From c5b86032180dcb891232990417ca230b2912b792 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 19 Apr 2023 10:25:39 -0700
Subject: [PATCH] Remove non-standard way of forwarding out of the Ethernet analyzer
---
 .../base/packet-protocols/ethernet/main.zeek | 23 ++++++++----
 .../protocol/ethernet/Ethernet.cc | 37 ++++++++-----------
 .../protocol/ethernet/Ethernet.h | 7 ++--
 testing/btest/Baseline/plugins.hooks/output | 9 +++++
 .../plugins.packet-protocol/output_build | 4 +-
 .../plugins.packet-protocol/output_llc | 5 ---
 .../.stdout | 4 ++
 .../packet-protocol-plugin/CMakeLists.txt | 1 -
 .../scripts/__load__.zeek | 1 -
 .../packet-protocol-plugin/src/LLCDemo.cc | 30 ---------------
 .../packet-protocol-plugin/src/LLCDemo.h | 20 ----------
 .../packet-protocol-plugin/src/Plugin.cc | 5 +--
 .../packet-protocol-plugin/src/events.bif | 1 -
 testing/btest/plugins/packet-protocol.zeek | 3 --
 14 files changed, 48 insertions(+), 102 deletions(-)
 delete mode 100644 testing/btest/Baseline/plugins.packet-protocol/output_llc
 delete mode 100644 testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
 delete mode 100644 testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index 7c19b7bfa7..1df6b9a6dc 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@@ -1,13 +1,13 @@
 module PacketAnalyzer::ETHERNET;
-export {
- ## IEEE 802.2 SNAP analyzer
- global snap_analyzer: PacketAnalyzer::Tag &redef;
- ## Novell raw IEEE 802.3 analyzer
- global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
- ## IEEE 802.2 LLC analyzer
- global llc_analyzer: PacketAnalyzer::Tag &redef;
-}
+export
+ {
+ # We use some magic numbers here to denote these. The values here are outside the range of the
+ # standard ethertypes, which should always be above 1536.
+ const SNAP_FORWARDING_KEY : count = 0x0001;
+ const NOVELL_FORWARDING_KEY : count = 0x0002;
+ const LLC_FORWARDING_KEY : count = 0x0003;
+ }
 event zeek_init() &priority=20
 {
@@ -22,4 +22,11 @@ event zeek_init() &priority=20
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
+
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, SNAP_FORWARDING_KEY,
+ PacketAnalyzer::ANALYZER_SNAP);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, NOVELL_FORWARDING_KEY,
+ PacketAnalyzer::ANALYZER_NOVELL_802_3);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, LLC_FORWARDING_KEY,
+ PacketAnalyzer::ANALYZER_LLC);
 }
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc
index 5ec767e0ce..5d8face928 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
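Review bot: The new exported constants drop the `##` Zeekygen doc comments that the removed `global` tags carried, and the replacement `#` comment is off by one: EtherTypes begin at 1536 (0x0600), values up to 1500 are 802.3 length fields, and 1501–1535 are undefined (the trailing `// Undefined (1500 < EtherType < 1536)` context in Ethernet.cc says as much). Because the keys live in the same dispatch table as real EtherTypes, their safety rests on the Ethernet analyzer only forwarding by EtherType from 1536 upward, so that invariant belongs in the doc comment, e.g. `## Forwarding key for IEEE 802.2 SNAP frames. Must stay below 1536 (0x0600), the lowest value the Ethernet analyzer dispatches as a real EtherType, so it can never collide with one.` with matching `##` lines for the Novell and LLC keys. Dropping `&redef` also means a plugin that used to swap in its own SNAP/LLC analyzer now has to register against the key instead; that migration deserves a mention in the commit message or NEWS.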
@@ -6,15 +6,12 @@
 using namespace zeek::packet_analysis::Ethernet;
-EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet") { }
-
-void EthernetAnalyzer::Initialize()
+EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet")
 {
- Analyzer::Initialize();
-
- SNAPAnalyzer = LoadAnalyzer("snap_analyzer");
- NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer");
- LLCAnalyzer = LoadAnalyzer("llc_analyzer");
+ snap_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY")->AsCount();
+ novell_forwarding_key =
+ id::find_val("PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY")->AsCount();
+ llc_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY")->AsCount();
 }
 bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
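Review bot: The constructor copies three script constants into members without checking the assumption AnalyzePacket relies on, that each key stays below 1536 and the three differ, so a later edit of main.zeek that moved one into the EtherType range would silently shadow a real protocol. A one-time check makes the contract explicit: `if ( snap_forwarding_key >= 1536 || novell_forwarding_key >= 1536 || llc_forwarding_key >= 1536 )` followed by `reporter->InternalError("Ethernet forwarding keys must stay below the EtherType range (1536)");`, assuming the reporter global is reachable from this file. Since the script side declares them `const`, `id::find_const` would state the intent more precisely than `id::find_val`, if this tree provides it. Doing the lookup in the constructor rather than in Initialize() presumably relies on the ethernet script having been parsed before packet analyzers are instantiated; a short comment recording that ordering dependency would help the next reader.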
@@ -62,25 +59,21 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 return false;
 }
- // Let specialized analyzers take over for non Ethernet II frames.
- // Note that pdata remains at the start of the ethernet frame.
+ len -= 14;
+ data += 14;
- AnalyzerPtr eth_analyzer = nullptr;
-
- if ( data[14] == 0xAA && data[15] == 0xAA )
+ // Let specialized analyzers take over for non Ethernet II frames. We use magic numbers here
+ // to denote the protocols for the forwarding. We know these numbers should be valid because
+ // any others used should be >= 1536, as above.
+ if ( data[0] == 0xAA && data[1] == 0xAA )
 // IEEE 802.2 SNAP
- eth_analyzer = SNAPAnalyzer;
- else if ( data[14] == 0xFF && data[15] == 0xFF )
+ return ForwardPacket(len, data, packet, snap_forwarding_key);
+ else if ( data[0] == 0xFF && data[1] == 0xFF )
 // Novell raw IEEE 802.3
- eth_analyzer = NovellRawAnalyzer;
+ return ForwardPacket(len, data, packet, novell_forwarding_key);
 else
 // IEEE 802.2 LLC
- eth_analyzer = LLCAnalyzer;
-
- if ( eth_analyzer )
- return eth_analyzer->AnalyzePacket(len, data, packet);
-
- return true;
+ return ForwardPacket(len, data, packet, llc_forwarding_key);
 }
 // Undefined (1500 < EtherType < 1536)
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h
index 998b8a687e..777db32146 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.h
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h
@@ -14,7 +14,6 @@ public:
 EthernetAnalyzer();
 ~EthernetAnalyzer() override = default;
- void Initialize() override;
 bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
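Review bot: The handoff now gives the SNAP, Novell and LLC analyzers `len - 14`/`data + 14`, while the removed comment says they used to see the frame from its start, yet none of those analyzers is touched by this patch; the snap-arp baseline going from empty to four ARP lines suggests they already indexed relative to the payload and were simply handed the wrong offset before, but that is inferred and deserves a sentence in the commit message. A comment at the adjustment would pin the new contract for anyone adding an 802.2/802.3 analyzer later: `// From here on len/data cover only the payload after the 14-byte header; the SNAP/Novell/LLC analyzers index relative to that.` The length guard whose `return false` closes just above the hunk is what keeps `data[0]`/`data[1]` in bounds, and the Ethernet II dispatch the new comment calls "as above" is also outside the hunk, so that comment would read better spelled out as `>= 1536 (Ethernet II) versus <= 1500 (802.3 length)`. AnalyzePacket begins before this hunk.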
@@ -23,9 +22,9 @@ public:
 }
 private:
- AnalyzerPtr SNAPAnalyzer = nullptr;
- AnalyzerPtr NovellRawAnalyzer = nullptr;
- AnalyzerPtr LLCAnalyzer = nullptr;
+ zeek_uint_t snap_forwarding_key = 0;
+ zeek_uint_t novell_forwarding_key = 0;
+ zeek_uint_t llc_forwarding_key = 0;
 };
 }
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 5684a85b5d..ae2960b3f3 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
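Review bot: As far as this patch shows the three key members are written once, in the constructor body, and never again, so moving those assignments into the member-initialiser list would allow `const zeek_uint_t` and make the write-once property visible in the header. They also carry no comment; `// Dispatch keys mirroring PacketAnalyzer::ETHERNET::*_FORWARDING_KEY in main.zeek, used to hand non-Ethernet-II frames to the SNAP, Novell raw 802.3 and LLC analyzers.` would tie them back to the script side. The class definition begins before this hunk.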
@@ -635,8 +635,11 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)) -> 
@@ -2247,8 +2250,11 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)) 
@@ -3858,8 +3864,11 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP) diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_build b/testing/btest/Baseline/plugins.packet-protocol/output_build index 4097618014..69477c96b6 100644 --- a/testing/btest/Baseline/plugins.packet-protocol/output_build +++ b/testing/btest/Baseline/plugins.packet-protocol/output_build 
@@ -1,7 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0) - [Packet Analyzer] LLC_Demo (ANALYZER_LLC_DEMO, enabled) +PacketDemo::Bar - Demo packet analyzers (RawLayer). (dynamic, version 1.0.0) [Packet Analyzer] Raw_Layer (ANALYZER_RAW_LAYER, enabled) [Event] raw_layer_message - [Event] llc_demo_message diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_llc b/testing/btest/Baseline/plugins.packet-protocol/output_llc deleted file mode 100644 index 90afbf2ca1..0000000000 --- a/testing/btest/Baseline/plugins.packet-protocol/output_llc +++ /dev/null @@ -1,5 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) -llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) -llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) -llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) diff --git a/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout b/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout index 49d861c74c..172032872f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout @@ -1 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00 +c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00 +c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01 +c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01 
diff --git a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt
index dcac95fbb6..99604aeb2b 100644
--- a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt
@@ -14,6 +14,5 @@ include(ZeekPlugin)
 zeek_plugin_begin(PacketDemo Bar)
 zeek_plugin_cc(src/Plugin.cc)
 zeek_plugin_cc(src/RawLayer.cc)
-zeek_plugin_cc(src/LLCDemo.cc)
 zeek_plugin_bif(src/events.bif)
 zeek_plugin_end()
diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
index 80083daff0..5e8715bbe2 100644
--- a/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
+++ b/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
@@ -1,2 +1 @@
 @load PacketDemo/RawLayer/base/main
-@load PacketDemo/LLCDemo/base/main
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
deleted file mode 100644
index 05b969607a..0000000000
--- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "LLCDemo.h"
-
-#include "zeek/Event.h"
-#include "zeek/Val.h"
-#include "zeek/session/Manager.h"
-
-#include "events.bif.h"
-
-using namespace zeek::packet_analysis::PacketDemo;
-
-LLCDemo::LLCDemo() : zeek::packet_analysis::Analyzer("LLC_Demo") { }
-
-bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
- {
- // Rudimentary parsing of 802.2 LLC
- if ( 17 >= len )
- {
- session_mgr->Weird("truncated_llc_header", packet);
- return false;
- }
-
- auto dsap = data[14];
- auto ssap = data[15];
- auto control = data[16];
-
- event_mgr.Enqueue(llc_demo_message, val_mgr->Count(dsap), val_mgr->Count(ssap),
- val_mgr->Count(control));
-
- return true;
- }
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h
deleted file mode 100644
index 626357644c..0000000000
--- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#pragma once
-
-#include "zeek/packet_analysis/Analyzer.h"
-#include "zeek/packet_analysis/Component.h"
-
-namespace zeek::packet_analysis::PacketDemo
- {
-
-class LLCDemo : public Analyzer
- {
-public:
- LLCDemo();
- ~LLCDemo() override = default;
-
- bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
-
- static AnalyzerPtr Instantiate() { return std::make_shared(); }
- };
-
- }
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
index a046c6d361..dbcf221eff 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
@@ -1,6 +1,5 @@
 #include "Plugin.h"
-#include "LLCDemo.h"
 #include "RawLayer.h"
 #include "packet_analysis/Component.h"
@@ -14,12 +13,10 @@ public:
 {
 AddComponent(new zeek::packet_analysis::Component(
 "Raw_Layer", zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
- AddComponent(new zeek::packet_analysis::Component(
- "LLC_Demo", zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
 zeek::plugin::Configuration config;
 config.name = "PacketDemo::Bar";
- config.description = "Demo packet analyzers (RawLayer, LLC).";
+ config.description = "Demo packet analyzers (RawLayer).";
 config.version.major = 1;
 config.version.minor = 0;
 config.version.patch = 0;
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/events.bif b/testing/btest/plugins/packet-protocol-plugin/src/events.bif
index d70f3e1ea1..4f1f4fec9b 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/events.bif
+++ b/testing/btest/plugins/packet-protocol-plugin/src/events.bif
@@ -1,3 +1,2 @@
 event raw_layer_message%(message: string, protocol: count%);
-event llc_demo_message%(dsap: count, ssap: count, control: count%);
diff --git a/testing/btest/plugins/packet-protocol.zeek b/testing/btest/plugins/packet-protocol.zeek
index edf371b85c..96129e879a 100644
--- a/testing/btest/plugins/packet-protocol.zeek
+++ b/testing/btest/plugins/packet-protocol.zeek
@@ -16,9 +16,6 @@
 # @TEST-EXEC: test ! -e unknown_protocols.log
 # @TEST-EXEC: btest-diff output_raw
 # @TEST-EXEC: rm -f *.log
-#
-# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc
-# @TEST-EXEC: btest-diff output_llc
 @load policy/misc/unknown-protocols