From 908b1a17d1b08a8473695316e56eb98f7b005cbd Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Tue, 15 Nov 2011 09:51:02 -0500
Subject: [PATCH 1/2] Adding PPPoE support to Bro.

- Still needs a small test tracefile and test.
---
 src/PktSrc.cc | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 68b9785e6f..d86952a61f 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -208,16 +208,34 @@ void PktSrc::Process()
 		// Get protocol being carried from the ethernet frame.
 		protocol = (data[12] << 8) + data[13];
 
-		// MPLS carried over the ethernet frame.
-		if ( protocol == 0x8847 )
-			have_mpls = true;
-
-		// VLAN carried over ethernet frame.
-		else if ( protocol == 0x8100 )
+		switch ( protocol ) 
 			{
-			data += get_link_header_size(datalink);
-			data += 4; // Skip the vlan header
-			pkt_hdr_size = 0;
+			// MPLS carried over the ethernet frame.
+			case 0x8847:
+				have_mpls = true;
+				break;
+		
+			// VLAN carried over the ethernet frame.
+			case 0x8100:
+				data += get_link_header_size(datalink);
+				data += 4; // Skip the vlan header
+				pkt_hdr_size = 0;
+				break;
+			
+			// PPPoE carried over the ethernet frame.
+			case 0x8864:
+				data += get_link_header_size(datalink);
+				protocol = (data[6] << 8) + data[7];
+				data += 8; // Skip the PPPoE session and PPP header
+				pkt_hdr_size = 0;
+				if ( protocol != 0x0021 && protocol != 0x0057 )
+					{
+					// Neither IPv4 nor IPv6.
+					sessions->Weird("non_ip_packet_in_pppoe_encapsulation", &hdr, data);
+					data = 0;
+					return;
+					}
+				break;
 			}
 
 		break;

From 54084d0744e606c566053b9f793c0d3c8c8b93de Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 24 Oct 2012 01:05:01 -0400
Subject: [PATCH 2/2] Adding a test for PPPoE support.

---
 testing/btest/Baseline/core.pppoe/conn.log |  16 ++++++++++++++++
 testing/btest/Traces/pppoe.trace           | Bin 0 -> 6296 bytes
 testing/btest/core/pppoe.test              |   2 ++
 3 files changed, 18 insertions(+)
 create mode 100644 testing/btest/Baseline/core.pppoe/conn.log
 create mode 100644 testing/btest/Traces/pppoe.trace
 create mode 100644 testing/btest/core/pppoe.test

