Remove packet_analysis/Defines.h
- Replace uses of identifier_t with uint32_t
- Replace repeated usage of the tuple type for analysis results with a type alias
This commit is contained in:
parent
b46e600775
commit
c2500d03d6
42 changed files with 66 additions and 80 deletions
|
@ -1,7 +1,6 @@
|
||||||
// See the file "COPYING" in the main distribution directory for copyright.
|
// See the file "COPYING" in the main distribution directory for copyright.
|
||||||
#pragma once
|
#pragma once
|
||||||
|
|
||||||
#include "Defines.h"
|
|
||||||
#include "Manager.h"
|
#include "Manager.h"
|
||||||
#include "Tag.h"
|
#include "Tag.h"
|
||||||
#include <iosource/Packet.h>
|
#include <iosource/Packet.h>
|
||||||
|
@ -17,7 +16,7 @@ enum class AnalyzerResult {
|
||||||
Terminate // Analysis succeeded and there is no further analysis to do
|
Terminate // Analysis succeeded and there is no further analysis to do
|
||||||
};
|
};
|
||||||
|
|
||||||
using AnalysisResultTuple = std::tuple<AnalyzerResult, identifier_t>;
|
using AnalysisResultTuple = std::tuple<AnalyzerResult, uint32_t>;
|
||||||
|
|
||||||
class Analyzer {
|
class Analyzer {
|
||||||
public:
|
public:
|
||||||
|
@ -75,7 +74,7 @@ public:
|
||||||
* how to proceed. If analysis can continue, the identifier determines the
|
* how to proceed. If analysis can continue, the identifier determines the
|
||||||
* encapsulated protocol.
|
* encapsulated protocol.
|
||||||
*/
|
*/
|
||||||
virtual std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) = 0;
|
virtual AnalysisResultTuple Analyze(Packet* packet) = 0;
|
||||||
|
|
||||||
protected:
|
protected:
|
||||||
friend class Manager;
|
friend class Manager;
|
||||||
|
|
|
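Review bot: With `#include "Defines.h"` gone, this header has no visible include for the two standard names it now uses itself: `using AnalysisResultTuple = std::tuple<AnalyzerResult, uint32_t>;` needs `<tuple>` and `<cstdint>`, and neither appears among the remaining includes (Manager.h, Tag.h and iosource/Packet.h may pull them in transitively, and lines 8-15 of the file are outside the hunk, so this is a presumption). Adding `#include <cstdint>` and `#include <tuple>` next to `#include <iosource/Packet.h>` keeps the header self-contained now that the deleted Defines.h no longer supplies `<cstdint>`. The new alias is what every analyzer spells in its signature, so it deserves a one-line comment where it is declared, e.g. `// Outcome of Analyze() plus the identifier of the encapsulated protocol to dispatch next; the analyzers in this change return 0 as the identifier when they do not Continue.`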
@ -14,12 +14,12 @@ const std::string& DispatcherConfig::GetName() const
|
||||||
return name;
|
return name;
|
||||||
}
|
}
|
||||||
|
|
||||||
const std::map<identifier_t, std::string>& DispatcherConfig::GetMappings() const
|
const std::map<uint32_t, std::string>& DispatcherConfig::GetMappings() const
|
||||||
{
|
{
|
||||||
return mappings;
|
return mappings;
|
||||||
}
|
}
|
||||||
|
|
||||||
void DispatcherConfig::AddMapping(identifier_t identifier,
|
void DispatcherConfig::AddMapping(uint32_t identifier,
|
||||||
const std::string& analyzer_name)
|
const std::string& analyzer_name)
|
||||||
{
|
{
|
||||||
DBG_LOG(DBG_PACKET_ANALYSIS, "Adding configuration mapping: %s -> %#x -> %s",
|
DBG_LOG(DBG_PACKET_ANALYSIS, "Adding configuration mapping: %s -> %#x -> %s",
|
||||||
|
@ -71,7 +71,7 @@ DispatcherConfig& Config::AddDispatcherConfig(const std::string& name)
|
||||||
return dispatchers.emplace_back(name);
|
return dispatchers.emplace_back(name);
|
||||||
}
|
}
|
||||||
|
|
||||||
void Config::AddMapping(const std::string& name, identifier_t identifier,
|
void Config::AddMapping(const std::string& name, uint32_t identifier,
|
||||||
const std::string& analyzer_name)
|
const std::string& analyzer_name)
|
||||||
{
|
{
|
||||||
// Create dispatcher config if it does not exist yet
|
// Create dispatcher config if it does not exist yet
|
||||||
|
|
|
@ -8,8 +8,6 @@
|
||||||
#include <utility>
|
#include <utility>
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
|
||||||
#include "Defines.h"
|
|
||||||
|
|
||||||
namespace zeek::packet_analysis {
|
namespace zeek::packet_analysis {
|
||||||
|
|
||||||
class DispatcherConfig {
|
class DispatcherConfig {
|
||||||
|
@ -17,16 +15,16 @@ public:
|
||||||
explicit DispatcherConfig(const std::string name) : name(std::move(name)) { }
|
explicit DispatcherConfig(const std::string name) : name(std::move(name)) { }
|
||||||
|
|
||||||
const std::string& GetName() const;
|
const std::string& GetName() const;
|
||||||
const std::map<identifier_t, std::string>& GetMappings() const;
|
const std::map<uint32_t, std::string>& GetMappings() const;
|
||||||
|
|
||||||
void AddMapping(identifier_t identifier, const std::string& analyzer_name);
|
void AddMapping(uint32_t identifier, const std::string& analyzer_name);
|
||||||
|
|
||||||
bool operator==(const DispatcherConfig& rhs) const;
|
bool operator==(const DispatcherConfig& rhs) const;
|
||||||
bool operator!=(const DispatcherConfig& rhs) const;
|
bool operator!=(const DispatcherConfig& rhs) const;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
const std::string name;
|
const std::string name;
|
||||||
std::map<identifier_t, std::string> mappings;
|
std::map<uint32_t, std::string> mappings;
|
||||||
};
|
};
|
||||||
|
|
||||||
class Config {
|
class Config {
|
||||||
|
@ -35,7 +33,7 @@ public:
|
||||||
const std::vector<DispatcherConfig>& GetDispatchers() const;
|
const std::vector<DispatcherConfig>& GetDispatchers() const;
|
||||||
std::optional<std::reference_wrapper<DispatcherConfig>> GetDispatcherConfig(const std::string& name);
|
std::optional<std::reference_wrapper<DispatcherConfig>> GetDispatcherConfig(const std::string& name);
|
||||||
DispatcherConfig& AddDispatcherConfig(const std::string& name);
|
DispatcherConfig& AddDispatcherConfig(const std::string& name);
|
||||||
void AddMapping(const std::string& name, identifier_t identifier, const std::string& analyzer_name);
|
void AddMapping(const std::string& name, uint32_t identifier, const std::string& analyzer_name);
|
||||||
|
|
||||||
private:
|
private:
|
||||||
std::vector<DispatcherConfig> dispatchers;
|
std::vector<DispatcherConfig> dispatchers;
|
||||||
|
|
|
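Review bot: Dropping `#include "Defines.h"` removes the only include in this hunk that supplied `<cstdint>` (the deleted Defines.h included it), yet the header still spells `uint32_t` in `GetMappings`, both `AddMapping` declarations and the `mappings` member. Only `<utility>` and `<vector>` remain visible among the includes; lines 1-7 of the file are outside the hunk, so an earlier `<cstdint>` cannot be ruled out, but as shown the header now depends on transitive inclusion. Add `#include <cstdint>` to the system-include group so the header stays self-contained.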
@ -1,11 +0,0 @@
|
||||||
// See the file "COPYING" in the main distribution directory for copyright.
|
|
||||||
|
|
||||||
#pragma once
|
|
||||||
|
|
||||||
#include <cstdint>
|
|
||||||
|
|
||||||
namespace zeek::packet_analysis {
|
|
||||||
|
|
||||||
using identifier_t = uint32_t;
|
|
||||||
|
|
||||||
}
|
|
|
@ -11,7 +11,7 @@ Dispatcher::~Dispatcher()
|
||||||
FreeValues();
|
FreeValues();
|
||||||
}
|
}
|
||||||
|
|
||||||
bool Dispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher)
|
bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher)
|
||||||
{
|
{
|
||||||
// If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it.
|
// If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it.
|
||||||
if ( table.size() == 1 && table[0] == nullptr )
|
if ( table.size() == 1 && table[0] == nullptr )
|
||||||
|
@ -29,7 +29,7 @@ bool Dispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, Dispatc
|
||||||
else if ( identifier < lowest_identifier )
|
else if ( identifier < lowest_identifier )
|
||||||
{
|
{
|
||||||
// Lower than the lowest registered identifier. Shift up by lowerBound - identifier
|
// Lower than the lowest registered identifier. Shift up by lowerBound - identifier
|
||||||
identifier_t distance = lowest_identifier - identifier;
|
uint32_t distance = lowest_identifier - identifier;
|
||||||
table.resize(table.size() + distance, nullptr);
|
table.resize(table.size() + distance, nullptr);
|
||||||
|
|
||||||
// Shift values
|
// Shift values
|
||||||
|
@ -77,7 +77,7 @@ void Dispatcher::Register(const register_map& data)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ValuePtr Dispatcher::Lookup(identifier_t identifier) const
|
ValuePtr Dispatcher::Lookup(uint32_t identifier) const
|
||||||
{
|
{
|
||||||
int64_t index = identifier - lowest_identifier;
|
int64_t index = identifier - lowest_identifier;
|
||||||
if ( index >= 0 && index < static_cast<int64_t>(table.size()) && table[index] != nullptr )
|
if ( index >= 0 && index < static_cast<int64_t>(table.size()) && table[index] != nullptr )
|
||||||
|
|
|
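Review bot: The negative half of the guard in `Dispatcher::Lookup` cannot fire: `int64_t index = identifier - lowest_identifier;` subtracts two `uint32_t` values (`lowest_identifier` is declared `uint32_t` in Dispatcher.h), so the difference wraps modulo 2^32 before it is widened and `index >= 0` is always true. A lookup below `lowest_identifier` therefore produces an index just under 2^32, which the `index < table.size()` comparison still rejects for any table that fits in memory, so this is a misleading check rather than an out-of-bounds read today, but it is fragile and hides the intent. Widening before subtracting makes the check real: `int64_t index = static_cast<int64_t>(identifier) - static_cast<int64_t>(lowest_identifier);`. The body of `Lookup` continues past the end of the hunk.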
@ -11,8 +11,8 @@ namespace zeek::packet_analysis {
|
||||||
class Dispatcher; // Forward decl for Value
|
class Dispatcher; // Forward decl for Value
|
||||||
using DispatcherPtr = std::shared_ptr<Dispatcher>;
|
using DispatcherPtr = std::shared_ptr<Dispatcher>;
|
||||||
|
|
||||||
using register_pair = std::pair<identifier_t, std::pair<AnalyzerPtr, DispatcherPtr>>;
|
using register_pair = std::pair<uint32_t, std::pair<AnalyzerPtr, DispatcherPtr>>;
|
||||||
using register_map = std::map<identifier_t, std::pair<AnalyzerPtr, DispatcherPtr>>;
|
using register_map = std::map<uint32_t, std::pair<AnalyzerPtr, DispatcherPtr>>;
|
||||||
|
|
||||||
class Value {
|
class Value {
|
||||||
public:
|
public:
|
||||||
|
@ -35,22 +35,22 @@ public:
|
||||||
|
|
||||||
~Dispatcher();
|
~Dispatcher();
|
||||||
|
|
||||||
bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher);
|
bool Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher);
|
||||||
void Register(const register_map& data);
|
void Register(const register_map& data);
|
||||||
|
|
||||||
ValuePtr Lookup(identifier_t identifier) const;
|
ValuePtr Lookup(uint32_t identifier) const;
|
||||||
|
|
||||||
size_t Size() const;
|
size_t Size() const;
|
||||||
void Clear();
|
void Clear();
|
||||||
void DumpDebug() const;
|
void DumpDebug() const;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
identifier_t lowest_identifier = 0;
|
uint32_t lowest_identifier = 0;
|
||||||
std::vector<ValuePtr> table;
|
std::vector<ValuePtr> table;
|
||||||
|
|
||||||
void FreeValues();
|
void FreeValues();
|
||||||
|
|
||||||
inline identifier_t GetHighestIdentifier() const
|
inline uint32_t GetHighestIdentifier() const
|
||||||
{
|
{
|
||||||
return lowest_identifier + table.size() - 1;
|
return lowest_identifier + table.size() - 1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -149,7 +149,7 @@ void Manager::ProcessPacket(Packet* packet)
|
||||||
|
|
||||||
// Dispatch and analyze layers
|
// Dispatch and analyze layers
|
||||||
AnalyzerResult result = AnalyzerResult::Continue;
|
AnalyzerResult result = AnalyzerResult::Continue;
|
||||||
identifier_t next_layer_id = packet->link_type;
|
uint32_t next_layer_id = packet->link_type;
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
auto current_analyzer = Dispatch(next_layer_id);
|
auto current_analyzer = Dispatch(next_layer_id);
|
||||||
|
@ -224,7 +224,7 @@ void Manager::CustomEncapsulationSkip(Packet* packet)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
AnalyzerPtr Manager::Dispatch(identifier_t identifier)
|
AnalyzerPtr Manager::Dispatch(uint32_t identifier)
|
||||||
{
|
{
|
||||||
// Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers,
|
// Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers,
|
||||||
// current_state needs to be checked to be not null. In this case there would have been an analyzer dispatched
|
// current_state needs to be checked to be not null. In this case there would have been an analyzer dispatched
|
||||||
|
|
|
@ -97,7 +97,7 @@ private:
|
||||||
*/
|
*/
|
||||||
void CustomEncapsulationSkip(Packet* packet);
|
void CustomEncapsulationSkip(Packet* packet);
|
||||||
|
|
||||||
AnalyzerPtr Dispatch(identifier_t identifier);
|
AnalyzerPtr Dispatch(uint32_t identifier);
|
||||||
|
|
||||||
DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name);
|
DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name);
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ ARPAnalyzer::ARPAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> ARPAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
// TODO: Make ARP analyzer a native packet analyzer
|
// TODO: Make ARP analyzer a native packet analyzer
|
||||||
packet->l3_proto = L3_ARP;
|
packet->l3_proto = L3_ARP;
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
ARPAnalyzer();
|
ARPAnalyzer();
|
||||||
~ARPAnalyzer() override = default;
|
~ARPAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ DefaultAnalyzer::DefaultAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> DefaultAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
}
|
}
|
||||||
|
|
||||||
auto ip = (const struct ip *)pdata;
|
auto ip = (const struct ip *)pdata;
|
||||||
identifier_t protocol = ip->ip_v;
|
uint32_t protocol = ip->ip_v;
|
||||||
|
|
||||||
return { AnalyzerResult::Continue, protocol };
|
return { AnalyzerResult::Continue, protocol };
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
DefaultAnalyzer();
|
DefaultAnalyzer();
|
||||||
~DefaultAnalyzer() override = default;
|
~DefaultAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ EthernetAnalyzer::EthernetAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> EthernetAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
auto end_of_data = packet->GetEndOfData();
|
auto end_of_data = packet->GetEndOfData();
|
||||||
|
@ -38,7 +38,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get protocol being carried from the ethernet frame.
|
// Get protocol being carried from the ethernet frame.
|
||||||
identifier_t protocol = (pdata[12] << 8) + pdata[13];
|
uint32_t protocol = (pdata[12] << 8) + pdata[13];
|
||||||
|
|
||||||
packet->eth_type = protocol;
|
packet->eth_type = protocol;
|
||||||
packet->l2_dst = pdata;
|
packet->l2_dst = pdata;
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
EthernetAnalyzer();
|
EthernetAnalyzer();
|
||||||
~EthernetAnalyzer() override = default;
|
~EthernetAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ FDDIAnalyzer::FDDIAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> FDDIAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
auto hdr_size = 13 + 8; // FDDI header + LLC
|
auto hdr_size = 13 + 8; // FDDI header + LLC
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
FDDIAnalyzer();
|
FDDIAnalyzer();
|
||||||
~FDDIAnalyzer() override = default;
|
~FDDIAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ IEEE802_11Analyzer::IEEE802_11Analyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> IEEE802_11Analyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
auto end_of_data = packet->GetEndOfData();
|
auto end_of_data = packet->GetEndOfData();
|
||||||
|
@ -106,7 +106,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
return { AnalyzerResult::Failed, 0 };
|
return { AnalyzerResult::Failed, 0 };
|
||||||
}
|
}
|
||||||
|
|
||||||
identifier_t protocol = (pdata[0] << 8) + pdata[1];
|
uint32_t protocol = (pdata[0] << 8) + pdata[1];
|
||||||
pdata += 2;
|
pdata += 2;
|
||||||
|
|
||||||
return { AnalyzerResult::Continue, protocol };
|
return { AnalyzerResult::Continue, protocol };
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
IEEE802_11Analyzer();
|
IEEE802_11Analyzer();
|
||||||
~IEEE802_11Analyzer() override = default;
|
~IEEE802_11Analyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -12,7 +12,7 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> IEEE802_11_RadioAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto pdata = packet->cur_pos;
|
auto pdata = packet->cur_pos;
|
||||||
auto end_of_data = packet->GetEndOfData();
|
auto end_of_data = packet->GetEndOfData();
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
IEEE802_11_RadioAnalyzer();
|
IEEE802_11_RadioAnalyzer();
|
||||||
~IEEE802_11_RadioAnalyzer() override = default;
|
~IEEE802_11_RadioAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -9,7 +9,7 @@ IPv4Analyzer::IPv4Analyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> IPv4Analyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
packet->l3_proto = L3_IPV4;
|
packet->l3_proto = L3_IPV4;
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
IPv4Analyzer();
|
IPv4Analyzer();
|
||||||
~IPv4Analyzer() override = default;
|
~IPv4Analyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -9,7 +9,7 @@ IPv6Analyzer::IPv6Analyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> IPv6Analyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
packet->l3_proto = L3_IPV6;
|
packet->l3_proto = L3_IPV6;
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
IPv6Analyzer();
|
IPv6Analyzer();
|
||||||
~IPv6Analyzer() override = default;
|
~IPv6Analyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static AnalyzerPtr Instantiate()
|
static AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -9,7 +9,7 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> LinuxSLLAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
//TODO: Handle different ARPHRD_types
|
//TODO: Handle different ARPHRD_types
|
||||||
auto hdr = (const SLLHeader*)pdata;
|
auto hdr = (const SLLHeader*)pdata;
|
||||||
|
|
||||||
identifier_t protocol = ntohs(hdr->protocol_type);
|
uint32_t protocol = ntohs(hdr->protocol_type);
|
||||||
packet->l2_src = (u_char*) &(hdr->addr);
|
packet->l2_src = (u_char*) &(hdr->addr);
|
||||||
|
|
||||||
// SLL doesn't include a destination address in the header, but not setting l2_dst to something
|
// SLL doesn't include a destination address in the header, but not setting l2_dst to something
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
LinuxSLLAnalyzer();
|
LinuxSLLAnalyzer();
|
||||||
~LinuxSLLAnalyzer() override = default;
|
~LinuxSLLAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -9,7 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> MPLSAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
auto end_of_data = packet->GetEndOfData();
|
auto end_of_data = packet->GetEndOfData();
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
MPLSAnalyzer();
|
MPLSAnalyzer();
|
||||||
~MPLSAnalyzer() override = default;
|
~MPLSAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,12 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> NFLogAnalyzer::Analyze(Packet* packet) {
|
zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet) {
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
auto end_of_data = packet->GetEndOfData();
|
auto end_of_data = packet->GetEndOfData();
|
||||||
|
|
||||||
// See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
|
// See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
|
||||||
identifier_t protocol = pdata[0];
|
uint32_t protocol = pdata[0];
|
||||||
uint8_t version = pdata[1];
|
uint8_t version = pdata[1];
|
||||||
|
|
||||||
if ( version != 0 )
|
if ( version != 0 )
|
||||||
|
|
|
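Review bot: `NFLogAnalyzer::Analyze` dereferences the packet before any bounds check: `uint32_t protocol = pdata[0];` and `uint8_t version = pdata[1];` run without comparing `pdata` against the `end_of_data` fetched two lines earlier, so a truncated capture shorter than the fixed header is read out of bounds. The function continues past the hunk, but a length check placed after these reads would come too late to help. The fixed NFLOG header the comment links to is four bytes (address family, version, resource id), so a check such as `if ( pdata + 4 > end_of_data ) return { AnalyzerResult::Failed, 0 };` placed before the first read, using the same `Failed, 0` idiom the other analyzers in this change use, closes the gap.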
@ -12,7 +12,7 @@ public:
|
||||||
NFLogAnalyzer();
|
NFLogAnalyzer();
|
||||||
~NFLogAnalyzer() override = default;
|
~NFLogAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static AnalyzerPtr Instantiate()
|
static AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ NullAnalyzer::NullAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> NullAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
return { AnalyzerResult::Failed, 0 };
|
return { AnalyzerResult::Failed, 0 };
|
||||||
}
|
}
|
||||||
|
|
||||||
identifier_t protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0];
|
uint32_t protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0];
|
||||||
pdata += 4; // skip link header
|
pdata += 4; // skip link header
|
||||||
|
|
||||||
return { AnalyzerResult::Continue, protocol };
|
return { AnalyzerResult::Continue, protocol };
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
NullAnalyzer();
|
NullAnalyzer();
|
||||||
~NullAnalyzer() override = default;
|
~NullAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,12 +10,12 @@ PPPSerialAnalyzer::PPPSerialAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> PPPSerialAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
|
|
||||||
// Extract protocol identifier
|
// Extract protocol identifier
|
||||||
identifier_t protocol = (pdata[2] << 8) + pdata[3];
|
uint32_t protocol = (pdata[2] << 8) + pdata[3];
|
||||||
pdata += 4; // skip link header
|
pdata += 4; // skip link header
|
||||||
|
|
||||||
return { AnalyzerResult::Continue, protocol };
|
return { AnalyzerResult::Continue, protocol };
|
||||||
|
|
|
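Review bot: `PPPSerialAnalyzer::Analyze` has no length check at all: it takes `pdata`, immediately reads `pdata[2]` and `pdata[3]`, advances by four and returns, and unlike the sibling analyzers it never calls `packet->GetEndOfData()`. The hunk shows the body from its first statement to the `return`, so this is not a check that merely falls outside the view; a PPP-serial frame shorter than four bytes is read past its end. Guard the header before extracting the protocol: `auto end_of_data = packet->GetEndOfData(); if ( pdata + 4 > end_of_data ) return { AnalyzerResult::Failed, 0 };`, mirroring the `Failed, 0` path the other analyzers use.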
@ -12,7 +12,7 @@ public:
|
||||||
PPPSerialAnalyzer();
|
PPPSerialAnalyzer();
|
||||||
~PPPSerialAnalyzer() override = default;
|
~PPPSerialAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ PPPoEAnalyzer::PPPoEAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> PPPoEAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract protocol identifier
|
// Extract protocol identifier
|
||||||
identifier_t protocol = (pdata[6] << 8u) + pdata[7];
|
uint32_t protocol = (pdata[6] << 8u) + pdata[7];
|
||||||
pdata += 8; // Skip the PPPoE session and PPP header
|
pdata += 8; // Skip the PPPoE session and PPP header
|
||||||
|
|
||||||
return { AnalyzerResult::Continue, protocol };
|
return { AnalyzerResult::Continue, protocol };
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
PPPoEAnalyzer();
|
PPPoEAnalyzer();
|
||||||
~PPPoEAnalyzer() override = default;
|
~PPPoEAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ VLANAnalyzer::VLANAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> VLANAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
|
|
||||||
|
@ -23,7 +23,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
|
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
|
||||||
vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff;
|
vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff;
|
||||||
|
|
||||||
identifier_t protocol = ((pdata[2] << 8u) + pdata[3]);
|
uint32_t protocol = ((pdata[2] << 8u) + pdata[3]);
|
||||||
packet->eth_type = protocol;
|
packet->eth_type = protocol;
|
||||||
pdata += 4; // Skip the VLAN header
|
pdata += 4; // Skip the VLAN header
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
VLANAnalyzer();
|
VLANAnalyzer();
|
||||||
~VLANAnalyzer() override = default;
|
~VLANAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> WrapperAnalyzer::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
// Unfortunately some packets on the link might have MPLS labels
|
// Unfortunately some packets on the link might have MPLS labels
|
||||||
// while others don't. That means we need to ask the link-layer if
|
// while others don't. That means we need to ask the link-layer if
|
||||||
|
@ -35,7 +35,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract protocol identifier
|
// Extract protocol identifier
|
||||||
identifier_t protocol = (pdata[12] << 8u) + pdata[13];
|
uint32_t protocol = (pdata[12] << 8u) + pdata[13];
|
||||||
|
|
||||||
packet->eth_type = protocol;
|
packet->eth_type = protocol;
|
||||||
packet->l2_dst = pdata;
|
packet->l2_dst = pdata;
|
||||||
|
|
|
@ -12,7 +12,7 @@ public:
|
||||||
WrapperAnalyzer();
|
WrapperAnalyzer();
|
||||||
~WrapperAnalyzer() override = default;
|
~WrapperAnalyzer() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,7 +10,7 @@ Bar::Bar()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identifier_t> Bar::Analyze(Packet* packet)
|
zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet)
|
||||||
{
|
{
|
||||||
auto& pdata = packet->cur_pos;
|
auto& pdata = packet->cur_pos;
|
||||||
auto end_of_data = packet->GetEndOfData();
|
auto end_of_data = packet->GetEndOfData();
|
||||||
|
@ -31,5 +31,5 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
|
||||||
val_mgr->Count(ssap),
|
val_mgr->Count(ssap),
|
||||||
val_mgr->Count(control));
|
val_mgr->Count(control));
|
||||||
|
|
||||||
return std::make_tuple(AnalyzerResult::Terminate, 0);
|
return { AnalyzerResult::Terminate, 0 };
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,7 @@ public:
|
||||||
Bar();
|
Bar();
|
||||||
~Bar() override = default;
|
~Bar() override = default;
|
||||||
|
|
||||||
std::tuple<AnalyzerResult, identifier_t> Analyze(Packet* packet) override;
|
AnalysisResultTuple Analyze(Packet* packet) override;
|
||||||
|
|
||||||
static AnalyzerPtr Instantiate()
|
static AnalyzerPtr Instantiate()
|
||||||
{
|
{
|
||||||
|
|