Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'mnhsrj/innerPktResults'

Browse source 
* mnhsrj/innerPktResults:
  Set original/outer packet flags to reflect inner packet results
This commit is contained in:
Tim Wojtulewicz 2025-02-20 16:40:19 -07:00
commit bcecc6ea51
5 changed files with 23 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

7
CHANGES
View file

@ -1,3 +1,10 @@
7.2.0-dev.212 | 2025-02-20 16:40:19 -0700
* Set original/outer packet flags to reflect inner packet results (mnhsrj)
Propagate inner packet flags such as 'processed', 'dump_packet', 'dump_size'
to outer packet for packets involving tunneled data.
7.2.0-dev.210 | 2025-02-20 15:35:21 -0700
* Also trim trailing spaces in `to_count`/`to_int` inputs (Benjamin Bannier, Corelight)

2
VERSION
View file

@ -1 +1 @@
7.2.0-dev.210
7.2.0-dev.212

1
src/iosource/Packet.cc
View file

@ -46,6 +46,7 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u
data = arg_data;
dump_packet = false;
dump_size = 0;
time = ts.tv_sec + double(ts.tv_usec) / 1e6;
eth_type = 0;

14
src/packet_analysis/protocol/iptunnel/IPTunnel.cc
View file

@ -78,7 +78,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
/**
* Handles a packet that contains an IP header directly after the tunnel header.
*/
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, const std::shared_ptr<IP_Hdr>& inner,
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, Packet* pkt, const std::shared_ptr<IP_Hdr>& inner,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec) {
uint32_t caplen, len;
@ -113,13 +113,18 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, co
// Forward the packet back to the IP analyzer.
bool return_val = ForwardPacket(len, data, &p);
// Propagate the flags from fake inner packet to outer packet
pkt->processed = p.processed;
pkt->dump_packet = p.dump_packet;
pkt->dump_size = (p.dump_size > 0) ? static_cast<int>(data - pkt->data) + p.dump_size : p.dump_size;
return return_val;
}
/**
* Handles a packet that contains a physical-layer header after the tunnel header.
*/
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, uint32_t caplen, uint32_t len,
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, Packet* pkt, uint32_t caplen, uint32_t len,
const u_char* data, int link_type,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec) {
@ -145,6 +150,11 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui
// to the packet manager.
bool return_val = packet_mgr->ProcessInnerPacket(&p);
// Propagate the flags from fake inner packet to outer packet
pkt->processed = p.processed;
pkt->dump_packet = p.dump_packet;
pkt->dump_size = (p.dump_size > 0) ? static_cast<int>(data - pkt->data) + p.dump_size : p.dump_size;
return return_val;
}

4
src/packet_analysis/protocol/iptunnel/IPTunnel.h
View file

@ -37,7 +37,7 @@ public:
* the most-recently found depth of encapsulation.
* @param ec The most-recently found depth of encapsulation.
*/
bool ProcessEncapsulatedPacket(double t, const Packet* pkt, const std::shared_ptr<IP_Hdr>& inner,
bool ProcessEncapsulatedPacket(double t, Packet* pkt, const std::shared_ptr<IP_Hdr>& inner,
std::shared_ptr<EncapsulationStack> prev, const EncapsulatingConn& ec);
/**
@ -56,7 +56,7 @@ public:
* including the most-recently found depth of encapsulation.
* @param ec The most-recently found depth of encapsulation.
*/
bool ProcessEncapsulatedPacket(double t, const Packet* pkt, uint32_t caplen, uint32_t len, const u_char* data,
bool ProcessEncapsulatedPacket(double t, Packet* pkt, uint32_t caplen, uint32_t len, const u_char* data,
int link_type, std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec);