Packet analysis cleanup.

2025-10-05 08:08:19 +00:00 · 2020-09-22 15:07:41 +02:00 · 2020-09-22 15:07:41 +02:00 · 8d834a1d89
commit 8d834a1d89
parent 62562504d5
7 changed files with 21 additions and 39 deletions
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -802,7 +802,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
 	Packet p;
 	p.Init(link_type, &ts, caplen, len, data, false, "");

-	if ( p.Layer2Valid() && (p.l3_proto == L3_IPV4 || p.l3_proto == L3_IPV6) )
+	if ( p.l2_valid && (p.l3_proto == L3_IPV4 || p.l3_proto == L3_IPV6) )
 		{
 		auto inner = p.IP();
 		DoNextPacket(t, &p, &inner, outer);
--- a/src/analyzer/protocol/vxlan/VXLAN.cc
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@ -65,7 +65,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 	ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000);
 	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);

-	if ( ! pkt.Layer2Valid() )
+	if ( ! pkt.l2_valid )
 		{
 		ProtocolViolation("VXLAN invalid inner ethernet frame",
 		                  (const char*) data, len);
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@ -78,7 +78,7 @@ void Packet::Weird(const char* name)
 	sessions->Weird(name, this);
 	}

-IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
+RecordValPtr Packet::ToRawPktHdrVal() const
 	{
 	static auto raw_pkt_hdr_type = id::find_type<RecordType>("raw_pkt_hdr");
 	static auto l2_hdr_type = id::find_type<RecordType>("l2_hdr");
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@ -116,23 +116,6 @@ public:
 		uint32_t len, const u_char *data, bool copy = false,
 		std::string tag = std::string(""));

-	/**
-	 * Returns true if parsing the layer 2 fields failed, including when
-	 * no data was passed into the constructor in the first place.
-	 */
-	bool Layer2Valid() const
-		{
-		return l2_valid;
-		}
-
-	/**
-	 * Signals that the processing of layer 2 failed.
-	 */
-	void InvalidateLayer2()
-		{
-		l2_valid = false;
-		}
-
 	/**
 	 * Interprets the Layer 3 of the packet as IP and returns a
 	 * corresponding object.
@ -169,46 +152,47 @@ public:
 	uint32_t cap_len;		/// Captured packet length
 	uint32_t link_type;		/// pcap link_type (DLT_EN10MB, DLT_RAW, etc)

+	// True if L2 processing succeeded. If data is set on initialization of
+	// the packet, L2 is assumed to be valid. The packet manager will then
+	// process the packet and set l2_valid to False if the analysis failed.
+	bool l2_valid;
+
 	// These are computed from Layer 2 data. These fields are only valid if
-	// Layer2Valid() returns true.
+	// l2_valid returns true.

 	/**
-	 * Layer 2 header size. Valid iff Layer2Valid() returns true.
+	 * Layer 2 header size. Valid iff l2_valid is true.
 	 */
 	uint32_t hdr_size;

 	/**
-	 * Layer 3 protocol identified (if any). Valid iff Layer2Valid()
-	 * returns true.
+	 * Layer 3 protocol identified (if any). Valid iff l2_valid is true.
 	 */
 	Layer3Proto l3_proto;

 	/**
 	 * If layer 2 is Ethernet, innermost ethertype field. Valid iff
-	 * Layer2Valid() returns true.
+	 * l2_valid is true.
 	 */
 	uint32_t eth_type;

 	/**
-	 * Layer 2 source address. Valid iff Layer2Valid() returns true.
+	 * Layer 2 source address. Valid iff l2_valid is true.
 	 */
 	const u_char* l2_src;

 	/**
-	 * Layer 2 destination address. Valid iff Layer2Valid() returns
-	 * true.
+	 * Layer 2 destination address. Valid iff l2_valid is true.
 	 */
 	const u_char* l2_dst;

 	/**
-	 * (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
-	 * returns true.
+	 * (Outermost) VLAN tag if any, else 0. Valid iff l2_valid is true.
 	 */
 	uint32_t vlan;

 	/**
-	 * (Innermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
-	 * returns true.
+	 * (Innermost) VLAN tag if any, else 0. Valid iff l2_valid is true.
 	 */
 	uint32_t inner_vlan;

@ -245,9 +229,6 @@ private:
 	// True if we need to delete associated packet memory upon
 	// destruction.
 	bool copy;
-
-	// True if L2 processing succeeded.
-	bool l2_valid;
 };

 } // namespace zeek
--- a/src/iosource/PktSrc.cc
+++ b/src/iosource/PktSrc.cc
@ -189,7 +189,7 @@ void PktSrc::Process()
 	if ( ! ExtractNextPacketInternal() )
 		return;

-	if ( current_packet.Layer2Valid() )
+	if ( current_packet.l2_valid )
 		{
 		if ( run_state::pseudo_realtime )
 			{
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@ -70,8 +70,8 @@ void Manager::ProcessPacket(Packet* packet)
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);
 #endif
 	// Start packet analysis
-	if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) )
-		packet->InvalidateLayer2();
+	packet->l2_valid = root_analyzer->ForwardPacket(packet->cap_len, packet->data,
+			packet, packet->link_type);
 	}

 AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
@ -18,7 +18,8 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 		return false;
 		}

-	//TODO: Handle different ARPHRD_types
+	// Note: We assume to see an Ethertype and don't consider different ARPHRD_types
+	// (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html)
 	auto hdr = (const SLLHeader*)data;

 	uint32_t protocol = ntohs(hdr->protocol_type);