Add explicit root analyzer for packet analysis.

src/packet_analysis/Analyzer.cc

@@ -2,6 +2,8 @@
 
 #include "Analyzer.h"
 
+#include "DebugLogger.h"
+
 namespace zeek::packet_analysis {
 
 Analyzer::Analyzer(std::string name)
@@ -88,4 +90,12 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co
 	return true;
 	}
 
-}
+void Analyzer::DumpDebug() const
+	{
+#ifdef DEBUG
+	DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName());
+	dispatcher.DumpDebug();
+#endif
+	}
+
+}

src/packet_analysis/Analyzer.h

@@ -91,6 +91,11 @@ public:
 	virtual bool AnalyzePacket(size_t len, const uint8_t* data,
 			Packet* packet) = 0;
 
+	/**
+	 * Dumps out debug information to the \c analyzer debug stream.
+	 */
+	void DumpDebug() const;
+
 protected:
 	friend class Manager;
 

src/packet_analysis/Manager.cc

@@ -36,7 +36,7 @@ void Manager::InitPostScript()
 		//TODO: Make that field a string for usability reasons
 		//TODO: Check error handling when fields are omitted
 		auto& parent_val = rv->GetField("parent");
-		std::string parent_name = parent_val ? Lookup(parent_val->AsEnumVal())->Name() : "ROOT";
+		std::string parent_name = Lookup(parent_val->AsEnumVal())->Name();
 		auto& identifier_val = rv->GetField("identifier");
 		auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal();
 		auto analyzer_name = Lookup(analyzer_tag)->Name();
@@ -49,15 +49,6 @@ void Manager::InitPostScript()
 			}
 		auto& analyzer = analyzer_it->second;
 
-		if ( parent_name == "ROOT" )
-			{
-			if ( identifier_val )
-				root_dispatcher.Register(identifier_val->AsCount(), analyzer);
-			else
-				default_analyzer = analyzer;
-			continue;
-			}
-
 		auto parent_analyzer_it = analyzers.find(parent_name);
 		if ( parent_analyzer_it == analyzers.end() )
 			{
@@ -75,6 +66,8 @@ void Manager::InitPostScript()
 	// Initialize all analyzers
 	for ( auto& [name, analyzer] : analyzers )
 		analyzer->Initialize();
+
+	root_analyzer = analyzers["Root"];
 	}
 
 void Manager::Done()
@@ -91,7 +84,7 @@ void Manager::DumpDebug()
 		}
 
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:");
-	root_dispatcher.DumpDebug();
+	root_analyzer->DumpDebug();
 #endif
 	}
 
@@ -120,15 +113,7 @@ void Manager::ProcessPacket(Packet* packet)
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);
 #endif
 	// Start packet analysis
-	auto root_analyzer = root_dispatcher.Lookup(packet->link_type);
-	auto analyzer = root_analyzer ? root_analyzer : default_analyzer;
-	if ( !analyzer )
-		{
-		reporter->InternalWarning("No analyzer for link type %#x", packet->link_type);
-		return;
-		}
-
-	if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
+	if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) )
 		packet->InvalidateLayer2();
 	}
 

src/packet_analysis/Manager.h

@@ -90,8 +90,7 @@ private:
 	AnalyzerPtr InstantiateAnalyzer(const std::string& name);
 
 	std::map<std::string, AnalyzerPtr> analyzers;
-	Dispatcher root_dispatcher;
-	AnalyzerPtr default_analyzer = nullptr;
+	AnalyzerPtr root_analyzer = nullptr;
 };
 
 }

src/packet_analysis/protocol/CMakeLists.txt

@@ -1,3 +1,4 @@
+add_subdirectory(root)
 add_subdirectory(skip)
 
 add_subdirectory(null)

src/packet_analysis/protocol/ip/Plugin.cc

@@ -4,7 +4,7 @@
 #include "plugin/Plugin.h"
 #include "packet_analysis/Component.h"
 
-namespace zeek::plugin::Zeek_Default {
+namespace zeek::plugin::Zeek_IP {
 
 class Plugin : public zeek::plugin::Plugin {
 public:

src/packet_analysis/protocol/root/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer Root)
+zeek_plugin_cc(Root.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/root/Plugin.cc

@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Root.h"
+#include "plugin/Plugin.h"
+#include "packet_analysis/Component.h"
+
+namespace zeek::plugin::Zeek_Root {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component("Root",
+		                 zeek::packet_analysis::Root::RootAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::Root";
+		config.description = "Root packet analyzer";
+		return config;
+		}
+
+} plugin;
+
+}

src/packet_analysis/protocol/root/Root.cc

@@ -0,0 +1,16 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Root.h"
+#include "NetVar.h"
+
+using namespace zeek::packet_analysis::Root;
+
+RootAnalyzer::RootAnalyzer()
+	: zeek::packet_analysis::Analyzer("Root")
+	{
+	}
+
+bool RootAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	reporter->InternalError("AnalysisPacket() was called for the root analyzer.");
+	}

src/packet_analysis/protocol/root/Root.h

@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <packet_analysis/Analyzer.h>
+#include <packet_analysis/Component.h>
+
+namespace zeek::packet_analysis::Root {
+
+class RootAnalyzer : public Analyzer {
+public:
+	RootAnalyzer();
+	~RootAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<RootAnalyzer>();
+		}
+};
+
+}