Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Initial implementation of Lower-Level analyzers

Browse source
This commit is contained in:
Peter Oettig 2019-05-09 17:49:52 +02:00 committed by Tim Wojtulewicz
parent f744d4c070
commit b2e6c9ac9a
146 changed files with 3967 additions and 613 deletions
Download patch file Download diff file Expand all files Collapse all files

34
src/llanalyzer/protocol/linux_sll/LinuxSLL.cc Normal file
View file

@ -0,0 +1,34 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "LinuxSLL.h"
using namespace zeek::llanalyzer::LinuxSLL;
LinuxSLLAnalyzer::LinuxSLLAnalyzer()
: zeek::llanalyzer::Analyzer("LinuxSLL")
{
}
std::tuple<zeek::llanalyzer::AnalyzerResult, zeek::llanalyzer::identifier_t> LinuxSLLAnalyzer::Analyze(Packet* packet)
{
auto& pdata = packet->cur_pos;
if ( pdata + sizeof(SLLHeader) >= packet->GetEndOfData() )
{
packet->Weird("truncated_Linux_SLL_header");
return { AnalyzerResult::Failed, 0 };
}
//TODO: Handle different ARPHRD_types
auto hdr = (const SLLHeader*)pdata;
identifier_t protocol = ntohs(hdr->protocol_type);
packet->l2_src = (u_char*) &(hdr->addr);
// SLL doesn't include a destination address in the header, but not setting l2_dst to something
// here will cause crashes elsewhere.
packet->l2_dst = Packet::L2_EMPTY_ADDR;
pdata += sizeof(SLLHeader);
return { AnalyzerResult::Continue, protocol };
}