GH-1215: Remove dispatch_map from packet analysis, replace with BIF methods for registering dispatches

scripts/base/init-bare.zeek

@@ -996,8 +996,8 @@ const UDP_ACTIVE = 1;	##< Endpoint has sent something.
 const ignore_checksums = F &redef;
 
 ## Checksums are ignored for all packets with a src address within this set of
-## networks. Useful for cases where a host might be seeing packets collected 
+## networks. Useful for cases where a host might be seeing packets collected
-## from local hosts before checksums were applied by hardware. This frequently 
+## from local hosts before checksums were applied by hardware. This frequently
 ## manifests when sniffing a local management interface on a host and Zeek sees
 ## packets before the hardware has had a chance to apply the checksums.
 option ignore_checksums_nets: set[subnet] = set();
@@ -1914,6 +1914,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
 @load base/bif/option.bif
 @load base/frameworks/supervisor/api
 @load base/bif/supervisor.bif
+@load base/bif/packet_analysis.bif
 
 ## Internal function.
 function add_interface(iold: string, inew: string): string
@@ -5377,18 +5378,4 @@ event net_done(t: time)
 @if ( __init_primary_bifs() )
 @endif
 
-module PacketAnalyzer;
-
-export {
-	type DispatchEntry : record {
-		## The analyzer to dispatch.
-		analyzer : PacketAnalyzer::Tag;
-	};
-
-	## A packet analyzer may extract a numeric identifier, which can be found in the
-	## packet data and denotes the encapsulated protocol. A DispatchMap allows to map
-	## the identifier to a child analyzer, which is defined using a DispatchEntry.
-	type DispatchMap : table[count] of DispatchEntry;
-}
-
 @load base/packet-protocols

scripts/base/packet-protocols/ethernet/main.zeek

@@ -5,24 +5,22 @@ export {
 	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
 
 	## IEEE 802.2 SNAP analyzer
-	const snap_analyzer: PacketAnalyzer::Tag &redef;
+	global snap_analyzer: PacketAnalyzer::Tag &redef;
 	## Novell raw IEEE 802.3 analyzer
-	const novell_raw_analyzer: PacketAnalyzer::Tag &redef;
+	global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
 	## IEEE 802.2 LLC analyzer
-	const llc_analyzer: PacketAnalyzer::Tag &redef;
+	global llc_analyzer: PacketAnalyzer::Tag &redef;
-
-	## Identifier mappings based on EtherType
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
 }
 
-redef dispatch_map += {
+event zeek_init() &priority=20
-	[0x8847] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS),
+	{
-	[0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
-	[0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
-	[0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x86DD, PacketAnalyzer::ANALYZER_IP);
-	[0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0806, PacketAnalyzer::ANALYZER_ARP);
-	[0x8100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8035, PacketAnalyzer::ANALYZER_ARP);
-	[0x88A8] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
-	[0x9100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88A8, PacketAnalyzer::ANALYZER_VLAN);
-	[0x8864] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPOE)
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
-};
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
+	}

scripts/base/packet-protocols/ieee802_11/main.zeek

@@ -1,13 +1,9 @@
 module PacketAnalyzer::IEEE802_11;
 
-export {
+event zeek_init() &priority=20
-	## Identifier mappings based on EtherType
+	{
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0800, PacketAnalyzer::ANALYZER_IP);
-}
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x86DD, PacketAnalyzer::ANALYZER_IP);
-
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0806, PacketAnalyzer::ANALYZER_ARP);
-redef dispatch_map += {
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x8035, PacketAnalyzer::ANALYZER_ARP);
-	[0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	}
-	[0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
-	[0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP),
-	[0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP)
-};

scripts/base/packet-protocols/ieee802_11_radio/main.zeek

@@ -1,12 +1,8 @@
 module PacketAnalyzer::IEEE802_11_RADIO;
 
-export {
-	## Identifier mappings
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
-}
-
 const DLT_IEEE802_11 : count = 105;
 
-redef dispatch_map += {
+event zeek_init() &priority=20
-	[DLT_IEEE802_11] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11)
+	{
-};
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, DLT_IEEE802_11, PacketAnalyzer::ANALYZER_IEEE802_11);
+	}

scripts/base/packet-protocols/ip/main.zeek

@@ -1,12 +1,8 @@
 module PacketAnalyzer::IP;
 
