From 96d0e11bb8867e5c20da64d0aaa1a421ef1d9949 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Fri, 17 Jul 2020 18:25:22 +0200 Subject: [PATCH] Move cur_pos from packet into packet manager loop. --- src/iosource/Packet.cc | 5 --- src/iosource/Packet.h | 5 +-- src/packet_analysis/Analyzer.h | 11 ++--- src/packet_analysis/Manager.cc | 18 ++++---- src/packet_analysis/Manager.h | 4 +- src/packet_analysis/protocol/arp/ARP.cc | 2 +- src/packet_analysis/protocol/arp/ARP.h | 2 +- .../protocol/default/Default.cc | 8 ++-- .../protocol/default/Default.h | 2 +- .../protocol/ethernet/Ethernet.cc | 25 +++++------ .../protocol/ethernet/Ethernet.h | 2 +- src/packet_analysis/protocol/fddi/FDDI.cc | 7 ++- src/packet_analysis/protocol/fddi/FDDI.h | 2 +- .../protocol/ieee802_11/IEEE802_11.cc | 45 +++++++++---------- .../protocol/ieee802_11/IEEE802_11.h | 2 +- .../ieee802_11_radio/IEEE802_11_Radio.cc | 11 +++-- .../ieee802_11_radio/IEEE802_11_Radio.h | 2 +- src/packet_analysis/protocol/ipv4/IPv4.cc | 2 +- src/packet_analysis/protocol/ipv4/IPv4.h | 2 +- src/packet_analysis/protocol/ipv6/IPv6.cc | 2 +- src/packet_analysis/protocol/ipv6/IPv6.h | 2 +- .../protocol/linux_sll/LinuxSLL.cc | 10 ++--- .../protocol/linux_sll/LinuxSLL.h | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 15 +++---- src/packet_analysis/protocol/mpls/MPLS.h | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 19 ++++---- src/packet_analysis/protocol/nflog/NFLog.h | 2 +- src/packet_analysis/protocol/null/Null.cc | 10 ++--- src/packet_analysis/protocol/null/Null.h | 2 +- .../protocol/ppp_serial/PPPSerial.cc | 8 ++-- .../protocol/ppp_serial/PPPSerial.h | 2 +- src/packet_analysis/protocol/pppoe/PPPoE.cc | 10 ++--- src/packet_analysis/protocol/pppoe/PPPoE.h | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 12 +++-- src/packet_analysis/protocol/vlan/VLAN.h | 2 +- .../protocol/wrapper/Wrapper.cc | 43 +++++++++--------- .../protocol/wrapper/Wrapper.h | 2 +- .../plugins/packet-protocol-plugin/src/Bar.cc | 11 +++-- .../plugins/packet-protocol-plugin/src/Bar.h | 2 +- 39 files changed, 148 insertions(+), 169 deletions(-) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index e2c9ca01b6..15617ee7f2 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -59,17 +59,12 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, l3_proto = L3_UNKNOWN; l3_checksummed = false; - // For packet analyzer: cur_pos points to the next payload. - cur_pos = data; - if ( data ) { // From here we assume that layer 2 is valid. If a packet analyzer encounters // an issue, it will call Packet::Weird(), which sets l2_valid to false. l2_valid = true; packet_mgr->ProcessPacket(this); - // Calculate header size after processing lower layers. - hdr_size = cur_pos - data; } } diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 648db8270a..d99979010d 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -159,8 +159,8 @@ public: /** * Empty layer 2 address to be used as default value. For example, the - * LinuxSLL llanalyzer doesn't have a destination address in the header - * and thus sets it to this default address. + * LinuxSLL packet analyzer doesn't have a destination address in the + * header and thus sets it to this default address. */ static constexpr const u_char L2_EMPTY_ADDR[L2_ADDR_LEN] = { 0 }; @@ -172,7 +172,6 @@ public: uint32_t len; /// Actual length on wire uint32_t cap_len; /// Captured packet length uint32_t link_type; /// pcap link_type (DLT_EN10MB, DLT_RAW, etc) - const uint8_t* cur_pos; /// Pointer to the current start of unanalyzed payload data in the raw packet, used by llanalyzers // These are computed from Layer 2 data. These fields are only valid if // Layer2Valid() returns true. diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index fd1321bfbb..e6b974aefc 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -63,18 +63,19 @@ public: bool IsAnalyzer(const char* name); /** - * Analyzes the given packet. The analysis is supposed to start at cur_pos - * of the packet, which points to the so far unanalyzed part of the packet. - * If the analyzed protocol encapsulates another protocol, the packet's - * cur_pos should be updated to point to that payload. + * Analyzes the given packet. The data reference points to the part of the + * raw packet to be analyzed. If the analyzed protocol encapsulates another + * protocol, the data reference should be updated to