Extend packet analysis test.

testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc

@@ -1,17 +1,16 @@
-#include "Bar.h"
+#include "LLCDemo.h"
 #include "Event.h"
 #include "Val.h"
 #include "events.bif.h"
 
 using namespace zeek::packet_analysis::PacketDemo;
 
-Bar::Bar()
-	: zeek::packet_analysis::Analyzer("Bar")
+LLCDemo::LLCDemo()
+	: zeek::packet_analysis::Analyzer("LLCDemo")
 	{
 	}
 
-bool Bar::AnalyzePacket(size_t len,
-		const uint8_t* data, Packet* packet)
+bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
 	// Rudimentary parsing of 802.2 LLC
 	if ( 17 >= len )
@@ -24,7 +23,7 @@ bool Bar::AnalyzePacket(size_t len,
 	auto ssap = data[15];
 	auto control = data[16];
 
-	mgr.Enqueue(bar_message,
+	event_mgr.Enqueue(llc_demo_message,
 		val_mgr->Count(dsap),
 		val_mgr->Count(ssap),
 		val_mgr->Count(control));

testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h

@@ -5,16 +5,16 @@
 
 namespace zeek::packet_analysis::PacketDemo {
 
-class Bar : public Analyzer {
+class LLCDemo : public Analyzer {
 public:
-	Bar();
-	~Bar() override = default;
+	LLCDemo();
+	~LLCDemo() override = default;
 
 	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 
 	static AnalyzerPtr Instantiate()
 		{
-		return std::make_shared<Bar>();
+		return std::make_shared<LLCDemo>();
 		}
 };
 

testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc

@@ -1,7 +1,8 @@
 #include "Plugin.h"
 #include "packet_analysis/Component.h"
 
-#include "Bar.h"
+#include "RawLayer.h"
+#include "LLCDemo.h"
 
 namespace zeek::plugin::PacketDemo_Bar {
 
@@ -9,12 +10,14 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure()
 		{
-		AddComponent(new zeek::packet_analysis::Component("Bar",
-		                 zeek::packet_analysis::PacketDemo::Bar::Instantiate));
+		AddComponent(new zeek::packet_analysis::Component("RawLayer",
+		                 zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
+		AddComponent(new zeek::packet_analysis::Component("LLCDemo",
+		                 zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
 
 		zeek::plugin::Configuration config;
 		config.name = "PacketDemo::Bar";
-		config.description = "A Bar packet analyzer.";
+		config.description = "Demo packet analyzers (RawLayer, LLC).";
 		config.version.major = 1;
 		config.version.minor = 0;
 		config.version.patch = 0;

testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc

@@ -0,0 +1,29 @@
+#include "RawLayer.h"
+#include "Event.h"
+#include "Val.h"
+#include "events.bif.h"
+
+using namespace zeek::packet_analysis::PacketDemo;
+
+RawLayer::RawLayer()
+	: zeek::packet_analysis::Analyzer("RawLayer")
+	{
+	}
+
+bool RawLayer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	constexpr auto layer_size = 21;
+	if ( layer_size >= len )
+		{
+		packet->Weird("truncated_raw_layer");
+		return false;
+		}
+
+	uint16_t protocol = ntohs(*((const uint16_t*)(data + layer_size -2)));
+
+	event_mgr.Enqueue(raw_layer_message,
+		make_intrusive<StringVal>(layer_size, reinterpret_cast<const char*>(data)),
+		val_mgr->Count(protocol));
+
+	return ForwardPacket(len - layer_size, data + layer_size, packet, protocol);
+	}

testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h

@@ -0,0 +1,21 @@
+#pragma once
+
+#include <packet_analysis/Analyzer.h>
+#include <packet_analysis/Component.h>
+
+namespace zeek::packet_analysis::PacketDemo {
+
+class RawLayer : public Analyzer {
+public:
+	RawLayer();
+	~RawLayer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<RawLayer>();
+		}
+};
+
+}

testing/btest/plugins/packet-protocol-plugin/src/events.bif

@@ -1,2 +1,3 @@
 
-event bar_message%(dsap: count, ssap: count, control: count%);
+event raw_layer_message%(message: string, protocol: count%);
+event llc_demo_message%(dsap: count, ssap: count, control: count%);