-export {
+event zeek_init() &priority=20
-	## Identifier mappings based on IP version (4 or 6)
+	{
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 4, PacketAnalyzer::ANALYZER_IPTUNNEL);
-}
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 41, PacketAnalyzer::ANALYZER_IPTUNNEL);
-
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE);
-redef dispatch_map += {
+	}
-	[4] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPTUNNEL),    # IPv4 tunnel
-	[41] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPTUNNEL),   # IPv6 tunnel
-	[47] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_GRE)
-};

scripts/base/packet-protocols/linux_sll/main.zeek

@@ -1,14 +1,11 @@
 module PacketAnalyzer::LINUXSLL;
 
-export {
+event zeek_init() &priority=20
-	## Identifier mappings based on EtherType
+	{
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 0x0800, PacketAnalyzer::ANALYZER_IP);
-}
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 0x0806, PacketAnalyzer::ANALYZER_ARP);
 
-redef dispatch_map += {
-	[0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
-	[0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
-	[0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP),
 	# RARP
-	[0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP)
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 0x8035, PacketAnalyzer::ANALYZER_ARP);
-};
+	}

scripts/base/packet-protocols/nflog/main.zeek

@@ -1,14 +1,10 @@
 module PacketAnalyzer::NFLOG;
 
-export {
-	## Identifier mappings
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
-}
-
 const AF_INET : count = 2;
 const AF_INET6 : count = 10;
 
-redef dispatch_map += {
+event zeek_init() &priority=20
-	[AF_INET] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	{
-	[AF_INET6] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP)
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, AF_INET, PacketAnalyzer::ANALYZER_IP);
-};
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, AF_INET6, PacketAnalyzer::ANALYZER_IP);
+	}

scripts/base/packet-protocols/null/main.zeek

@@ -1,24 +1,18 @@
 module PacketAnalyzer::NULL;
 
-export {
-	## Identifier mappings
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
-}
-
 const DLT_NULL : count = 0;
 
-redef PacketAnalyzer::ROOT::dispatch_map += {
+event zeek_init() &priority=20
-	[DLT_NULL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_NULL)
+	{
-};
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_NULL, PacketAnalyzer::ANALYZER_NULL);
 
-## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different
+	# From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different
-## values in {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and
+	# values in {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and
-## {Darwin/macOS}, so an IPv6 packet might have a link-layer header with 24, 28,
+	# {Darwin/macOS}, so an IPv6 packet might have a link-layer header with 24, 28,
-## or 30 as the ``AF_`` value. As we may be reading traces captured on platforms
+	# or 30 as the ``AF_`` value. As we may be reading traces captured on platforms
-## other than what we're running on, we accept them all here.
+	# other than what we're running on, we accept them all here.
-redef dispatch_map += {
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP);
-	 [2] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP);
-	[24] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP);
-	[28] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP);
-	[30] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP)
+	}
-};

scripts/base/packet-protocols/ppp_serial/main.zeek

@@ -1,18 +1,12 @@
 module PacketAnalyzer::PPP_SERIAL;
 
-export {
-	## Identifier mappings
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
-}
-
 const DLT_PPP_SERIAL : count = 50;
 
-redef PacketAnalyzer::ROOT::dispatch_map += {
+event zeek_init() &priority=20
-	[DLT_PPP_SERIAL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL)
+	{
-};
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_PPP_SERIAL, PacketAnalyzer::ANALYZER_PPPSERIAL);
 
-redef dispatch_map += {
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 0x0281, PacketAnalyzer::ANALYZER_MPLS);
-	[0x0281] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 0x0021, PacketAnalyzer::ANALYZER_IP);
-	[0x0021] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 0x0057, PacketAnalyzer::ANALYZER_IP);
-	[0x0057] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP)
+	}
-};

scripts/base/packet-protocols/pppoe/main.zeek

@@ -1,11 +1,7 @@
 module PacketAnalyzer::PPPOE;
 
