Remove non-standard way of forwarding out of the Ethernet analyzer
This commit is contained in:
parent
7e88a2b3fb
commit
c5b8603218
14 changed files with 48 additions and 102 deletions
|
@ -1,13 +1,13 @@
|
|||
module PacketAnalyzer::ETHERNET;
|
||||
|
||||
export {
|
||||
## IEEE 802.2 SNAP analyzer
|
||||
global snap_analyzer: PacketAnalyzer::Tag &redef;
|
||||
## Novell raw IEEE 802.3 analyzer
|
||||
global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
|
||||
## IEEE 802.2 LLC analyzer
|
||||
global llc_analyzer: PacketAnalyzer::Tag &redef;
|
||||
}
|
||||
export
|
||||
{
|
||||
# We use some magic numbers here to denote these. The values here are outside the range of the
|
||||
# standard ethertypes, which should always be above 1536.
|
||||
const SNAP_FORWARDING_KEY : count = 0x0001;
|
||||
const NOVELL_FORWARDING_KEY : count = 0x0002;
|
||||
const LLC_FORWARDING_KEY : count = 0x0003;
|
||||
}
|
||||
|
||||
event zeek_init() &priority=20
|
||||
{
|
||||
|
@ -22,4 +22,11 @@ event zeek_init() &priority=20
|
|||
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
|
||||
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
|
||||
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
|
||||
|
||||
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, SNAP_FORWARDING_KEY,
|
||||
PacketAnalyzer::ANALYZER_SNAP);
|
||||
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, NOVELL_FORWARDING_KEY,
|
||||
PacketAnalyzer::ANALYZER_NOVELL_802_3);
|
||||
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, LLC_FORWARDING_KEY,
|
||||
PacketAnalyzer::ANALYZER_LLC);
|
||||
}
|
||||
|
|
|
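Review bot: The three forwarding-key constants starting at `const SNAP_FORWARDING_KEY : count = 0x0001;` are exported with plain `#` comments, whereas the `&redef` tags they replace (`snap_analyzer`, `novell_raw_analyzer`, `llc_analyzer`) carried Zeekygen `##` docs; since these keys are now the only public handle a plugin has for re-pointing the SNAP/Novell/LLC handlers, they should be documented the same way. I would change the block to something like `## Forwarding keys for non-Ethernet II frames. They share the EtherType dispatch table of ANALYZER_ETHERNET, so they must never collide with a real EtherType (>= 1536 / 0x0600) or with the undefined 1500 < x < 1536 range.` — note IEEE 802.3 treats 1536 itself as an EtherType, so "should always be above 1536" is off by one. The second hunk registers these keys with `PacketAnalyzer::register_packet_analyzer` like any EtherType; the page does not show whether a later registration for key 1..3 on ANALYZER_ETHERNET is rejected or silently overrides the default, and the doc comment should say which, since that is the mechanism a plugin would use.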
@ -6,15 +6,12 @@
|
|||
|
||||
using namespace zeek::packet_analysis::Ethernet;
|
||||
|
||||
EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet") { }
|
||||
|
||||
void EthernetAnalyzer::Initialize()
|
||||
EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet")
|
||||
{
|
||||
Analyzer::Initialize();
|
||||
|
||||
SNAPAnalyzer = LoadAnalyzer("snap_analyzer");
|
||||
NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer");
|
||||
LLCAnalyzer = LoadAnalyzer("llc_analyzer");
|
||||
snap_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY")->AsCount();
|
||||
novell_forwarding_key =
|
||||
id::find_val("PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY")->AsCount();
|
||||
llc_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY")->AsCount();
|
||||
}
|
||||
|
||||
bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
|
@ -62,25 +59,21 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
|
|||
return false;
|
||||
}
|
||||
|
||||
// Let specialized analyzers take over for non Ethernet II frames.
|
||||
// Note that pdata remains at the start of the ethernet frame.
|
||||
len -= 14;
|
||||
data += 14;
|
||||
|
||||
AnalyzerPtr eth_analyzer = nullptr;
|
||||
|
||||
if ( data[14] == 0xAA && data[15] == 0xAA )
|
||||
// Let specialized analyzers take over for non Ethernet II frames. We use magic numbers here
|
||||
// to denote the protocols for the forwarding. We know these numbers should be valid because
|
||||
// any others used should be >= 1536, as above.
|
||||
if ( data[0] == 0xAA && data[1] == 0xAA )
|
||||
// IEEE 802.2 SNAP
|
||||
eth_analyzer = SNAPAnalyzer;
|
||||
else if ( data[14] == 0xFF && data[15] == 0xFF )
|
||||
return ForwardPacket(len, data, packet, snap_forwarding_key);
|
||||
else if ( data[0] == 0xFF && data[1] == 0xFF )
|
||||
// Novell raw IEEE 802.3
|
||||
eth_analyzer = NovellRawAnalyzer;
|
||||
return ForwardPacket(len, data, packet, novell_forwarding_key);
|
||||
else
|
||||
// IEEE 802.2 LLC
|
||||
eth_analyzer = LLCAnalyzer;
|
||||
|
||||
if ( eth_analyzer )
|
||||
return eth_analyzer->AnalyzePacket(len, data, packet);
|
||||
|
||||
return true;
|
||||
return ForwardPacket(len, data, packet, llc_forwarding_key);
|
||||
}
|
||||
|
||||
// Undefined (1500 < EtherType < 1536)
|
||||
|
|
|
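Review bot: In the constructor hunk, `snap_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY")->AsCount();` and the two lookups after it dereference the result of `id::find_val` unchecked, so a missing or renamed script-level constant (base ethernet script not loaded, ID typo) becomes a null dereference during analyzer construction instead of an error naming the absent ID. The lookups also moved from `Initialize()` into the constructor; this page does not show when the packet manager instantiates the analyzer relative to script parsing, so it is worth confirming the IDs are resolved by then. I would route all three through a small checked helper that fails with a clear message via the file's existing fatal-error path (the include block for this file is outside the hunk, so it may need the reporter header). Separately, the AnalyzePacket hunk now advances `data`/`len` by 14 before `ForwardPacket`, so child analyzers registered on these keys receive the LLC header rather than the frame start; the deleted LLCDemo indexed `data[14]`, which shows this is an observable change for out-of-tree packet analyzers and deserves a NEWS line, and the function's length guard sits above the hunk, so I could not verify it still admits only frames with at least 16 bytes.
```cpp
// Resolve a script-level forwarding key; an absent ID is a load-order or
// packaging bug, so fail loudly instead of dereferencing a null ValPtr.
static zeek_uint_t lookup_forwarding_key(const char* name)
	{
	const auto& v = id::find_val(name);
	if ( ! v )
		reporter->FatalError("%s is not defined (base/packet-protocols/ethernet not loaded?)", name);
	return v->AsCount();
	}

EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet")
	{
	snap_forwarding_key = lookup_forwarding_key("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY");
	novell_forwarding_key = lookup_forwarding_key("PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY");
	llc_forwarding_key = lookup_forwarding_key("PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY");
	}
// … unchanged: AnalyzePacket …
```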
@ -14,7 +14,6 @@ public:
|
|||
EthernetAnalyzer();
|
||||
~EthernetAnalyzer() override = default;
|
||||
|
||||
void Initialize() override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
|
@ -23,9 +22,9 @@ public:
|
|||
}
|
||||
|
||||
private:
|
||||
AnalyzerPtr SNAPAnalyzer = nullptr;
|
||||
AnalyzerPtr NovellRawAnalyzer = nullptr;
|
||||
AnalyzerPtr LLCAnalyzer = nullptr;
|
||||
zeek_uint_t snap_forwarding_key = 0;
|
||||
zeek_uint_t novell_forwarding_key = 0;
|
||||
zeek_uint_t llc_forwarding_key = 0;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -635,8 +635,11 @@
|
|||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
|
||||
|
@ -2247,8 +2250,11 @@
|
|||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN))
|
||||
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP))
|
||||
|
@ -3858,8 +3864,11 @@
|
|||
0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)
|
||||
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0)
|
||||
[Packet Analyzer] LLC_Demo (ANALYZER_LLC_DEMO, enabled)
|
||||
PacketDemo::Bar - Demo packet analyzers (RawLayer). (dynamic, version 1.0.0)
|
||||
[Packet Analyzer] Raw_Layer (ANALYZER_RAW_LAYER, enabled)
|
||||
[Event] raw_layer_message
|
||||
[Event] llc_demo_message
|
||||
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
|
||||
llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
|
||||
llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
|
||||
llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
|
|
@ -1 +1,5 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00
|
||||
c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00
|
||||
c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01
|
||||
c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01
|
||||
|
|
|
@ -14,6 +14,5 @@ include(ZeekPlugin)
|
|||
zeek_plugin_begin(PacketDemo Bar)
|
||||
zeek_plugin_cc(src/Plugin.cc)
|
||||
zeek_plugin_cc(src/RawLayer.cc)
|
||||
zeek_plugin_cc(src/LLCDemo.cc)
|
||||
zeek_plugin_bif(src/events.bif)
|
||||
zeek_plugin_end()
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
@load PacketDemo/RawLayer/base/main
|
||||
@load PacketDemo/LLCDemo/base/main
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
#include "LLCDemo.h"
|
||||
|
||||
#include "zeek/Event.h"
|
||||
#include "zeek/Val.h"
|
||||
#include "zeek/session/Manager.h"
|
||||
|
||||
#include "events.bif.h"
|
||||
|
||||
using namespace zeek::packet_analysis::PacketDemo;
|
||||
|
||||
LLCDemo::LLCDemo() : zeek::packet_analysis::Analyzer("LLC_Demo") { }
|
||||
|
||||
bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
// Rudimentary parsing of 802.2 LLC
|
||||
if ( 17 >= len )
|
||||
{
|
||||
session_mgr->Weird("truncated_llc_header", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
auto dsap = data[14];
|
||||
auto ssap = data[15];
|
||||
auto control = data[16];
|
||||
|
||||
event_mgr.Enqueue(llc_demo_message, val_mgr->Count(dsap), val_mgr->Count(ssap),
|
||||
val_mgr->Count(control));
|
||||
|
||||
return true;
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
#pragma once
|
||||
|
||||
#include "zeek/packet_analysis/Analyzer.h"
|
||||
#include "zeek/packet_analysis/Component.h"
|
||||
|
||||
namespace zeek::packet_analysis::PacketDemo
|
||||
{
|
||||
|
||||
class LLCDemo : public Analyzer
|
||||
{
|
||||
public:
|
||||
LLCDemo();
|
||||
~LLCDemo() override = default;
|
||||
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static AnalyzerPtr Instantiate() { return std::make_shared<LLCDemo>(); }
|
||||
};
|
||||
|
||||
}
|
|
@ -1,6 +1,5 @@
|
|||
#include "Plugin.h"
|
||||
|
||||
#include "LLCDemo.h"
|
||||
#include "RawLayer.h"
|
||||
#include "packet_analysis/Component.h"
|
||||
|
||||
|
@ -14,12 +13,10 @@ public:
|
|||
{
|
||||
AddComponent(new zeek::packet_analysis::Component(
|
||||
"Raw_Layer", zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
|
||||
AddComponent(new zeek::packet_analysis::Component(
|
||||
"LLC_Demo", zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
|
||||
|
||||
zeek::plugin::Configuration config;
|
||||
config.name = "PacketDemo::Bar";
|
||||
config.description = "Demo packet analyzers (RawLayer, LLC).";
|
||||
config.description = "Demo packet analyzers (RawLayer).";
|
||||
config.version.major = 1;
|
||||
config.version.minor = 0;
|
||||
config.version.patch = 0;
|
||||
|
|
|
@ -1,3 +1,2 @@
|
|||
|
||||
event raw_layer_message%(message: string, protocol: count%);
|
||||
event llc_demo_message%(dsap: count, ssap: count, control: count%);
|
||||
|
|
|
@ -16,9 +16,6 @@
|
|||
# @TEST-EXEC: test ! -e unknown_protocols.log
|
||||
# @TEST-EXEC: btest-diff output_raw
|
||||
# @TEST-EXEC: rm -f *.log
|
||||
#
|
||||
# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc
|
||||
# @TEST-EXEC: btest-diff output_llc
|
||||
|
||||
@load policy/misc/unknown-protocols
|
||||
|
||||
|
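Review bot: Removing the `ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc` run and its `btest-diff output_llc` leaves this test with no frame driven through the Ethernet analyzer's new LLC forwarding key, and nothing on this page shows another test picking that path up; unless one exists elsewhere, keeping a run over raw_packets.trace that checks the built-in LLC analyzer is reached (a script-level event or the absence of an unknown_protocols entry) would keep the key-based forwarding covered. The `test ! -e unknown_protocols.log` check earlier in the file runs before the deleted invocation, so it does not cover that trace. The output_raw baseline in this commit also grows from a header-only file to four rows, and if that baseline belongs to this test the change here does not explain why; a one-line comment in the test (or the commit message) would help the next reader.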
|