diff --git a/testing/btest/Baseline/core.pppoe/conn.log b/testing/btest/Baseline/core.pppoe/conn.log
new file mode 100644
index 0000000000..002b8a7ca0
--- /dev/null
+++ b/testing/btest/Baseline/core.pppoe/conn.log
@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-24-05-04-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1284385418.014560	TEfuqmmG4bh	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	-	0	D	2	288	0	0	(empty)
+1284385417.962560	j4u32Pc5bif	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	-	0	D	2	210	0	0	(empty)
+1284385411.091560	arKYeMETxOg	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	(empty)
+1284385411.035560	UWkUyAuUGXf	fe80::c801:eff:fe88:8	143	ff02::16	0	icmp	-	0.835000	160	0	OTH	-	0	-	8	608	0	0	(empty)
+1284385451.658560	FrJExwHcSal	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	-	0	-	5	500	5	500	(empty)
+1284385413.027560	nQcgTWjvg4c	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	(empty)
+1284385412.963560	k6kgXLOoSKl	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	48	0	0	(empty)
+#close	2012-10-24-05-04-16
diff --git a/testing/btest/Traces/pppoe.trace b/testing/btest/Traces/pppoe.trace
new file mode 100644
index 0000000000000000000000000000000000000000..4de67175c36894bf7337311bb5240b6767a51832
GIT binary patch
literal 6296
zcmchbU2GIp6vxk<kNub~+uc%NTSeM#l@>v2Ewx#TDUC5TF@&h0pwTq+!xDqkmJ~73
zEJATDL5T^r@j;4-q=?a~FZy8I#KaIarVo8kfmmaVCGiO#BvM(=+4;EL<<3W$)*&;U
zxjXwi|MQ=F&YflE>rc-}pn$bi0WiFHWy2ef#;%k=E1uJy%WvPS(F{PQJ08ZN2*Vqh
z3`)<+kpy1bZp0ct6tP%3<y(fV0J4Jk#kz$ohJxB3+x9q9AhxwseJxOX^y)8-UtIq8
z;FnLOk(KzIvvi83t70*%!^o=Jq~}LD7U}ARxOZK|x>h4wITq;Zi374C*=o#EQv>S!
z%x+t=@B?C9s8uXhfi9g@o@bRYMV*nAY*G!d`R}fan8ZpqII>We<XP9`G-nBN)Uwqw
zgAnSvBvQl2NEiIcSvEOJKsjD=&vD{9X9;wnUy^55OS5WuFJP5rllUBCYWLou?*00a
z=e6+cRm^d^Cup$*IR>*y^j=-~E%7<Ac2tF&Sdnyoe#rq%FJUnVM~T(-fab)Cr8_al
zDAO*mXzoS^LUu4>&28r_fnSy`JBB&#fo19XLCxzjzk1VOVh!wZ(?#>%n_n(0)P*dM
ze$5W?zABg#=oi*dUY8WRDX|3ulw)Yjk!9)f;#a8Lrmq_P3+I>QMb{CU6QcloP%G_%
z9JfQ~^OQ*~up4PQ0WfD;PSUT9<LVTsIKtpfc;_IF;i7=6QQ<ujMVxqh86pk~BQnTG
zY&*LQ5eKb^3%ddXnR2}L$udOz!-~jVWjU;Qia6QJU?<){yWlyt8_zM3%DFs8mVq5d
z(nu-3kD?_0VNTr$D+0T>hl(Ipf6TG!quJ^(g9xp`c55bz#En>)XE;lcJ+d@p5yu1T
zqV_*m#IE0#A)@2_oVprW`Wzi=aH3<y(nqwdh@&_s=01zU!#F=^7p!)TMn!~pMVP&}
zxND8TnR7JLMvyxBoL*y#uQRir%qYj;&_`_$v{r1DUgtrbc^#v`R1{vsE7}FxdkpQV
zxK+(2wLm-eKdDAaLaOpvHeY)l-wq`83btqsWMF!oKmh+$z#2&4F#_TIj|vh3qo`xH
z1pu38eizi$TZWE)uESg%inEoHQVsNPos~!j_6Smt&n#4=Cjq6(-hts}<v{Py0l9ns
zK0smhhOh@w%S%v+BLFYc-ZGCzz$M+>NcF(G0LO5Ec7c0?hUyNk+R?p^!EfaGzlX^^
z1lqY*n3KrMkJ*xX*;gJURfTa2)%o=DIC?q#tK)mI(WR-YI{#WCRyx7oiv`cc=+eY-
zW}QIR$q)GZl$aHkysRF?s{5U@1hbrUA<KRBI7K<0;yH?0q|4neVohJ<EOCyc%iXUr
zWKFb|S}V7h6_&mDHIA&zTASbE`uivOg)Dc!P9tmXNuHyPUk1y0P7rJA1ZRnJBwg-)
zy@#y+l;i&q(7ac?_(iPA-JB)PQA3uyU+0iD9t~U1QOqJ;?(>US4Uce^jbBEN&fcF#
zRyv|#XQu8f?74l=*@d4#YpSiFV>4j+Yx+#zSQ>tQXx$iIFiBR_Krj^6N+K(wrLlO~
z%JNmK*CZ+`Z@Yc%9qX#9Ym&8h-nG82e#6}xH{G+j;oipkNXf(#C6*F_L&ZwWxEQZk
z*<tv}my%tVxe|fD#Y)UoOz26r9z9{VU`Z2sQWc9VnI~WQQgU)VSK`-`vr+U!TKp_&
z+CrXmZRSe+&Xf0jDVb~MO8k0q{4exGUUcC!ZD}S?26l2KemxoWr6ktJmH74Kg&)xq
zWwE^kExDgOncc^g`1NGqmX&;nO5kb!E++7V)+E)-nnbMr)0`#9iq>#sxvxq80e!98
AiU0rr

literal 0
HcmV?d00001

diff --git a/testing/btest/core/pppoe.test b/testing/btest/core/pppoe.test
new file mode 100644
index 0000000000..35be84d657
--- /dev/null
+++ b/testing/btest/core/pppoe.test
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/pppoe.trace %INPUT 
+# @TEST-EXEC: btest-diff conn.log