-export {
+event zeek_init() &priority=20
-	## Identifier mappings
+	{
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 0x0021, PacketAnalyzer::ANALYZER_IP);
-}
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 0x0057, PacketAnalyzer::ANALYZER_IP);
-
+	}
-redef dispatch_map += {
-	[0x0021] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
-	[0x0057] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP)
-};

scripts/base/packet-protocols/root/main.zeek

@@ -3,9 +3,6 @@ module PacketAnalyzer::ROOT;
 export {
 	## Default analyzer (if we don't know the link type, we assume raw IP)
 	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
-
-	## Identifier mappings based on link type
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
 }
 
 const DLT_EN10MB : count = 1;
@@ -15,12 +12,12 @@ const DLT_IEEE802_11_RADIO : count = 127;
 const DLT_LINUX_SLL : count = 113;
 const DLT_NFLOG : count = 239;
 
-redef dispatch_map += {
+event zeek_init() &priority=20
-	[DLT_EN10MB] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ETHERNET),
+	{
-	[DLT_FDDI] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_FDDI),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_EN10MB, PacketAnalyzer::ANALYZER_ETHERNET);
-	[DLT_IEEE802_11] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_FDDI, PacketAnalyzer::ANALYZER_FDDI);
-	[DLT_IEEE802_11_RADIO] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11, PacketAnalyzer::ANALYZER_IEEE802_11);
-	[DLT_LINUX_SLL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_LINUXSLL),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_IEEE802_11_RADIO, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO);
-	[DLT_NFLOG] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_NFLOG)
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_LINUX_SLL, PacketAnalyzer::ANALYZER_LINUXSLL);
-
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_NFLOG, PacketAnalyzer::ANALYZER_NFLOG);
-};
+	}

scripts/base/packet-protocols/vlan/main.zeek

@@ -1,16 +1,12 @@
 module PacketAnalyzer::VLAN;
 
-export {
+event zeek_init() &priority=20
-	## Identifier mappings based on EtherType
+	{
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
-}
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x0800, PacketAnalyzer::ANALYZER_IP);
-
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x86DD, PacketAnalyzer::ANALYZER_IP);
-redef dispatch_map += {
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x0806, PacketAnalyzer::ANALYZER_ARP);
-   [0x8847] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8035, PacketAnalyzer::ANALYZER_ARP);
-   [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
-   [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
-   [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP),
+	}
-   [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP),
-   [0x8100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN),
-   [0x8864] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPOE)
-};

src/CMakeLists.txt

@@ -112,6 +112,10 @@ set(BIF_SRCS
     # subdirectory BIFs are treated differently and don't support being called
     # *during* parsing (e.g. within an @if directive).
     supervisor/supervisor.bif
+    # The packet analysis BIF is treated like other top-level BIFs because
+    # it's needed before parsing the packet protocol scripts, which happen
+    # very near to the start of parsing.
+    packet_analysis/packet_analysis.bif
 )
 
 foreach (bift ${BIF_SRCS})

src/Func.cc

@@ -61,6 +61,7 @@
 #include "strings.bif.func_h"
 #include "option.bif.func_h"
 #include "supervisor.bif.func_h"
+#include "packet_analysis.bif.func_h"
 
 #include "zeek.bif.func_def"
 #include "stats.bif.func_def"
@@ -68,6 +69,7 @@
 #include "strings.bif.func_def"
 #include "option.bif.func_def"
 #include "supervisor.bif.func_def"
+#include "packet_analysis.bif.func_def"
 
 extern	RETSIGTYPE sig_handler(int signo);
 
@@ -929,6 +931,7 @@ void init_primary_bifs()
 #include "strings.bif.func_init"
 #include "option.bif.func_init"
 #include "supervisor.bif.func_init"
+#include "packet_analysis.bif.func_init"
 
 	init_builtin_types();
 	did_builtin_init = true;

src/NetVar.cc

@@ -207,6 +207,7 @@ static void bif_init_net_var()
 #include "const.bif.netvar_init"
 #include "reporter.bif.netvar_init"
 #include "supervisor.bif.netvar_init"
+#include "packet_analysis.bif.netvar_init"
 	}
 
 static void init_bif_types()
@@ -219,6 +220,7 @@ static void init_bif_types()
 #include "event.bif.netvar_def"
 #include "reporter.bif.netvar_def"
 #include "supervisor.bif.netvar_def"
+#include "packet_analysis.bif.netvar_def"
 
