Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'stu-h/erspan' of https://github.com/stu-h/zeek

Browse source 
* 'stu-h/erspan' of https://github.com/stu-h/zeek:
  Implement ERSPAN type II and ERSPAN type III support
This commit is contained in:
Jon Siwek 2019-01-17 18:01:21 -06:00
commit 995e67147a
1 changed files with 21 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/Sessions.cc
View file

@ -533,6 +533,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
unsigned int eth_len = 0; unsigned int eth_len = 0;
unsigned int gre_len = gre_header_len(flags_ver); unsigned int gre_len = gre_header_len(flags_ver);
unsigned int ppp_len = gre_version == 1 ? 4 : 0; unsigned int ppp_len = gre_version == 1 ? 4 : 0;
unsigned int erspan_len = 0;
if ( gre_version != 0 && gre_version != 1 ) if ( gre_version != 0 && gre_version != 1 )
{ {
@ -550,6 +551,22 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
proto_typ = ntohs(*((uint16*)(data + gre_len + 12))); proto_typ = ntohs(*((uint16*)(data + gre_len + 12)));
} }
if ( proto_typ == 0x88be && len > gre_len + 14 + 8)
{
// ERSPAN type II
erspan_len = 8;
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + 20)));
}
if ( proto_typ == 0x22eb && len > gre_len + 14 + 12)
{
// ERSPAN type III
erspan_len = 12;
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + 24)));
}
if ( proto_typ == 0x0800 ) if ( proto_typ == 0x0800 )
proto = IPPROTO_IPV4; proto = IPPROTO_IPV4;
else if ( proto_typ == 0x86dd ) else if ( proto_typ == 0x86dd )
@ -590,7 +607,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
return; return;
} }
if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len ) if ( len < gre_len + ppp_len + eth_len + erspan_len || caplen < gre_len + ppp_len + eth_len + erspan_len )
{ {
Weird("truncated_GRE", ip_hdr, encapsulation); Weird("truncated_GRE", ip_hdr, encapsulation);
return; return;
@ -609,9 +626,9 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6; proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
} }
data += gre_len + ppp_len + eth_len; data += gre_len + ppp_len + eth_len + erspan_len;
len -= gre_len + ppp_len + eth_len; len -= gre_len + ppp_len + eth_len + erspan_len;
caplen -= gre_len + ppp_len + eth_len; caplen -= gre_len + ppp_len + eth_len + erspan_len;
// Treat GRE tunnel like IP tunnels, fallthrough to logic below now // Treat GRE tunnel like IP tunnels, fallthrough to logic below now
// that GRE header is stripped and only payload packet remains. // that GRE header is stripped and only payload packet remains.