Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add explicit root analyzer for packet analysis.

Browse source
This commit is contained in:
Jan Grashoefer 2020-09-07 16:17:26 +02:00 committed by Tim Wojtulewicz
parent d51252bb3f
commit 8f951574d7
21 changed files with 106 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/init-bare.zeek
View file

@ -5350,7 +5350,7 @@ export {
## If it is not included, the identifier will attach to the "root" analyzer. The ## If it is not included, the identifier will attach to the "root" analyzer. The
## root analyzer uses the link layer identifier provided by the packet source to ## root analyzer uses the link layer identifier provided by the packet source to
## determine the protocol for the initial packet header. ## determine the protocol for the initial packet header.
parent : PacketAnalyzer::Tag &optional; parent : PacketAnalyzer::Tag;
## A numeric identifier, which can be found in the packet data, that denotes the ## A numeric identifier, which can be found in the packet data, that denotes the
## encapsulated protocol. This field is optional. If it is not included, the ## encapsulated protocol. This field is optional. If it is not included, the

2
scripts/base/packet-protocols/ethernet/main.zeek
View file

@ -12,7 +12,7 @@ export {
const DLT_EN10MB : count = 1; const DLT_EN10MB : count = 1;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),

2
scripts/base/packet-protocols/fddi/main.zeek
View file

@ -3,6 +3,6 @@ module PacketAnalyzer::FDDI;
const DLT_FDDI : count = 10; const DLT_FDDI : count = 10;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP)
}; };

2
scripts/base/packet-protocols/ieee802_11/main.zeek
View file

@ -3,7 +3,7 @@ module PacketAnalyzer::IEEE802_11;
const DLT_IEEE802_11 : count = 105; const DLT_IEEE802_11 : count = 105;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),

2
scripts/base/packet-protocols/ieee802_11_radio/main.zeek
View file

@ -4,6 +4,6 @@ const DLT_IEEE802_11_RADIO : count = 127;
const DLT_IEEE802_11 : count = 105; const DLT_IEEE802_11 : count = 105;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11)
}; };

2
scripts/base/packet-protocols/ip/main.zeek
View file

@ -1,7 +1,7 @@
module PacketAnalyzer::IP; module PacketAnalyzer::IP;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_IP), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $analyzer=PacketAnalyzer::ANALYZER_IP),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
}; };

2
scripts/base/packet-protocols/linux_sll/main.zeek
View file

@ -3,7 +3,7 @@ module PacketAnalyzer::LINUX_SLL;
const DLT_LINUX_SLL : count = 113; const DLT_LINUX_SLL : count = 113;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),

2
scripts/base/packet-protocols/nflog/main.zeek
View file

@ -5,7 +5,7 @@ const AF_INET : count = 2;
const AF_INET6 : count = 10; const AF_INET6 : count = 10;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
}; };

2
scripts/base/packet-protocols/null/main.zeek
View file

@ -5,7 +5,7 @@ const AF_INET : count = 2;
const AF_INET6 : count = 10; const AF_INET6 : count = 10;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in

2
scripts/base/packet-protocols/ppp_serial/main.zeek
View file

@ -3,7 +3,7 @@ module PacketAnalyzer::PPP_SERIAL;
const DLT_PPP_SERIAL : count = 50; const DLT_PPP_SERIAL : count = 50;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6)

10
src/packet_analysis/Analyzer.cc
View file

@ -2,6 +2,8 @@
#include "Analyzer.h" #include "Analyzer.h"
#include "DebugLogger.h"
namespace zeek::packet_analysis { namespace zeek::packet_analysis {
Analyzer::Analyzer(std::string name) Analyzer::Analyzer(std::string name)
@ -88,4 +90,12 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co
return true; return true;
} }
void Analyzer::DumpDebug() const
{
#ifdef DEBUG
DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName());
dispatcher.DumpDebug();
#endif
}
} }

5
src/packet_analysis/Analyzer.h
View file

@ -91,6 +91,11 @@ public:
virtual bool AnalyzePacket(size_t len, const uint8_t* data, virtual bool AnalyzePacket(size_t len, const uint8_t* data,
Packet* packet) = 0; Packet* packet) = 0;
/**
* Dumps out debug information to the \c analyzer debug stream.
*/
void DumpDebug() const;
protected: protected:
friend class Manager; friend class Manager;

