From ef7e714afd616a55565264d899174b7c8519ea10 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Tue, 25 Apr 2023 11:09:25 +0200
Subject: [PATCH 1/3] Update AF-Packet submodule

* Mask VLAN ID from tp_vlan_tci field to fix vlan > 4095 reported by Zeek
  when PCP and/or DEI bits are set.
* Descriptive error message when interface is down. Instead of
  "Invalid argument", Zeek now reports "interface is down".
---
 NEWS                        | 4 ++++
 auxil/zeek-af_packet-plugin | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 4bc028a35b..cb2d946cae 100644
--- a/NEWS
+++ b/NEWS
@@ -277,6 +277,10 @@ Changed Functionality
 - The IRC base script now use ``file_sniff()`` instead of ``file_new()`` for
   DCC file transfers to capture ``fuid`` and inferred MIME type in irc.log.
 
+- The vlan field reported by the AF_PACKET packet source is now properly
+  masked to exclude PCP and DEI bits. Previously, these bits were included
+  and could cause invalid vlan values > 4095 to be reported.
+
 Removed Functionality
 ---------------------
 
diff --git a/auxil/zeek-af_packet-plugin b/auxil/zeek-af_packet-plugin
index 08935a1b93..225c47357d 160000
--- a/auxil/zeek-af_packet-plugin
+++ b/auxil/zeek-af_packet-plugin
@@ -1 +1 @@
-Subproject commit 08935a1b93a2d7710d748737e5e653934977a9cf
+Subproject commit 225c47357dabb8bdb280071343c0f58ad0ea1019

From aaf68a4e2c4e5afe0a6f84cf097e0acb8e27559f Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Tue, 25 Apr 2023 11:51:28 +0200
Subject: [PATCH 2/3] btest: Add af_packet to TestDirs

---
 testing/btest/btest.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 447715534d..d1714544dc 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -4,7 +4,7 @@
 build_dir = build
 
 [btest]
-TestDirs    = doc bifs language core scripts coverage signatures plugins broker spicy supervisor telemetry javascript
+TestDirs    = af_packet doc bifs language core scripts coverage signatures plugins broker spicy supervisor telemetry javascript
 TmpDir      = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs  = .svn CVS .tmp

From cc7e35b39ac0cd581efb3f8738c302f1e467aa8d Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Wed, 26 Apr 2023 15:36:48 +0200
Subject: [PATCH 3/3] Update AF-Packet submodule

Include Tim's cleanup and modernization fixes, too.
---
 auxil/zeek-af_packet-plugin | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-af_packet-plugin b/auxil/zeek-af_packet-plugin
index 225c47357d..acd8e365c6 160000
--- a/auxil/zeek-af_packet-plugin
+++ b/auxil/zeek-af_packet-plugin
@@ -1 +1 @@
-Subproject commit 225c47357dabb8bdb280071343c0f58ad0ea1019
+Subproject commit acd8e365c652ea6113b70fbbb1339d42e496819d