point to that payload. * * @param packet The packet to analyze. * + * @param data Reference to the payload pointer into the raw packet. + * * @return A tuple of analysis result and identifier. The result indicates * how to proceed. If analysis can continue, the identifier determines the * encapsulated protocol. */ - virtual AnalysisResultTuple Analyze(Packet* packet) = 0; + virtual AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) = 0; protected: friend class Manager; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 1e3a405ee8..a535b93b8d 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -150,6 +150,7 @@ void Manager::ProcessPacket(Packet* packet) // Dispatch and analyze layers AnalyzerResult result = AnalyzerResult::Continue; uint32_t next_layer_id = packet->link_type; + const uint8_t* data = packet->data; do { auto current_analyzer = Dispatch(next_layer_id); @@ -163,7 +164,7 @@ void Manager::ProcessPacket(Packet* packet) } // Analyze this layer and get identifier of next layer protocol - std::tie(result, next_layer_id) = current_analyzer->Analyze(packet); + std::tie(result, next_layer_id) = current_analyzer->Analyze(packet, data); #ifdef DEBUG switch ( result ) @@ -183,28 +184,29 @@ void Manager::ProcessPacket(Packet* packet) } while ( result == AnalyzerResult::Continue ); if ( result == AnalyzerResult::Terminate ) - CustomEncapsulationSkip(packet); + CustomEncapsulationSkip(packet, data); // Processing finished, reset analyzer set state for next packet current_state = root_dispatcher; + + // Calculate header size after processing packet layers. + packet->hdr_size = data - packet->data; } -void Manager::CustomEncapsulationSkip(Packet* packet) +void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data) { if ( zeek::detail::encap_hdr_size > 0 ) { - auto pdata = packet->cur_pos; - // Blanket encapsulation. We assume that what remains is IP. - if ( pdata + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() ) + if ( data + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() ) { packet->Weird("no_ip_left_after_encap"); return; } - pdata += zeek::detail::encap_hdr_size; + data += zeek::detail::encap_hdr_size; - auto ip = (const struct ip*)pdata; + auto ip = (const struct ip*)data; switch ( ip->ip_v ) { diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index cffc9cc0ce..f576952228 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -94,8 +94,10 @@ private: * It is assumed that an IP header follows. * * @param packet The packet to adapt. + * + * @param data Pointer to remaining payload. */ - void CustomEncapsulationSkip(Packet* packet); + void CustomEncapsulationSkip(Packet* packet, const uint8_t* data); AnalyzerPtr Dispatch(uint32_t identifier); diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index bcc860deb5..eec4f72860 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -9,7 +9,7 @@ ARPAnalyzer::ARPAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index 89c8f55db0..9bd1c8a009 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -12,7 +12,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc index 56f49df949..6d53fd3669 100644 --- a/src/packet_analysis/protocol/default/Default.cc +++ b/src/packet_analysis/protocol/default/Default.cc @@ -10,18 +10,16 @@ DefaultAnalyzer::DefaultAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - // Assume we're pointing at IP. Just figure out which version. - if ( pdata + sizeof(struct ip) >= packet->GetEndOfData() ) + if ( data + sizeof(struct ip) >= packet->GetEndOfData() ) { packet->Weird("packet_analyzer_truncated_header"); return { AnalyzerResult::Failed, 0 }; } - auto ip = (const struct ip *)pdata; + auto ip = (const struct ip *)data; uint32_t protocol = ip->ip_v; return { AnalyzerResult::Continue, protocol }; diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h index 86eb7e1445..43a8d48f89 100644 --- a/src/packet_analysis/protocol/default/Default.h +++ b/src/packet_analysis/protocol/default/Default.h @@ -12,7 +12,7 @@ public: DefaultAnalyzer(); ~DefaultAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 9633596d84..198d2912ee 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -10,51 +10,50 @@ EthernetAnalyzer::EthernetAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Make sure that we actually got an entire ethernet header before trying // to pull bytes out of it. - if ( pdata + 16 >= end_of_data ) + if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); return { AnalyzerResult::Failed, 0 }; } // Skip past Cisco FabricPath to encapsulated ethernet frame. - if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) + if ( data[12] == 0x89 && data[13] == 0x03 ) { auto constexpr cfplen = 16; - if ( pdata + cfplen + 14 >= end_of_data ) + if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); return { AnalyzerResult::Failed, 0 }; } - pdata += cfplen; + data += cfplen; } // Get protocol being carried from the ethernet frame. - uint32_t protocol = (pdata[12] << 8) + pdata[13]; + uint32_t protocol = (data[12] << 8) + data[13]; packet->eth_type = protocol; - packet->l2_dst = pdata; - packet->l2_src = pdata + 6; + packet->l2_dst = data; + packet->l2_src = data + 6; // Ethernet II frames if ( protocol >= 1536 ) { - pdata += 14; + data += 14; return { AnalyzerResult::Continue, protocol }; } // Other ethernet frame types if ( protocol <= 1500 ) { - if ( pdata + 16 >= end_of_data ) + if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); return { AnalyzerResult::Failed, 0 }; @@ -65,11 +64,11 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac // Note that pdata remains at the start of the ethernet frame. // IEEE 802.2 SNAP - if ( pdata[14] == 0xAA && pdata[15] == 0xAA) + if ( data[14] == 0xAA && data[15] == 0xAA) return { AnalyzerResult::Continue, 1502 }; // Novell raw IEEE 802.3 - if ( pdata[14] == 0xFF && pdata[15] == 0xFF) + if ( data[14] == 0xFF && data[15] == 0xFF) return { AnalyzerResult::Continue, 1503 }; diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index aa4707df1b..d6779ede58 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -12,7 +12,7 @@ public: EthernetAnalyzer(); ~EthernetAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 763e25c1e0..8cf503f85a 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -10,18 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto hdr_size = 13 + 8; // FDDI header + LLC - if ( pdata + hdr_size >= packet->GetEndOfData() ) + if ( data + hdr_size >= packet->GetEndOfData() ) { packet->Weird("FDDI_analyzer_failed"); return { AnalyzerResult::Failed, 0 }; } // We just skip the header and hope for default analysis - pdata += hdr_size; + data += hdr_size; return { AnalyzerResult::Continue, -1 }; } diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index 4e092eccb4..adb87d8dd7 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index ee4b090efc..a0e6eb999f 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -10,20 +10,19 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); u_char len_80211 = 24; // minimal length of data frames - if ( pdata + len_80211 >= end_of_data ) + if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; } - u_char fc_80211 = pdata[0]; // Frame Control field + u_char fc_80211 = data[0]; // Frame Control field // Skip non-data frame types (management & control). if ( ! ((fc_80211 >> 2) & 0x02) ) @@ -35,7 +34,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // 'To DS' and 'From DS' flags set indicate use of the 4th // address field. - if ( (pdata[1] & 0x03) == 0x03 ) + if ( (data[1] & 0x03) == 0x03 ) len_80211 += packet->L2_ADDR_LEN; // Look for the QoS indicator bit. @@ -43,13 +42,13 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p { // Skip in case of A-MSDU subframes indicated by QoS // control field. - if ( pdata[len_80211] & 0x80 ) + if ( data[len_80211] & 0x80 ) return { AnalyzerResult::Failed, 0 }; len_80211 += 2; } - if ( pdata + len_80211 >= end_of_data ) + if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; @@ -57,33 +56,33 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // Determine link-layer addresses based // on 'To DS' and 'From DS' flags - switch ( pdata[1] & 0x03 ) + switch ( data[1] & 0x03 ) { case 0x00: - packet->l2_src = pdata + 10; - packet->l2_dst = pdata + 4; + packet->l2_src = data + 10; + packet->l2_dst = data + 4; break; case 0x01: - packet->l2_src = pdata + 10; - packet->l2_dst = pdata + 16; + packet->l2_src = data + 10; + packet->l2_dst = data + 16; break; case 0x02: - packet->l2_src = pdata + 16; - packet->l2_dst = pdata + 4; + packet->l2_src = data + 16; + packet->l2_dst = data + 4; break; case 0x03: - packet->l2_src = pdata + 24; - packet->l2_dst = pdata + 16; + packet->l2_src = data + 24; + packet->l2_dst = data + 16; break; } // skip 802.11 data header - pdata += len_80211; + data += len_80211; - if ( pdata + 8 >= end_of_data ) + if ( data + 8 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; @@ -93,10 +92,10 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // field indicates that this is an unnumbered frame. // The organization code (24bits) needs to also be zero to // indicate that this is encapsulated ethernet. - if ( pdata[0] == 0xAA && pdata[1] == 0xAA && pdata[2] == 0x03 && - pdata[3] == 0 && pdata[4] == 0 && pdata[5] == 0 ) + if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && + data[3] == 0 && data[4] == 0 && data[5] == 0 ) { - pdata += 6; + data += 6; } else { @@ -106,8 +105,8 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p return { AnalyzerResult::Failed, 0 }; } - uint32_t protocol = (pdata[0] << 8) + pdata[1]; - pdata += 2; + uint32_t protocol = (data[0] << 8) + data[1]; + data += 2; return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index 03b706d9ae..beccbd59d9 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -12,7 +12,7 @@ public: IEEE802_11Analyzer(); ~IEEE802_11Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index ec34f39d04..26bdf9f041 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -12,27 +12,26 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); - if ( pdata + 3 >= end_of_data ) + if ( data + 3 >= end_of_data ) { packet->Weird("truncated_radiotap_header"); return { AnalyzerResult::Failed, 0 }; } // Skip over the RadioTap header - int rtheader_len = (pdata[3] << 8) + pdata[2]; + int rtheader_len = (data[3] << 8) + data[2]; - if ( pdata + rtheader_len >= end_of_data ) + if ( data + rtheader_len >= end_of_data ) { packet->Weird("truncated_radiotap_header"); return { AnalyzerResult::Failed, 0 }; } - packet->cur_pos += rtheader_len; + data += rtheader_len; return { AnalyzerResult::Continue, DLT_IEEE802_11 }; } diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index ef1cf1fb39..1c50c07dbd 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index 8cfd51b7f9..ad199f97f8 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc @@ -9,7 +9,7 @@ IPv4Analyzer::IPv4Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet, const uint8_t*& data) { packet->l3_proto = L3_IPV4; diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h index 1ee5b5098b..37026cabd9 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -12,7 +12,7 @@ public: IPv4Analyzer(); ~IPv4Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc index 2d724d9188..9380a1fe85 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.cc +++ b/src/packet_analysis/protocol/ipv6/IPv6.cc @@ -9,7 +9,7 @@ IPv6Analyzer::IPv6Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet, const uint8_t*& data) { packet->l3_proto = L3_IPV6; diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h index db9416697a..f7ad9fdc74 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.h +++ b/src/packet_analysis/protocol/ipv6/IPv6.h @@ -12,7 +12,7 @@ public: IPv6Analyzer(); ~IPv6Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 5a1f0fb29b..56149c42f1 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -9,18 +9,16 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + sizeof(SLLHeader) >= packet->GetEndOfData() ) + if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() ) { packet->Weird("truncated_Linux_SLL_header"); return { AnalyzerResult::Failed, 0 }; } //TODO: Handle different ARPHRD_types - auto hdr = (const SLLHeader*)pdata; + auto hdr = (const SLLHeader*)data; uint32_t protocol = ntohs(hdr->protocol_type); packet->l2_src = (u_char*) &(hdr->addr); @@ -29,6 +27,6 @@ zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* pac // here will cause crashes elsewhere. packet->l2_dst = Packet::L2_EMPTY_ADDR; - pdata += sizeof(SLLHeader); + data += sizeof(SLLHeader); return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index 04cd170318..f9519b214f 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 1b22403919..2d507a4fc8 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -9,9 +9,8 @@ MPLSAnalyzer::MPLSAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Skip the MPLS label stack. @@ -19,25 +18,25 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) while ( ! end_of_stack ) { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } - end_of_stack = *(pdata + 2u) & 0x01; - pdata += 4; + end_of_stack = *(data + 2u) & 0x01; + data += 4; } // According to RFC3032 the encapsulated protocol is not encoded. // We