Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove non-standard way of forwarding out of the Ethernet analyzer

Browse source
This commit is contained in:
Tim Wojtulewicz 2023-04-19 10:25:39 -07:00 committed by Tim Wojtulewicz
parent 7e88a2b3fb
commit c5b8603218
14 changed files with 48 additions and 102 deletions
Download patch file Download diff file Expand all files Collapse all files

37
src/packet_analysis/protocol/ethernet/Ethernet.cc
View file

@ -6,15 +6,12 @@
using namespace zeek::packet_analysis::Ethernet;
EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet") { }
void EthernetAnalyzer::Initialize()
EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet")
{
Analyzer::Initialize();
SNAPAnalyzer = LoadAnalyzer("snap_analyzer");
NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer");
LLCAnalyzer = LoadAnalyzer("llc_analyzer");
snap_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY")->AsCount();
novell_forwarding_key =
id::find_val("PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY")->AsCount();
llc_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY")->AsCount();
}
bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
@ -62,25 +59,21 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
return false;
}
// Let specialized analyzers take over for non Ethernet II frames.
// Note that pdata remains at the start of the ethernet frame.
len -= 14;
data += 14;
AnalyzerPtr eth_analyzer = nullptr;
if ( data[14] == 0xAA && data[15] == 0xAA )
// Let specialized analyzers take over for non Ethernet II frames. We use magic numbers here
// to denote the protocols for the forwarding. We know these numbers should be valid because
// any others used should be >= 1536, as above.
if ( data[0] == 0xAA && data[1] == 0xAA )
// IEEE 802.2 SNAP
eth_analyzer = SNAPAnalyzer;
else if ( data[14] == 0xFF && data[15] == 0xFF )
return ForwardPacket(len, data, packet, snap_forwarding_key);
else if ( data[0] == 0xFF && data[1] == 0xFF )
// Novell raw IEEE 802.3
eth_analyzer = NovellRawAnalyzer;
return ForwardPacket(len, data, packet, novell_forwarding_key);
else
// IEEE 802.2 LLC
eth_analyzer = LLCAnalyzer;
if ( eth_analyzer )
return eth_analyzer->AnalyzePacket(len, data, packet);
return true;
return ForwardPacket(len, data, packet, llc_forwarding_key);
}
// Undefined (1500 < EtherType < 1536)

7
src/packet_analysis/protocol/ethernet/Ethernet.h
View file

@ -14,7 +14,6 @@ public:
EthernetAnalyzer();
~EthernetAnalyzer() override = default;
void Initialize() override;
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
@ -23,9 +22,9 @@ public:
}
private:
AnalyzerPtr SNAPAnalyzer = nullptr;
AnalyzerPtr NovellRawAnalyzer = nullptr;
AnalyzerPtr LLCAnalyzer = nullptr;
zeek_uint_t snap_forwarding_key = 0;
zeek_uint_t novell_forwarding_key = 0;
zeek_uint_t llc_forwarding_key = 0;
};
}