From 368dec837206ddf893a5d6599481328641816295 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 6 Dec 2021 12:24:42 -0700
Subject: [PATCH] GH-1764: Update mappings for Geneve analyzer to IP4/IP6/ARP

---
 scripts/base/packet-protocols/geneve/main.zeek | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/base/packet-protocols/geneve/main.zeek b/scripts/base/packet-protocols/geneve/main.zeek
index 1131deac1d..d70055925b 100644
--- a/scripts/base/packet-protocols/geneve/main.zeek
+++ b/scripts/base/packet-protocols/geneve/main.zeek
@@ -19,4 +19,9 @@ event zeek_init() &priority=20
 	# https://datatracker.ietf.org/doc/html/draft-gross-geneve-00#section-3.4
 	# for details.
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x6558, PacketAnalyzer::ANALYZER_ETHERNET);
+
+	# Some additional mappings for protocols that we already handle natively.
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x08DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0808, PacketAnalyzer::ANALYZER_ARP);
 	}