From 479c4be08b73fa9682fcfe566f57a692c25b8e5f Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Thu, 6 Mar 2025 09:25:03 -0700
Subject: [PATCH] Set ip_proto when creating new tunnel encapsulations

---
 src/TunnelEncapsulation.h | 15 +++++++++----
 .../protocol/iptunnel/IPTunnel.cc | 3 ++-
 .../core.tunnels.gre-erspan3-dot1q/out | 2 +-
 .../Baseline/core.tunnels.ip-in-ip/output | 16 +++++++-------
 .../core.tunnels.ip-tunnel-uid/output | 22 +++++++++----------
 5 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index dddca6ca90..3693e28172 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@@ -40,15 +40,22 @@ public:
 * @param d The tunnel destination address, likely taken from an IP header.
 * @param t The type of IP tunnel.
 */
- EncapsulatingConn(const IPAddr& s, const IPAddr& d, BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
+ EncapsulatingConn(const IPAddr& s, const IPAddr& d, BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP,
+ uint16_t ip_proto = UNKNOWN_IP_PROTO)
 : src_addr(s),
 dst_addr(d),
 src_port(0),
 dst_port(0),
- proto(TRANSPORT_UNKNOWN),
- ip_proto(UNKNOWN_IP_PROTO),
+ ip_proto(ip_proto),
 type(t),
- uid(UID(detail::bits_per_uid)) {}
+ uid(UID(detail::bits_per_uid)) {
+ switch ( ip_proto ) {
+ case IPPROTO_ICMP: proto = TRANSPORT_ICMP; break;
+ case IPPROTO_UDP: proto = TRANSPORT_UDP; break;
+ case IPPROTO_TCP: proto = TRANSPORT_TCP; break;
+ default: proto = TRANSPORT_UNKNOWN; break;
+ }
+ }
 /**
 * Construct a tunnel connection using information from an already existing
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index 80d9bef0c7..a6330fff2d 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
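Review bot: The Doxygen block above the constructor still documents only `s`, `d` and `t`; the new `ip_proto` parameter needs its own entry, e.g. ` * @param ip_proto Protocol number taken from the outer IP header (IPPROTO_*); used to derive `proto`, defaults to UNKNOWN_IP_PROTO.` The switch that derives `proto` maps only IPPROTO_ICMP, IPPROTO_UDP and IPPROTO_TCP, so an ICMPv6 carrier (protocol 58) stays TRANSPORT_UNKNOWN even though the baselines in this same commit show ordinary connections with proto=58 rendered with icmp ports, i.e. the rest of the code folds ICMPv6 into the ICMP transport; adding `case IPPROTO_ICMPV6:` to the ICMP arm, or a comment stating that the omission is deliberate, would keep the two consistent. A style point: the constructor parameter `ip_proto` shadows the member of the same name, so `switch ( ip_proto )` reads the parameter while `ip_proto(ip_proto)` initialises the member from it — correct because both hold the same value, but renaming the parameter or writing `switch ( this->ip_proto )` removes the ambiguity for the next reader. The class EncapsulatingConn begins before this hunk.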
@@ -60,7 +60,8 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 IPTunnelMap::iterator tunnel_it = ip_tunnels.find(tunnel_idx);
 if ( tunnel_it == ip_tunnels.end() ) {
- EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type);
+ EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type,
+ packet->ip_hdr->NextProto());
 ip_tunnels[tunnel_idx] = TunnelActivity(ec, run_state::network_time);
 zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this));
 }
diff --git a/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out b/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out
index 6a3f8dd026..90d4288ed8 100644
--- a/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out
+++ b/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out
@@ -2,5 +2,5 @@
 echo request, 43, 4
 echo reply, 43, 4
 [orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1]
-[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
+[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=47], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
 vlans 10, nil
diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip/output b/testing/btest/Baseline/core.tunnels.ip-in-ip/output
index 2c8960fd7c..37960f00a2 100644
--- a/testing/btest/Baseline/core.tunnels.ip-in-ip/output
+++ b/testing/btest/Baseline/core.tunnels.ip-in-ip/output
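Review bot: The new argument `packet->ip_hdr->NextProto()` is passed without saying which header it describes; a one-line comment such as `// Outer header's protocol number, so the tunnel's conn_id reports the carrier protocol (4, 41, 47 in the baselines)` would make the intent explicit at the call site. For an IPv6 outer header that carries extension headers it is not visible here whether NextProto() returns the fixed header's Next Header field or the final value in the chain; if it is the former, the encapsulation could be labelled with an extension-header number rather than the encapsulated protocol, so that is worth confirming against IP_Hdr and noting in the comment. The tunnel entry is only created when `tunnel_idx` is new, so an existing entry keeps whatever ip_proto it was first seen with, which seems intended but is undocumented. AnalyzePacket starts and ends outside this hunk.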
@@ -1,23 +1,23 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]] + encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]] new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6] - encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=65535], 
tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=4], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=4], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] tunnel_changed: conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] - new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]] + old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]] 
diff --git a/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output b/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output
index 619e0d5a7a..022940d99f 100644
--- a/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output
+++ b/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output
@@ -1,34 +1,34 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. new_connection: tunnel conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, 
resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, 
uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]