Move dispatching into packet analyzers.

WIP that updates only the Ethernet analyzer.
2025-10-08 09:38:19 +00:00 · 2020-08-19 16:36:09 +02:00 · 2020-08-19 16:36:09 +02:00 · 9feda100b9
commit 9feda100b9
parent 96d0e11bb8
13 changed files with 105 additions and 88 deletions
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
@ -10,7 +10,7 @@ EthernetAnalyzer::EthernetAnalyzer()
 	{
 	}

-zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
+zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 	{
 	auto end_of_data = packet->GetEndOfData();

@ -19,7 +19,7 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac
 	if ( data + 16 >= end_of_data )
 		{
 		packet->Weird("truncated_ethernet_frame");
-		return { AnalyzerResult::Failed, 0 };
+		return AnalyzerResult::Failed;
 		}

 	// Skip past Cisco FabricPath to encapsulated ethernet frame.
@ -30,7 +30,7 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac
 		if ( data + cfplen + 14 >= end_of_data )
 			{
 			packet->Weird("truncated_link_header_cfp");
-			return { AnalyzerResult::Failed, 0 };
+			return AnalyzerResult::Failed;
 			}

 		data += cfplen;
@ -47,7 +47,7 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac
 	if ( protocol >= 1536 )
 		{
 		data += 14;
-		return { AnalyzerResult::Continue, protocol };
+		return AnalyzeInnerPacket(packet, data, protocol);
 		}

 	// Other ethernet frame types
@ -56,27 +56,28 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac
 		if ( data + 16 >= end_of_data )
 			{
 			packet->Weird("truncated_ethernet_frame");
-			return { AnalyzerResult::Failed, 0 };
+			return AnalyzerResult::Failed;
 			}

 		// In the following we use undefined EtherTypes to signal uncommon
 		// frame types. This allows specialized analyzers to take over.
 		// Note that pdata remains at the start of the ethernet frame.
+		//TODO: Lookup the analyzers on startup

 		// IEEE 802.2 SNAP
 		if ( data[14] == 0xAA && data[15] == 0xAA)
-			return { AnalyzerResult::Continue, 1502 };
+			return AnalyzeInnerPacket(packet, data, 1502);

 		// Novell raw IEEE 802.3
 		if ( data[14] == 0xFF && data[15] == 0xFF)
-			return { AnalyzerResult::Continue, 1503 };
+			return AnalyzeInnerPacket(packet, data, 1503);


 		// IEEE 802.2 LLC
-		return { AnalyzerResult::Continue, 1501 };
+		return AnalyzeInnerPacket(packet, data, 1501);
 		}

 	// Undefined (1500 < EtherType < 1536)
 	packet->Weird("undefined_ether_type");
-	return { AnalyzerResult::Failed, protocol };
+	return AnalyzerResult::Failed;
 	}
--- a/src/packet_analysis/protocol/ethernet/Ethernet.h
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h
@ -12,7 +12,7 @@ public:
 	EthernetAnalyzer();
 	~EthernetAnalyzer() override = default;

-	AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
+	AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;

 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{