Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add Geneve packet analyzer, disable old analyzer

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-08-26 12:15:00 -07:00
parent 7e40094f2c
commit cbb0bcd49c
19 changed files with 218 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/packet-protocols/__load__.zeek
View file

@ -22,3 +22,4 @@
@load base/packet-protocols/gre
@load base/packet-protocols/iptunnel
@load base/packet-protocols/ayiya
@load base/packet-protocols/geneve

1
scripts/base/packet-protocols/geneve/__load__.zeek Normal file
View file

@ -0,0 +1 @@
@load ./main

22
scripts/base/packet-protocols/geneve/main.zeek Normal file
View file

@ -0,0 +1,22 @@
module PacketAnalyzer::Geneve;
export {
## The set of UDP ports used for Geneve traffic. Traffic using this
## UDP destination port will attempt to be decapsulated. Note that if
## if you customize this, you may still want to manually ensure that
## :zeek:see:`likely_server_ports` also gets populated accordingly.
const geneve_ports: set[port] = { 6081/udp } &redef;
}
redef likely_server_ports += { geneve_ports };
event zeek_init() &priority=20
{
PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, geneve_ports);
# This is defined by IANA as being "Trans Ether Bridging" but the Geneve RFC
# says to use it for Ethernet. See
# https://datatracker.ietf.org/doc/html/draft-gross-geneve-00#section-3.4
# for details.
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x6558, PacketAnalyzer::ANALYZER_ETHERNET);
}