 // Re-open the namespace now that the bif headers are all included.
 namespace zeek::detail {

src/NetVar.h

@@ -345,3 +345,4 @@ extern zeek::StringVal* global_hash_seed;
 #include "event.bif.netvar_h"
 #include "reporter.bif.netvar_h"
 #include "supervisor.bif.netvar_h"
+#include "packet_analysis.bif.netvar_h"

src/Reporter.cc

@@ -49,7 +49,6 @@ Reporter::Reporter(bool arg_abort_on_scripting_errors)
 	info_to_stderr = true;
 	warnings_to_stderr = true;
 	errors_to_stderr = true;
-	after_zeek_init = false;
 
 	weird_count = 0;
 	weird_sampling_rate = 0;
@@ -662,4 +661,10 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		free(alloced);
 	}
 
+bool Reporter::EmitToStderr(bool flag)
+	{
+	return flag || ! run_state::detail::zeek_init_done;
+	}
+
+
 } // namespace zeek

src/Reporter.h

@@ -269,13 +269,6 @@ public:
 		this->weird_sampling_duration = weird_sampling_duration;
 		}
 
-	/**
-	 * Called after zeek_init() and toggles whether messages may stop being
-	 * emitted to stderr.
-	 */
-	void ZeekInitDone()
-		{ after_zeek_init = true; }
-
 private:
 	void DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		   Connection* conn, ValPList* addl, bool location, bool time,
@@ -296,8 +289,7 @@ private:
 	enum class PermitWeird { Allow, Deny, Unknown };
 	PermitWeird CheckGlobalWeirdLists(const char* name);
 
-	bool EmitToStderr(bool flag)
+	bool EmitToStderr(bool flag);
-		{ return flag || ! after_zeek_init; }
 
 	int errors;
 	bool via_events;
@@ -305,7 +297,6 @@ private:
 	bool info_to_stderr;
 	bool warnings_to_stderr;
 	bool errors_to_stderr;
-	bool after_zeek_init;
 	bool abort_on_scripting_errors = false;
 
 	std::list<std::pair<const detail::Location*, const detail::Location*> > locations;

src/RunState.cc

@@ -56,6 +56,7 @@ double first_wallclock = 0.0;
 double first_timestamp = 0.0;
 double current_wallclock = 0.0;
 double current_pseudo = 0.0;
+bool zeek_init_done = false;
 
 RETSIGTYPE watchdog(int /* signo */)
 	{

src/RunState.h

@@ -54,6 +54,8 @@ extern double first_timestamp;
 extern double current_wallclock;
 extern double current_pseudo;
 
+extern bool zeek_init_done;
+
 } // namespace detail
 
 // Functions to temporarily suspend processing of live input (network packets

src/broker/Manager.cc

@@ -129,7 +129,6 @@ Manager::Manager(bool arg_use_real_time)
 	{
 	bound_port = 0;
 	use_real_time = arg_use_real_time;
-	after_zeek_init = false;
 	peer_count = 0;
 	log_batch_size = 0;
 	log_topic_func = nullptr;
@@ -828,14 +827,14 @@ RecordVal* Manager::MakeEvent(ValPList* args, zeek::detail::Frame* frame)
 bool Manager::Subscribe(const string& topic_prefix)
 	{
 	DBG_LOG(DBG_BROKER, "Subscribing to topic prefix %s", topic_prefix.c_str());
-	bstate->subscriber.add_topic(topic_prefix, ! after_zeek_init);
+	bstate->subscriber.add_topic(topic_prefix, ! run_state::detail::zeek_init_done);
 
 	// For backward compatibility, we also may receive messages on
 	// "bro/" topic prefixes in addition to "zeek/".
 	if ( strncmp(topic_prefix.data(), "zeek/", 5) == 0 )
 		{
 		std::string alt_topic = "bro/" + topic_prefix.substr(5);
-		bstate->subscriber.add_topic(std::move(alt_topic), ! after_zeek_init);
+		bstate->subscriber.add_topic(std::move(alt_topic), ! run_state::detail::zeek_init_done);
 		}
 
 	return true;
@@ -864,7 +863,7 @@ bool Manager::Unsubscribe(const string& topic_prefix)
 			}
 
 	DBG_LOG(DBG_BROKER, "Unsubscribing from topic prefix %s", topic_prefix.c_str());
-	bstate->subscriber.remove_topic(topic_prefix, ! after_zeek_init);
+	bstate->subscriber.remove_topic(topic_prefix, ! run_state::detail::zeek_init_done);
 	return true;
 	}
 

src/broker/Manager.h

@@ -88,9 +88,6 @@ public:
 	 */
 	void InitPostScript();
 