assume that what remains is IP. - if ( pdata + sizeof(struct ip) >= end_of_data ) + if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); return { AnalyzerResult::Failed, 0 }; } - auto ip = (const struct ip*)pdata; + auto ip = (const struct ip*)data; if ( ip->ip_v == 4 ) packet->l3_proto = L3_IPV4; @@ -50,6 +49,6 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) return { AnalyzerResult::Failed, 0 }; } - packet->hdr_size = (pdata - packet->data); + packet->hdr_size = (data - packet->data); return { AnalyzerResult::Terminate, 0 }; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 3c13e5d878..61439ee4c4 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index 0167a792fa..3b5fc3a86a 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,13 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet) { - auto& pdata = packet->cur_pos; +zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html - uint32_t protocol = pdata[0]; - uint8_t version = pdata[1]; + uint32_t protocol = data[0]; + uint8_t version = data[1]; if ( version != 0 ) { @@ -25,14 +24,14 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet } // Skip to TLVs. - pdata += 4; + data += 4; uint16_t tlv_len; uint16_t tlv_type; while ( true ) { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("nflog_no_pcap_payload"); return { AnalyzerResult::Failed, 0 }; @@ -41,15 +40,15 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet // TLV Type and Length values are specified in host byte order // (libpcap should have done any needed byteswapping already). - tlv_len = *(reinterpret_cast(pdata)); - tlv_type = *(reinterpret_cast(pdata + 2)); + tlv_len = *(reinterpret_cast(data)); + tlv_type = *(reinterpret_cast(data + 2)); auto constexpr nflog_type_payload = 9; if ( tlv_type == nflog_type_payload ) { // The raw packet payload follows this TLV. - pdata += 4; + data += 4; break; } else @@ -72,7 +71,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet tlv_len += 4 - rem; } - pdata += tlv_len; + data += tlv_len; } } diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index e5212c6788..bc5b34eb2a 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 923f5c4ba9..5c61a53897 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -10,18 +10,16 @@ NullAnalyzer::NullAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + 4 >= packet->GetEndOfData() ) + if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("null_analyzer_failed"); return { AnalyzerResult::Failed, 0 }; } - uint32_t protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0]; - pdata += 4; // skip link header + uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; + data += 4; // skip link header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index 8282cee7b5..1df209225a 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -12,7 +12,7 @@ public: NullAnalyzer(); ~NullAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index fc79156bd6..da28fc6dc4 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -10,13 +10,11 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - // Extract protocol identifier - uint32_t protocol = (pdata[2] << 8) + pdata[3]; - pdata += 4; // skip link header + uint32_t protocol = (data[2] << 8) + data[3]; + data += 4; // skip link header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 02201c97fd..75003f4242 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 5e2d2db6f1..53b004b733 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -10,19 +10,17 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + 8 >= packet->GetEndOfData() ) + if ( data + 8 >= packet->GetEndOfData() ) { packet->Weird("truncated_pppoe_header"); return { AnalyzerResult::Failed, 0 }; } // Extract protocol identifier - uint32_t protocol = (pdata[6] << 8u) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header + uint32_t protocol = (data[6] << 8u) + data[7]; + data += 8; // Skip the PPPoE session and PPP header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index 3e37cf4cf4..cbb08fabc1 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h @@ -12,7 +12,7 @@ public: PPPoEAnalyzer(); ~PPPoEAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index be3788f3fe..84fcfe28dd 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -10,22 +10,20 @@ VLANAnalyzer::VLANAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + 4 >= packet->GetEndOfData() ) + if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("truncated_VLAN_header"); return { AnalyzerResult::Failed, 0 }; } auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan; - vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff; + vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff; - uint32_t protocol = ((pdata[2] << 8u) + pdata[3]); + uint32_t protocol = ((data[2] << 8u) + data[3]); packet->eth_type = protocol; - pdata += 4; // Skip the VLAN header + data += 4; // Skip the VLAN header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index 40868e5adf..94446c0766 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index 8d91dd5ed8..eed1087acf 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc @@ -10,38 +10,37 @@ WrapperAnalyzer::WrapperAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if // labels are in place. bool have_mpls = false; - auto pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Skip past Cisco FabricPath to encapsulated ethernet frame. - if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) + if ( data[12] == 0x89 && data[13] == 0x03 ) { auto constexpr cfplen = 16; - if ( pdata + cfplen + 14 >= end_of_data ) + if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); return { AnalyzerResult::Failed, 0 }; } - pdata += cfplen; + data += cfplen; } // Extract protocol identifier - uint32_t protocol = (pdata[12] << 8u) + pdata[13]; + uint32_t protocol = (data[12] << 8u) + data[13]; packet->eth_type = protocol; - packet->l2_dst = pdata; - packet->l2_src = pdata + 6; + packet->l2_dst = data; + packet->l2_src = data + 6; - pdata += 14; + data += 14; bool saw_vlan = false; @@ -55,16 +54,16 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack case 0x8100: case 0x9100: { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan; - vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff; - protocol = ((pdata[2] << 8u) + pdata[3]); - pdata += 4; // Skip the vlan header + vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff; + protocol = ((data[2] << 8u) + data[3]); + data += 4; // Skip the vlan header saw_vlan = true; packet->eth_type = protocol; } @@ -73,14 +72,14 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack // PPPoE carried over the ethernet frame. case 0x8864: { - if ( pdata + 8 >= end_of_data ) + if ( data + 8 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } - protocol = (pdata[6] << 8u) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header + protocol = (data[6] << 8u) + data[7]; + data += 8; // Skip the PPPoE session and PPP header if ( protocol == 0x0021 ) packet->l3_proto = L3_IPV4; @@ -125,24 +124,24 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack while ( ! end_of_stack ) { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } - end_of_stack = *(pdata + 2u) & 0x01; - pdata += 4; + end_of_stack = *(data + 2u) & 0x01; + data += 4; } // We assume that what remains is IP - if ( pdata + sizeof(struct ip) >= end_of_data ) + if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); return { AnalyzerResult::Failed, 0 }; } - const struct ip* ip = (const struct ip*)pdata; + const struct ip* ip = (const struct ip*)data; if ( ip->ip_v == 4 ) packet->l3_proto = L3_IPV4; @@ -157,7 +156,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack } // Calculate how much header we've used up. - packet->hdr_size = (pdata - packet->data); + packet->hdr_size = (data - packet->data); return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index 2fd8abbea0..38fb6ca268 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -12,7 +12,7 @@ public: WrapperAnalyzer(); ~WrapperAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index fdf313d518..f0588e7627 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -10,21 +10,20 @@ Bar::Bar() { } -zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Rudimentary parsing of 802.2 LLC - if ( pdata + 17 >= end_of_data ) + if ( data + 17 >= end_of_data ) { packet->Weird("truncated_llc_header"); return { AnalyzerResult::Failed, 0 }; } - auto dsap = pdata[14]; - auto ssap = pdata[15]; - auto control = pdata[16]; + auto dsap = data[14]; + auto ssap = data[15]; + auto control = data[16]; mgr.Enqueue(bar_message, val_mgr->Count(dsap), diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index a125b1c8c2..83f0bf6ce9 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -10,7 +10,7 @@ public: Bar(); ~Bar() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() {