packet_analysis: Introduce PacketAnalyzer::__disable_analyzer()

This adds machinery to the packet_analysis manager for disabling and enabling packet analyzers and implements two low-level bifs to use it. Extend Analyzer::enable_analyzer() and Analyzer::disable_analyzer() to transparently work with packet analyzers, too. This also allows to add packet analyzers to Analyzer::disabled_analyzers.
2025-10-11 19:18:19 +00:00 · 2022-09-29 14:36:18 +02:00 · 2022-09-29 14:36:18 +02:00 · af5a0215c0
commit af5a0215c0
parent 0d5c669c1c
12 changed files with 206 additions and 11 deletions
--- a/testing/btest/scripts/base/frameworks/analyzer/disabled-packet-analyzers.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/disabled-packet-analyzers.zeek
@ -0,0 +1,21 @@
+# @TEST-DOC: Add a packet analyzer to Analyzer::disabled_analyzers and ensure it does not generate events (vxlan in this case).
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+#
+
+# Removing this line triggers vxlan events from all but the first two packets.
+redef Analyzer::disabled_analyzers += { PacketAnalyzer::ANALYZER_VXLAN };
+
+global all_packets = 0;
+
+event raw_packet(hdr: raw_pkt_hdr)
+	{
+	++all_packets;
+	print "packet", all_packets;
+	}
+
+# Should never run.
+event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
+	{
+	print "vxlan_packet", outer$uid, "inner", inner$ip;
+	}
--- a/testing/btest/scripts/base/frameworks/analyzer/toggle-packet-analyzers.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/toggle-packet-analyzers.zeek
@ -0,0 +1,30 @@
+# @TEST-DOC: Use Analyzer::disable_analyzer() and Analyzer::enable_analyzer() to disable the VXLAN packet analyzers at runtime based on total raw packet count.
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+#
+
+global all_packets = 0;
+
+event raw_packet(hdr: raw_pkt_hdr)
+	{
+	++all_packets;
+	print "packet", all_packets;
+
+	if ( all_packets == 4 )
+		{
+		local er = Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_VXLAN);
+		print "Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_VXLAN)", er;
+		}
+	# Packets 5 to 8 don't produce vxlan_packet events.
+
+	if ( all_packets == 8 )
+		{
+		local dr = Analyzer::enable_analyzer(PacketAnalyzer::ANALYZER_VXLAN);
+		print "Analyzer::enable_analyzer(PacketAnalyzer::ANALYZER_VXLAN)", dr;
+		}
+	}
+
+event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
+	{
+	print "vxlan_packet", outer$uid, "inner", inner$ip;
+	}