-	void ZeekInitDone()
-		{ after_zeek_init = true; }
-
 	/**
 	 * Shuts Broker down at termination.
 	 */
@@ -424,7 +421,6 @@ private:
 
 	uint16_t bound_port;
 	bool use_real_time;
-	bool after_zeek_init;
 	int peer_count;
 
 	size_t log_batch_size;

src/packet_analysis/Analyzer.cc

@@ -1,9 +1,10 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "Analyzer.h"
+#include "zeek/packet_analysis/Analyzer.h"
 
-#include "Dict.h"
+#include "zeek/Dict.h"
-#include "DebugLogger.h"
+#include "zeek/DebugLogger.h"
+#include "zeek/RunState.h"
 
 namespace zeek::packet_analysis {
 
@@ -30,31 +31,6 @@ void Analyzer::Init(const Tag& _tag)
 void Analyzer::Initialize()
 	{
 	default_analyzer = LoadAnalyzer("default_analyzer");
-
-	// Create dispatcher based on configuration
-	auto& mapping_id = zeek::id::find(GetModuleName() + "dispatch_map");
-	if ( ! mapping_id )
-		return;
-
-	auto mapping_val = mapping_id->GetVal()->AsTableVal();
-	auto mapping_tbl = mapping_val->AsTable();
-	auto c = mapping_tbl->InitForIteration();
-
-	zeek::detail::HashKey* k = nullptr;
-	TableEntryVal* v;
-	while ( (v = mapping_tbl->NextEntry(k, c)) )
-		{
-		auto key = mapping_val->RecreateIndex(*k);
-		delete k;
-
-		auto identifier = key->Idx(0)->AsCount();
-		auto config_entry_val = v->GetVal()->AsRecordVal();
-
-		auto mapped_tag = config_entry_val->GetField("analyzer")->AsEnumVal();
-		auto mapped_analyzer = packet_mgr->GetAnalyzer(mapped_tag);
-
-		dispatcher.Register(identifier, std::move(mapped_analyzer));
-		}
 	}
 
 zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string &name)
@@ -132,4 +108,12 @@ void Analyzer::DumpDebug() const
 #endif
 	}
 
+void Analyzer::RegisterProtocol(uint32_t identifier, AnalyzerPtr child)
+	{
+	if ( run_state::detail::zeek_init_done )
+		reporter->FatalError("Packet protocols cannot be registered after zeek_init has finished.");
+
+	dispatcher.Register(identifier, std::move(child));
+	}
+
 }

src/packet_analysis/Analyzer.h

@@ -85,6 +85,15 @@ public:
 	 */
 	void DumpDebug() const;
 
+	/**
+	 * Adds a protocol to this analyzer's dispatcher.
+	 *
+	 * @param idenfitier The identifier for the protocol being added.
+	 * @param child The analyzer that will be called for the new protocol during
+	 * forwarding.
+	 */
+	void RegisterProtocol(uint32_t identifier, AnalyzerPtr child);
+
 protected:
 	friend class Manager;
 

src/packet_analysis/CMakeLists.txt

@@ -14,7 +14,7 @@ set(packet_analysis_SRCS
     Manager.cc
     Component.cc
     Tag.cc
-)
+    )
 
 bro_add_subdir_library(packet_analysis ${packet_analysis_SRCS})
 add_dependencies(bro_packet_analysis generate_outputs)

src/packet_analysis/packet_analysis.bif

@@ -0,0 +1,49 @@
+module PacketAnalyzer;
+
+%%{
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Manager.h"
+
+%%}
+
+## Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer.
+##
+## parent: The parent analyzer being modified
+## identifier: The identifier for the protocol being registered
+## child: The analyzer that will be called for the identifier
+##
+function register_packet_analyzer%(parent: PacketAnalyzer::Tag, identifier: count, child: PacketAnalyzer::Tag%): bool
+	%{
+	packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->AsEnumVal());
+	if ( ! parent_analyzer )
+		return zeek::val_mgr->False();
+
+	packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->AsEnumVal());
+	if ( ! child_analyzer )
+		return zeek::val_mgr->False();
+
+	parent_analyzer->RegisterProtocol(identifier, child_analyzer);
+	return zeek::val_mgr->True();
+	%}
+
+## Attempts to add an entry to `parent`'s dispatcher that maps a protocol/index to a next-stage `child` analyzer.
+## This may fail if either of the two names does not respond to a known analyzer.
+##
+## parent: The parent analyzer being modified
+## identifier: The identifier for the protocol being registered
+## child: The analyzer that will be called for the identifier
+##
+function try_register_packet_analyzer_by_name%(parent: string, identifier: count, child: string%):  bool
+	%{
+	packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->ToStdString());
+	if ( ! parent_analyzer )
+		return zeek::val_mgr->False();
+
+	packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->ToStdString());
+	if ( ! child_analyzer )
+		return zeek::val_mgr->False();
+
+	parent_analyzer->RegisterProtocol(identifier, child_analyzer);
+	return zeek::val_mgr->True();
+	%}

