diff --git a/src/Sessions.cc b/src/Sessions.cc index 7dd33362a9..418e154a9e 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -802,7 +802,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt, Packet p; p.Init(link_type, &ts, caplen, len, data, false, ""); - if ( p.Layer2Valid() && (p.l3_proto == L3_IPV4 || p.l3_proto == L3_IPV6) ) + if ( p.l2_valid && (p.l3_proto == L3_IPV4 || p.l3_proto == L3_IPV6) ) { auto inner = p.IP(); DoNextPacket(t, &p, &inner, outer); diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index 7fde0ce5ef..a28fe45798 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -65,7 +65,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000); Packet pkt(DLT_EN10MB, &ts, caplen, len, data); - if ( ! pkt.Layer2Valid() ) + if ( ! pkt.l2_valid ) { ProtocolViolation("VXLAN invalid inner ethernet frame", (const char*) data, len); diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 3d530fea3b..d8e985d153 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -78,7 +78,7 @@ void Packet::Weird(const char* name) sessions->Weird(name, this); } -IntrusivePtr Packet::ToRawPktHdrVal() const +RecordValPtr Packet::ToRawPktHdrVal() const { static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr"); static auto l2_hdr_type = id::find_type("l2_hdr"); diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index fe1968038f..ecb98ad7ea 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h 
@@ -116,23 +116,6 @@ public: uint32_t len, const u_char *data, bool copy = false, std::string tag = std::string("")); - /** - * Returns true if parsing the layer 2 fields failed, including when - * no data was passed into the constructor in the first place. - */ - bool Layer2Valid() const - { - return l2_valid; - } - - /** - * Signals that the processing of layer 2 failed. - */ - void InvalidateLayer2() - { - l2_valid = false; - } - /** * Interprets the Layer 3 of the packet as IP and returns a * corresponding object. 
@@ -169,46 +152,47 @@ public: uint32_t cap_len; /// Captured packet length uint32_t link_type; /// pcap link_type (DLT_EN10MB, DLT_RAW, etc) + // True if L2 processing succeeded. If data is set on initialization of + // the packet, L2 is assumed to be valid. The packet manager will then + // process the packet and set l2_valid to False if the analysis failed. + bool l2_valid; + // These are computed from Layer 2 data. These fields are only valid if - // Layer2Valid() returns true. + // l2_valid returns true. /** - * Layer 2 header size. Valid iff Layer2Valid() returns true. + * Layer 2 header size. Valid iff l2_valid is true. */ uint32_t hdr_size; /** - * Layer 3 protocol identified (if any). Valid iff Layer2Valid() - * returns true. + * Layer 3 protocol identified (if any). Valid iff l2_valid is true. */ Layer3Proto l3_proto; /** * If layer 2 is Ethernet, innermost ethertype field. Valid iff - * Layer2Valid() returns true. + * l2_valid is true. */ uint32_t eth_type; /** - * Layer 2 source address. Valid iff Layer2Valid() returns true. + * Layer 2 source address. Valid iff l2_valid is true. */ const u_char* l2_src; /** - * Layer 2 destination address. Valid iff Layer2Valid() returns - * true. + * Layer 2 destination address. Valid iff l2_valid is true. */ const u_char* l2_dst; /** - * (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid() - * returns true. + * (Outermost) VLAN tag if any, else 0. Valid iff l2_valid is true. */ uint32_t vlan; /** - * (Innermost) VLAN tag if any, else 0. Valid iff Layer2Valid() - * returns true. + * (Innermost) VLAN tag if any, else 0. Valid iff l2_valid is true. */ uint32_t inner_vlan; @@ -245,9 +229,6 @@ private: // True if we need to delete associated packet memory upon // destruction. bool copy; - - // True if L2 processing succeeded. - bool l2_valid; }; } // namespace zeek diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index 519c6da81e..38fb51cefb 100644 --- a/src/iosource/PktSrc.cc 
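Review bot: The new public `bool l2_valid;` in the Layer 2 field group has no in-class initializer and is now writable by any code holding a `Packet`, yet it is the only guard on `hdr_size`, `l3_proto`, `l2_src` and `l2_dst`. A default-constructed packet (Sessions.cc does `Packet p; p.Init(...)`) depends on code outside this hunk to set the flag before the first read; declaring it as `bool l2_valid = false;` would make the unset state fail closed. The comment should also name who is expected to write the flag, since the removed `InvalidateLayer2()` only allowed clearing it. The retained line `// l2_valid returns true.` should read `// l2_valid is true.`, as it is no longer a function. The class continues outside the hunk.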
+++ b/src/iosource/PktSrc.cc @@ -189,7 +189,7 @@ void PktSrc::Process() if ( ! ExtractNextPacketInternal() ) return; - if ( current_packet.Layer2Valid() ) + if ( current_packet.l2_valid ) { if ( run_state::pseudo_realtime ) { diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 62574e7f8f..4229bfb33a 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -70,8 +70,8 @@ void Manager::ProcessPacket(Packet* packet) DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); #endif // Start packet analysis - if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) ) - packet->InvalidateLayer2(); + packet->l2_valid = root_analyzer->ForwardPacket(packet->cap_len, packet->data, + packet, packet->link_type); } AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index c924b7233d..9f3dd25787 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -18,7 +18,8 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa return false; } - //TODO: Handle different ARPHRD_types + // Note: We assume to see an Ethertype and don't consider different ARPHRD_types + // (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html) auto hdr = (const SLLHeader*)data; uint32_t protocol = ntohs(hdr->protocol_type);
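Review bot: Assigning the result of `ForwardPacket()` straight to `packet->l2_valid` in `Manager::ProcessPacket` changes behaviour, not only spelling: the old code could only clear the flag, the new line can also set it to true. If a packet arrives with the flag already false, or an analyzer further down the chain clears it but the root call still returns true, the flag ends up true and code that gates on it would treat the Layer 2 fields as valid. Whether either case can occur is not visible in this hunk; if it can, keep the one-way form, `if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) ) packet->l2_valid = false;`. The function body starts outside the hunk.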
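Review bot: The replacement comment in `LinuxSLLAnalyzer::AnalyzePacket` records the Ethertype assumption but not what happens when it does not hold, and the next lines read `hdr->protocol_type` as an Ethertype for every frame. According to the linked LINKTYPE_LINUX_SLL page the meaning of that field depends on the header's ARPHRD type, so frames captured from other device types would be dispatched on a value that is not an Ethertype. I would extend the comment, e.g. `// Frames with other ARPHRD types are not detected; their protocol field is still read as an Ethertype.`, and consider reporting such frames rather than forwarding them. The function continues outside the hunk, so a later check may already exist.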