25
src/packet_analysis/Manager.cc
View file

@ -36,7 +36,7 @@ void Manager::InitPostScript()
//TODO: Make that field a string for usability reasons //TODO: Make that field a string for usability reasons
//TODO: Check error handling when fields are omitted //TODO: Check error handling when fields are omitted
auto& parent_val = rv->GetField("parent"); auto& parent_val = rv->GetField("parent");
std::string parent_name = parent_val ? Lookup(parent_val->AsEnumVal())->Name() : "ROOT"; std::string parent_name = Lookup(parent_val->AsEnumVal())->Name();
auto& identifier_val = rv->GetField("identifier"); auto& identifier_val = rv->GetField("identifier");
auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal(); auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal();
auto analyzer_name = Lookup(analyzer_tag)->Name(); auto analyzer_name = Lookup(analyzer_tag)->Name();
@ -49,15 +49,6 @@ void Manager::InitPostScript()
} }
auto& analyzer = analyzer_it->second; auto& analyzer = analyzer_it->second;
if ( parent_name == "ROOT" )
{
if ( identifier_val )
root_dispatcher.Register(identifier_val->AsCount(), analyzer);
else
default_analyzer = analyzer;
continue;
}
auto parent_analyzer_it = analyzers.find(parent_name); auto parent_analyzer_it = analyzers.find(parent_name);
if ( parent_analyzer_it == analyzers.end() ) if ( parent_analyzer_it == analyzers.end() )
{ {
@ -75,6 +66,8 @@ void Manager::InitPostScript()
// Initialize all analyzers // Initialize all analyzers
for ( auto& [name, analyzer] : analyzers ) for ( auto& [name, analyzer] : analyzers )
analyzer->Initialize(); analyzer->Initialize();
root_analyzer = analyzers["Root"];
} }
void Manager::Done() void Manager::Done()
@ -91,7 +84,7 @@ void Manager::DumpDebug()
} }
DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:"); DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:");
root_dispatcher.DumpDebug(); root_analyzer->DumpDebug();
#endif #endif
} }
@ -120,15 +113,7 @@ void Manager::ProcessPacket(Packet* packet)
DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);
#endif #endif
// Start packet analysis // Start packet analysis
auto root_analyzer = root_dispatcher.Lookup(packet->link_type); if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) )
auto analyzer = root_analyzer ? root_analyzer : default_analyzer;
if ( !analyzer )
{
reporter->InternalWarning("No analyzer for link type %#x", packet->link_type);
return;
}
if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
packet->InvalidateLayer2(); packet->InvalidateLayer2();
} }

3
src/packet_analysis/Manager.h
View file

@ -90,8 +90,7 @@ private:
AnalyzerPtr InstantiateAnalyzer(const std::string& name); AnalyzerPtr InstantiateAnalyzer(const std::string& name);
std::map<std::string, AnalyzerPtr> analyzers; std::map<std::string, AnalyzerPtr> analyzers;
Dispatcher root_dispatcher; AnalyzerPtr root_analyzer = nullptr;
AnalyzerPtr default_analyzer = nullptr;
}; };
} }

1
src/packet_analysis/protocol/CMakeLists.txt
View file

@ -1,3 +1,4 @@
add_subdirectory(root)
add_subdirectory(skip) add_subdirectory(skip)
add_subdirectory(null) add_subdirectory(null)

2
src/packet_analysis/protocol/ip/Plugin.cc
View file

@ -4,7 +4,7 @@
#include "plugin/Plugin.h" #include "plugin/Plugin.h"
#include "packet_analysis/Component.h" #include "packet_analysis/Component.h"
namespace zeek::plugin::Zeek_Default { namespace zeek::plugin::Zeek_IP {
class Plugin : public zeek::plugin::Plugin { class Plugin : public zeek::plugin::Plugin {
public: public:

8
src/packet_analysis/protocol/root/CMakeLists.txt Normal file
View file

@ -0,0 +1,8 @@
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
zeek_plugin_begin(PacketAnalyzer Root)
zeek_plugin_cc(Root.cc Plugin.cc)
zeek_plugin_end()

24
src/packet_analysis/protocol/root/Plugin.cc Normal file
View file

@ -0,0 +1,24 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "Root.h"
#include "plugin/Plugin.h"
#include "packet_analysis/Component.h"
namespace zeek::plugin::Zeek_Root {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Root",
zeek::packet_analysis::Root::RootAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Root";
config.description = "Root packet analyzer";
return config;
}
} plugin;
}

16
src/packet_analysis/protocol/root/Root.cc Normal file
View file

@ -0,0 +1,16 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "Root.h"
#include "NetVar.h"
using namespace zeek::packet_analysis::Root;
RootAnalyzer::RootAnalyzer()
: zeek::packet_analysis::Analyzer("Root")
{
}
bool RootAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
reporter->InternalError("AnalysisPacket() was called for the root analyzer.");
}

23
src/packet_analysis/protocol/root/Root.h Normal file
View file

@ -0,0 +1,23 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include <packet_analysis/Analyzer.h>
#include <packet_analysis/Component.h>
namespace zeek::packet_analysis::Root {
class RootAnalyzer : public Analyzer {
public:
RootAnalyzer();
~RootAnalyzer() override = default;
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{
return std::make_shared<RootAnalyzer>();
}
};
}

2
testing/btest/core/skip_analyzer.zeek
View file

@ -8,7 +8,7 @@
@load base/frameworks/tunnels @load base/frameworks/tunnels
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
}; };
redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38; redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38;