Add support for DLT_LINUX_SLL2 PCAP link-type

src/packet_analysis/protocol/CMakeLists.txt

@@ -12,6 +12,7 @@ add_subdirectory(fddi)
 add_subdirectory(nflog)
 add_subdirectory(mpls)
 add_subdirectory(linux_sll)
+add_subdirectory(linux_sll2)
 
 add_subdirectory(arp)
 add_subdirectory(ip)

src/packet_analysis/protocol/linux_sll2/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer LinuxSLL2)
+zeek_plugin_cc(LinuxSLL2.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/linux_sll2/LinuxSLL2.cc

@@ -0,0 +1,30 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+using namespace zeek::packet_analysis::LinuxSLL2;
+
+LinuxSLL2Analyzer::LinuxSLL2Analyzer() : zeek::packet_analysis::Analyzer("LinuxSLL2") { }
+
+bool LinuxSLL2Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	auto len_sll2_hdr = sizeof(SLL2Header);
+	if ( len_sll2_hdr >= len )
+		{
+		Weird("truncated_Linux_SLL2_header", packet);
+		return false;
+		}
+
+	// Note: We assume to see an Ethertype and don't consider different ARPHRD_types
+	// (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html)
+	auto hdr = (const SLL2Header*)data;
+
+	uint32_t protocol = ntohs(hdr->protocol_type);
+	packet->l2_src = (u_char*)&(hdr->addr);
+
+	// SLL doesn't include a destination address in the header, but not setting l2_dst to something
+	// here will cause crashes elsewhere.
+	packet->l2_dst = Packet::L2_EMPTY_ADDR;
+
+	return ForwardPacket(len - len_sll2_hdr, data + len_sll2_hdr, packet, protocol);
+	}

src/packet_analysis/protocol/linux_sll2/LinuxSLL2.h

@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LinuxSLL2
+	{
+
+class LinuxSLL2Analyzer : public Analyzer
+	{
+public:
+	LinuxSLL2Analyzer();
+	~LinuxSLL2Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<LinuxSLL2Analyzer>();
+		}
+
+private:
+	// Structure layout is based on https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html
+	struct SLL2Header
+		{
+		uint16_t protocol_type;
+		uint16_t reserved;
+		uint32_t interface_index;
+		uint16_t arphrd_type;
+		uint8_t packet_type;
+		uint8_t addr_len;
+		uint64_t addr;
+		} __attribute__((__packed__));
+	};
+
+	}

src/packet_analysis/protocol/linux_sll2/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/linux_sll2/LinuxSLL2.h"
+
+namespace zeek::plugin::Zeek_LinuxSLL2
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"LinuxSLL2", zeek::packet_analysis::LinuxSLL2::LinuxSLL2Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::LinuxSLL2";
+		config.description = "Linux cooked capture version 2 (SLL2) packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}