diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 3efb1180da..b408586873 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5350,7 +5350,7 @@ export {
 ## If it is not included, the identifier will attach to the "root" analyzer. The
 ## root analyzer uses the link layer identifier provided by the packet source to
 ## determine the protocol for the initial packet header.
- parent : PacketAnalyzer::Tag &optional;
+ parent : PacketAnalyzer::Tag;
 ## A numeric identifier, which can be found in the packet data, that denotes the
 ## encapsulated protocol. This field is optional. If it is not included, the
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index 9c8e3631cf..170e4a7d6e 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@@ -12,7 +12,7 @@ export {
 const DLT_EN10MB : count = 1;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek
index 229846dab6..10d885ee84 100644
--- a/scripts/base/packet-protocols/fddi/main.zeek
+++ b/scripts/base/packet-protocols/fddi/main.zeek
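Review bot: The doc comment kept as context directly above the changed field still describes `parent` as a field that may be left out ("If it is not included, the identifier will attach to the "root" analyzer"), but the hunk removes `&optional`, so that sentence now contradicts the declaration and will mislead script authors reading the generated docs. Suggest rewording the comment to state that the parent is required and that top-level entries name the root analyzer explicitly, e.g. `## The parent analyzer; entries for link-layer protocols use PacketAnalyzer::ANALYZER_ROOT, whose dispatch uses the link layer identifier provided by the packet source.` The enclosing record type begins outside the hunk.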
@@ -3,6 +3,6 @@ module PacketAnalyzer::FDDI;
 const DLT_FDDI : count = 10;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP)
 };
diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek
index 21123cd719..292e26b34b 100644
--- a/scripts/base/packet-protocols/ieee802_11/main.zeek
+++ b/scripts/base/packet-protocols/ieee802_11/main.zeek
@@ -3,7 +3,7 @@ module PacketAnalyzer::IEEE802_11;
 const DLT_IEEE802_11 : count = 105;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
diff --git a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek
index 8c369d0183..13c0cbe618 100644
--- a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek
+++ b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek
@@ -4,6 +4,6 @@ const DLT_IEEE802_11_RADIO : count = 127;
 const DLT_IEEE802_11 : count = 105;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11)
 };
diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek
index 4c9d2c2740..6731bddb29 100644
--- a/scripts/base/packet-protocols/ip/main.zeek
+++ b/scripts/base/packet-protocols/ip/main.zeek
@@ -1,7 +1,7 @@
 module PacketAnalyzer::IP;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $analyzer=PacketAnalyzer::ANALYZER_IP),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
 };
diff --git a/scripts/base/packet-protocols/linux_sll/main.zeek b/scripts/base/packet-protocols/linux_sll/main.zeek
index d5c9708556..ce693f6625 100644
--- a/scripts/base/packet-protocols/linux_sll/main.zeek
+++ b/scripts/base/packet-protocols/linux_sll/main.zeek
@@ -3,7 +3,7 @@ module PacketAnalyzer::LINUX_SLL;
 const DLT_LINUX_SLL : count = 113;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
diff --git a/scripts/base/packet-protocols/nflog/main.zeek b/scripts/base/packet-protocols/nflog/main.zeek
index 50edf4b514..d5da9f47c8 100644
--- a/scripts/base/packet-protocols/nflog/main.zeek
+++ b/scripts/base/packet-protocols/nflog/main.zeek
@@ -5,7 +5,7 @@ const AF_INET : count = 2;
 const AF_INET6 : count = 10;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
 };
diff --git a/scripts/base/packet-protocols/null/main.zeek b/scripts/base/packet-protocols/null/main.zeek
index 9ad54c9b74..35a4258f04 100644
--- a/scripts/base/packet-protocols/null/main.zeek
+++ b/scripts/base/packet-protocols/null/main.zeek
@@ -5,7 +5,7 @@ const AF_INET : count = 2;
 const AF_INET6 : count = 10;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in
diff --git a/scripts/base/packet-protocols/ppp_serial/main.zeek b/scripts/base/packet-protocols/ppp_serial/main.zeek
index 839e19c1d4..75d97706fe 100644
--- a/scripts/base/packet-protocols/ppp_serial/main.zeek
+++ b/scripts/base/packet-protocols/ppp_serial/main.zeek
@@ -3,7 +3,7 @@ module PacketAnalyzer::PPP_SERIAL;
 const DLT_PPP_SERIAL : count = 50;
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc
index 5dcb9a900e..bec54918eb 100644
--- a/src/packet_analysis/Analyzer.cc
+++ b/src/packet_analysis/Analyzer.cc
@@ -2,6 +2,8 @@
 #include "Analyzer.h"
+#include "DebugLogger.h"
+
 namespace zeek::packet_analysis {
 Analyzer::Analyzer(std::string name)
@@ -88,4 +90,12 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co
 return true;
 }
-}
\ No newline at end of file
+void Analyzer::DumpDebug() const
+ {
+#ifdef DEBUG
+ DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName());
+ dispatcher.DumpDebug();
+#endif
+ }
+
+}
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 8faaeab169..e2ae7e76f4 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -91,6 +91,11 @@ public:
 virtual bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) = 0;
+ /**
+ * Dumps out debug information to the \c analyzer debug stream.
+ */
+ void DumpDebug() const;
+
 protected:
 friend class Manager;
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 0d71632574..5a7251d8ad 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -36,7 +36,7 @@ void Manager::InitPostScript()
 //TODO: Make that field a string for usability reasons
 //TODO: Check error handling when fields are omitted
 auto& parent_val = rv->GetField("parent");
- std::string parent_name = parent_val ? Lookup(parent_val->AsEnumVal())->Name() : "ROOT";
+ std::string parent_name = Lookup(parent_val->AsEnumVal())->Name();
 auto& identifier_val = rv->GetField("identifier");
 auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal();
 auto analyzer_name = Lookup(analyzer_tag)->Name();
@@ -49,15 +49,6 @@ void Manager::InitPostScript()
 }
 auto& analyzer = analyzer_it->second;
- if ( parent_name == "ROOT" )
- {
- if ( identifier_val )
- root_dispatcher.Register(identifier_val->AsCount(), analyzer);
- else
- default_analyzer = analyzer;
- continue;
- }
-
 auto parent_analyzer_it = analyzers.find(parent_name);
 if ( parent_analyzer_it == analyzers.end() )
 {
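Review bot: `DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName())` feeds the result of GetAnalyzerName() to a `%s` conversion; the declaration of that accessor is not on the page, and if it returns `std::string` rather than `const char*` this is undefined behaviour and needs `this->GetAnalyzerName().c_str()`. The Doxygen comment added in the Analyzer.h hunk says the output goes to "the \c analyzer debug stream", while the call targets `DBG_PACKET_ANALYSIS`; suggest naming the stream the macro actually selects, e.g. `Dumps out debug information to the packet-analysis debug stream (DBG_PACKET_ANALYSIS); a no-op in non-DEBUG builds.` Documenting the non-DEBUG no-op is worthwhile because the function is public and looks unconditional from the header.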
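Review bot: The removed `parent_name == "ROOT"` branch in the second Manager.cc hunk is the only place on this page that handled a root-level entry with no `$identifier` (it became `default_analyzer`); after this change such entries, like the `ANALYZER_IP` entry in ip/main.zeek that now carries `$parent=PacketAnalyzer::ANALYZER_ROOT` without an identifier, go through the generic parent lookup whose continuation is outside the hunk. Please confirm that path registers an identifier-less child as the parent's fallback rather than skipping it or dereferencing a null `identifier_val`, since the `//TODO: Check error handling when fields are omitted` comment kept as context in the first hunk suggests that case was never verified. A one-line comment at the lookup, e.g. `// Root-level entries are ordinary children of the "Root" analyzer; a missing $identifier selects the parent's default.`, would make the intended contract explicit. InitPostScript() begins and ends outside these hunks.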
@@ -75,6 +66,8 @@ void Manager::InitPostScript()
 // Initialize all analyzers
 for ( auto& [name, analyzer] : analyzers )
 analyzer->Initialize();
+
+ root_analyzer = analyzers["Root"];
 }
 void Manager::Done()
@@ -91,7 +84,7 @@ void Manager::DumpDebug()
 }
 DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:");
- root_dispatcher.DumpDebug();
+ root_analyzer->DumpDebug();
 #endif
 }
@@ -120,15 +113,7 @@ void Manager::ProcessPacket(Packet* packet)
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);
 #endif
 // Start packet analysis
- auto root_analyzer = root_dispatcher.Lookup(packet->link_type);
- auto analyzer = root_analyzer ? root_analyzer : default_analyzer;
- if ( !analyzer )
- {
- reporter->InternalWarning("No analyzer for link type %#x", packet->link_type);
- return;
- }
-
- if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
+ if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) )
 packet->InvalidateLayer2();
 }
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index f13feaa590..7030c8fc05 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -90,8 +90,7 @@ private:
 AnalyzerPtr InstantiateAnalyzer(const std::string& name);
 std::map analyzers;
- Dispatcher root_dispatcher;
- AnalyzerPtr default_analyzer = nullptr;
+ AnalyzerPtr root_analyzer = nullptr;
 };
 }
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index c7228c2123..10103d7dca 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -1,3 +1,4 @@
+add_subdirectory(root)
 add_subdirectory(skip)
 add_subdirectory(null)
diff --git a/src/packet_analysis/protocol/ip/Plugin.cc b/src/packet_analysis/protocol/ip/Plugin.cc
index 5645220677..c24a880c60 100644
--- a/src/packet_analysis/protocol/ip/Plugin.cc
+++ b/src/packet_analysis/protocol/ip/Plugin.cc
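Review bot: `root_analyzer = analyzers["Root"];` uses `std::map::operator[]`, which silently default-inserts a null `AnalyzerPtr` when no analyzer named "Root" was instantiated (for example when the new Root plugin is not built in or its component name changes), and the two later hunks in this file then dereference `root_analyzer` unchecked in `DumpDebug()` and on every packet in `ProcessPacket()`, where the removed `"No analyzer for link type"` guard used to catch the null case. Suggest failing loudly at startup instead: `auto root_it = analyzers.find("Root");` / `if ( root_it == analyzers.end() ) reporter->InternalError("Root packet analyzer not available");` / `root_analyzer = root_it->second;`. Whether an unregistered link type is still reported anywhere now depends on `ForwardPacket`, which is outside this hunk; if it only returns false, the old InternalWarning has been lost and a pcap with an unexpected DLT will be dropped silently except for the Layer2 invalidation. InitPostScript() begins outside the hunk.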
@@ -4,7 +4,7 @@
 #include "plugin/Plugin.h"
 #include "packet_analysis/Component.h"
-namespace zeek::plugin::Zeek_Default {
+namespace zeek::plugin::Zeek_IP {
 class Plugin : public zeek::plugin::Plugin {
 public:
diff --git a/src/packet_analysis/protocol/root/CMakeLists.txt b/src/packet_analysis/protocol/root/CMakeLists.txt
new file mode 100644
index 0000000000..3ea75189f3
--- /dev/null
+++ b/src/packet_analysis/protocol/root/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer Root)
+zeek_plugin_cc(Root.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/root/Plugin.cc b/src/packet_analysis/protocol/root/Plugin.cc
new file mode 100644
index 0000000000..1d3432b627
--- /dev/null
+++ b/src/packet_analysis/protocol/root/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Root.h"
+#include "plugin/Plugin.h"
+#include "packet_analysis/Component.h"
+
+namespace zeek::plugin::Zeek_Root {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component("Root",
+ zeek::packet_analysis::Root::RootAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::Root";
+ config.description = "Root packet analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/packet_analysis/protocol/root/Root.cc b/src/packet_analysis/protocol/root/Root.cc
new file mode 100644
index 0000000000..aae58e8054
--- /dev/null
+++ b/src/packet_analysis/protocol/root/Root.cc
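Review bot: `zeek::plugin::Configuration Configure()` in the new root Plugin.cc presumably overrides a virtual in `zeek::plugin::Plugin` (the base is not on the page); if so it should be spelled `zeek::plugin::Configuration Configure() override` so that any future signature drift in the base fails at compile time instead of silently declaring an unrelated member that never runs, which would leave the "Root" component unregistered and the Manager's lookup of it empty. The same `override` check applies to the renamed ip/Plugin.cc, whose Configure() is outside its hunk.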
@@ -0,0 +1,16 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Root.h"
+#include "NetVar.h"
+
+using namespace zeek::packet_analysis::Root;
+
+RootAnalyzer::RootAnalyzer()
+ : zeek::packet_analysis::Analyzer("Root")
+ {
+ }
+
+bool RootAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+ {
+ reporter->InternalError("AnalysisPacket() was called for the root analyzer.");
+ }
\ No newline at end of file
diff --git a/src/packet_analysis/protocol/root/Root.h b/src/packet_analysis/protocol/root/Root.h
new file mode 100644
index 0000000000..fc1543bbb8
--- /dev/null
+++ b/src/packet_analysis/protocol/root/Root.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::packet_analysis::Root {
+
+class RootAnalyzer : public Analyzer {
+public:
+ RootAnalyzer();
+ ~RootAnalyzer() override = default;
+
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+ static zeek::packet_analysis::AnalyzerPtr Instantiate()
+ {
+ return std::make_shared();
+ }
+};
+
+}
diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek
index 70018e6aeb..ed0b6d587f 100644
--- a/testing/btest/core/skip_analyzer.zeek
+++ b/testing/btest/core/skip_analyzer.zeek
@@ -8,7 +8,7 @@
 @load base/frameworks/tunnels
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
 };
 redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38;
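Review bot: `RootAnalyzer::AnalyzePacket` is declared to return `bool` but its body has no return statement; unless `reporter->InternalError` is declared `[[noreturn]]` (its declaration is not on the page), control falls off the end of a non-void function, which is undefined behaviour and a compiler warning, so a caller that reaches it would continue on garbage. The message also names `AnalysisPacket()` while the method is `AnalyzePacket()`, which will send whoever greps the log to the wrong symbol, and the file is committed without a trailing newline. Suggest `reporter->InternalError("AnalyzePacket() was called for the root analyzer.");` followed by `return false;` (unreachable if InternalError aborts, but keeps the function well-formed), and leaving `len`, `data` and `packet` unnamed or `[[maybe_unused]]` since the body never touches them. A one-line comment such as `// The root analyzer only dispatches via ForwardPacket(); it must never be asked to analyze bytes itself.` would explain why an internal error is the intended behaviour here.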