>/llc, <...>/llc)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
@@ -2731,6 +2746,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/netcontrol, <...>/netcontrol)
 0.000000   MetaHookPre   LoadFile(0, base<...>/nflog, <...>/nflog)
 0.000000   MetaHookPre   LoadFile(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFile(0, base<...>/novell_802_3, <...>/novell_802_3)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntlm, <...>/ntlm)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntp, <...>/ntp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/null, <...>/null)
@@ -2761,6 +2777,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/skip, <...>/skip)
 0.000000   MetaHookPre   LoadFile(0, base<...>/smb, <...>/smb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/snap, <...>/snap)
 0.000000   MetaHookPre   LoadFile(0, base<...>/snmp, <...>/snmp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/socks, <...>/socks)
 0.000000   MetaHookPre   LoadFile(0, base<...>/software, <...>/software)
@@ -3109,6 +3126,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/llc, <...>/llc)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
@@ -3121,6 +3139,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/nflog, <...>/nflog)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/novell_802_3, <...>/novell_802_3)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntlm, <...>/ntlm)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntp, <...>/ntp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/null, <...>/null)
@@ -3151,6 +3170,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/skip, <...>/skip)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smb, <...>/smb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snap, <...>/snap)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snmp, <...>/snmp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/socks, <...>/socks)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/software, <...>/software)
@@ -3917,6 +3937,10 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
@@ -4332,6 +4356,7 @@
 0.000000 | HookLoadFile  base<...>/krb <...>/krb
 0.000000 | HookLoadFile  base<...>/linux_sll <...>/linux_sll
 0.000000 | HookLoadFile  base<...>/linux_sll2 <...>/linux_sll2
+0.000000 | HookLoadFile  base<...>/llc <...>/llc
 0.000000 | HookLoadFile  base<...>/logging <...>/logging
 0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
@@ -4344,6 +4369,7 @@
 0.000000 | HookLoadFile  base<...>/netcontrol <...>/netcontrol
 0.000000 | HookLoadFile  base<...>/nflog <...>/nflog
 0.000000 | HookLoadFile  base<...>/notice <...>/notice
+0.000000 | HookLoadFile  base<...>/novell_802_3 <...>/novell_802_3
 0.000000 | HookLoadFile  base<...>/ntlm <...>/ntlm
 0.000000 | HookLoadFile  base<...>/ntp <...>/ntp
 0.000000 | HookLoadFile  base<...>/null <...>/null
@@ -4374,6 +4400,7 @@
 0.000000 | HookLoadFile  base<...>/skip <...>/skip
 0.000000 | HookLoadFile  base<...>/smb <...>/smb
 0.000000 | HookLoadFile  base<...>/smtp <...>/smtp
+0.000000 | HookLoadFile  base<...>/snap <...>/snap
 0.000000 | HookLoadFile  base<...>/snmp <...>/snmp
 0.000000 | HookLoadFile  base<...>/socks <...>/socks
 0.000000 | HookLoadFile  base<...>/software <...>/software
@@ -4722,6 +4749,7 @@
 0.000000 | HookLoadFileExtended base<...>/krb <...>/krb
 0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll
 0.000000 | HookLoadFileExtended base<...>/linux_sll2 <...>/linux_sll2
+0.000000 | HookLoadFileExtended base<...>/llc <...>/llc
 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
@@ -4734,6 +4762,7 @@
 0.000000 | HookLoadFileExtended base<...>/netcontrol <...>/netcontrol
 0.000000 | HookLoadFileExtended base<...>/nflog <...>/nflog
 0.000000 | HookLoadFileExtended base<...>/notice <...>/notice
+0.000000 | HookLoadFileExtended base<...>/novell_802_3 <...>/novell_802_3
 0.000000 | HookLoadFileExtended base<...>/ntlm <...>/ntlm
 0.000000 | HookLoadFileExtended base<...>/ntp <...>/ntp
 0.000000 | HookLoadFileExtended base<...>/null <...>/null
@@ -4764,6 +4793,7 @@
 0.000000 | HookLoadFileExtended base<...>/skip <...>/skip
 0.000000 | HookLoadFileExtended base<...>/smb <...>/smb
 0.000000 | HookLoadFileExtended base<...>/smtp <...>/smtp
+0.000000 | HookLoadFileExtended base<...>/snap <...>/snap
 0.000000 | HookLoadFileExtended base<...>/snmp <...>/snmp
 0.000000 | HookLoadFileExtended base<...>/socks <...>/socks
 0.000000 | HookLoadFileExtended base<...>/software <...>/software

testing/btest/Baseline/scripts.base.files.x509.files/files.log

@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout

@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -189,7 +189,6 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@@ -202,13 +201,13 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@@ -218,6 +217,7 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_handshake_message

testing/btest/scripts/base/protocols/snap/snap-arp.test

@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -r $TRACES/snap-arp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}