src/zeek-setup.cc

@@ -908,8 +908,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 	if ( reporter->Errors() > 0 && ! util::zeekenv("ZEEK_ALLOW_INIT_ERRORS") )
 		reporter->FatalError("errors occurred while initializing");
 
-	broker_mgr->ZeekInitDone();
+	run_state::detail::zeek_init_done = true;
-	reporter->ZeekInitDone();
 	analyzer_mgr->DumpDebug();
 	packet_mgr->DumpDebug();
 

testing/btest/Baseline/core.protocol-registration-error/.stderr

@@ -0,0 +1 @@
+fatal error: Packet protocols cannot be registered after zeek_init has finished.

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -1,9 +1,10 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2020-09-10-23-14-33
+#open XXXX-XX-XX-XX-XX-XX
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@@ -16,6 +17,7 @@ scripts/base/init-bare.zeek
   build/scripts/base/bif/option.bif.zeek
   scripts/base/frameworks/supervisor/api.zeek
   build/scripts/base/bif/supervisor.bif.zeek
+  build/scripts/base/bif/packet_analysis.bif.zeek
   build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek
   build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
   build/scripts/base/bif/event.bif.zeek
@@ -220,4 +222,4 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
 scripts/policy/misc/loaded-scripts.zeek
   scripts/base/utils/paths.zeek
-#close	2020-09-10-23-14-33
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -1,9 +1,10 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2020-09-23-19-37-26
+#open XXXX-XX-XX-XX-XX-XX
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@@ -16,6 +17,7 @@ scripts/base/init-bare.zeek
   build/scripts/base/bif/option.bif.zeek
   scripts/base/frameworks/supervisor/api.zeek
   build/scripts/base/bif/supervisor.bif.zeek
+  build/scripts/base/bif/packet_analysis.bif.zeek
   build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek
   build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
   build/scripts/base/bif/event.bif.zeek
@@ -416,4 +418,4 @@ scripts/base/init-default.zeek
   scripts/base/misc/find-filtered-trace.zeek
   scripts/base/misc/version.zeek
 scripts/policy/misc/loaded-scripts.zeek
-#close	2020-09-23-19-37-26
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/protocol-registration-error.zeek

@@ -0,0 +1,12 @@
+# @TEST-EXEC-FAIL: zeek -b %INPUT
+# @TEST-EXEC: btest-diff .stderr
+
+event try_register()
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 12345, PacketAnalyzer::ANALYZER_ETHERNET);
+	}
+
+event zeek_init()
+	{
+	schedule 1sec { try_register() };
+	}

testing/btest/core/skip_analyzer.zeek

@@ -7,8 +7,9 @@
 @load base/protocols/conn
 @load base/frameworks/tunnels
 
-redef PacketAnalyzer::ROOT::dispatch_map += {
-	[1] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_SKIP)
-};
-
 redef PacketAnalyzer::SKIP::skip_bytes: count = 38;
+
+event zeek_init()
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 1, PacketAnalyzer::ANALYZER_SKIP);
+	}

testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek

@@ -1,14 +1,7 @@
 module PacketAnalyzer::RAW_LAYER;
 
-export {
+event zeek_init()
-	## Identifier mapping
+	{
-	const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88B5, PacketAnalyzer::ANALYZER_RAW_LAYER);
-}
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_RAW_LAYER, 0x4950, PacketAnalyzer::ANALYZER_IP);
-
+	}
-redef PacketAnalyzer::ETHERNET::dispatch_map += {
-	[0x88B5] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_RAW_LAYER)
-};
-
-redef dispatch_map += {
-	[0x4950] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP)
-};