Remove magic identifiers from Ethernet analyzer.
parent
462b1fe3a2
commit
cbdaa53f85
5 changed files with 119 additions and 49 deletions
|
@ -2,6 +2,7 @@
|
|||
|
||||
#include "Ethernet.h"
|
||||
#include "NetVar.h"
|
||||
#include "Manager.h"
|
||||
|
||||
using namespace zeek::packet_analysis::Ethernet;
|
||||
|
||||
|
@ -10,6 +11,26 @@ EthernetAnalyzer::EthernetAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
void EthernetAnalyzer::Initialize()
|
||||
{
|
||||
SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer");
|
||||
NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer");
|
||||
LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer");
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::string &name)
|
||||
{
|
||||
auto& analyzer = zeek::id::find(name);
|
||||
if ( ! analyzer )
|
||||
return nullptr;
|
||||
|
||||
auto& analyzer_val = analyzer->GetVal();
|
||||
if ( ! analyzer_val )
|
||||
return nullptr;
|
||||
|
||||
return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
auto end_of_data = packet->GetEndOfData();
|
||||
|
@ -59,22 +80,25 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet,
|
|||
return AnalyzerResult::Failed;
|
||||
}
|
||||
|
||||
// In the following we use undefined EtherTypes to signal uncommon
|
||||
// frame types. This allows specialized analyzers to take over.
|
||||
// Let specialized analyzers take over for non Ethernet II frames.
|
||||
// Note that pdata remains at the start of the ethernet frame.
|
||||
//TODO: Lookup the analyzers on startup
|
||||
|
||||
// IEEE 802.2 SNAP
|
||||
AnalyzerPtr eth_analyzer = nullptr;
|
||||
|
||||
if ( data[14] == 0xAA && data[15] == 0xAA)
|
||||
return AnalyzeInnerPacket(packet, data, 1502);
|
||||
// IEEE 802.2 SNAP
|
||||
eth_analyzer = SNAPAnalyzer;
|
||||
else if ( data[14] == 0xFF && data[15] == 0xFF)
|
||||
// Novell raw IEEE 802.3
|
||||
eth_analyzer = NovellRawAnalyzer;
|
||||
else
|
||||
// IEEE 802.2 LLC
|
||||
eth_analyzer = LLCAnalyzer;
|
||||
|
||||
// Novell raw IEEE 802.3
|
||||
if ( data[14] == 0xFF && data[15] == 0xFF)
|
||||
return AnalyzeInnerPacket(packet, data, 1503);
|
||||
if ( eth_analyzer )
|
||||
return eth_analyzer->Analyze(packet, data);
|
||||
|
||||
|
||||
// IEEE 802.2 LLC
|
||||
return AnalyzeInnerPacket(packet, data, 1501);
|
||||
return AnalyzerResult::Terminate;
|
||||
}
|
||||
|
||||
// Undefined (1500 < EtherType < 1536)
|
||||
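Review bot: A failed lookup in `LoadAnalyzer` is silent: when `zeek::id::find(name)` finds no identifier or the identifier has no value, `Initialize()` stores `nullptr`, and `Analyze()` then returns `AnalyzerResult::Terminate` for every SNAP, Novell raw or LLC frame without raising a weird or a warning. On a monitoring sensor that is a visibility gap nobody is told about, so I would report it before the final return, e.g. `packet->Weird("ethernet_inner_analyzer_missing");` (the weird name is a constructed placeholder), or warn once in `Initialize()` when a lookup comes back null. `analyzer_val->AsEnumVal()` is also called without checking that the value is an enum; presumably the script-level declaration guarantees the type, but a check before the cast would make a mis-declared identifier fail cleanly. The `data[14]`/`data[15]` reads rely on a length check that is not visible in this hunk, and `Analyze()` begins and ends outside it.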
|
|
|
@ -12,12 +12,20 @@ public:
|
|||
EthernetAnalyzer();
|
||||
~EthernetAnalyzer() override = default;
|
||||
|
||||
void Initialize() override;
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
return std::make_shared<EthernetAnalyzer>();
|
||||
}
|
||||
|
||||
private:
|
||||
AnalyzerPtr SNAPAnalyzer = nullptr;
|
||||
AnalyzerPtr NovellRawAnalyzer = nullptr;
|
||||
AnalyzerPtr LLCAnalyzer = nullptr;
|
||||
|
||||
AnalyzerPtr LoadAnalyzer(const std::string& name);
|
||||
};
|
||||
|
||||
}
|
||||
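Review bot: The three cached `AnalyzerPtr` members and `LoadAnalyzer` are undocumented, and the fact that they can stay `nullptr` after `Initialize()` is only discoverable by reading the implementation file. I would add above the members `// Resolved once in Initialize(); nullptr when the script-level identifier is missing or has no value.` and a short doc comment on `LoadAnalyzer` stating that it returns `nullptr` on a failed lookup. The class declaration begins outside this hunk.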
|
|