Extend packet analysis test.

testing/btest/Baseline/plugins.packet-protocol/output

@@ -1,9 +0,0 @@
-PacketDemo::Bar - A Bar packet analyzer. (dynamic, version 1.0.0)
-    [Packet Analyzer] Bar (ANALYZER_BAR)
-    [Event] bar_message
-
-===
-bar_message (DSAP = 42, SSAP = 42, Control = 3)
-bar_message (DSAP = 42, SSAP = 42, Control = 3)
-bar_message (DSAP = 42, SSAP = 42, Control = 3)
-bar_message (DSAP = 42, SSAP = 42, Control = 3)

testing/btest/Baseline/plugins.packet-protocol/output_build

@@ -0,0 +1,6 @@
+PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0)
+    [Packet Analyzer] LLCDemo (ANALYZER_LLCDEMO)
+    [Packet Analyzer] RawLayer (ANALYZER_RAWLAYER)
+    [Event] raw_layer_message
+    [Event] llc_demo_message
+

testing/btest/Baseline/plugins.packet-protocol/output_llc

@@ -0,0 +1,4 @@
+llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
+llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
+llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
+llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)

testing/btest/Baseline/plugins.packet-protocol/output_orig

@@ -0,0 +1,20 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2020-09-02-18-56-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1599068759.619112	CHhAvVGS1DHFjwGM9	172.22.214.60	8	192.0.78.212	0	icmp	-	-	-	-	OTH	-	-	0	-	1	28	0	0	-
+#close	2020-09-02-18-56-02
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2020-09-02-18-56-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1599068759.647566	-	-	-	-	-	truncated_IP	-	F	zeek
+#close	2020-09-02-18-56-02

testing/btest/Baseline/plugins.packet-protocol/output_raw

@@ -0,0 +1,12 @@
+raw_layer_message (Message = 'I am encapsulating IP', Protocol = 4950)
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2020-09-03-17-54-45
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1599068759.647566	ClEkJM2Vm5giqnMf4h	172.22.214.60	8	192.0.78.150	0	icmp	-	-	-	-	OTH	-	-	0	-	1	28	0	0	-
+1599068759.619112	CHhAvVGS1DHFjwGM9	172.22.214.60	8	192.0.78.212	0	icmp	-	-	-	-	OTH	-	-	0	-	1	28	0	0	-
+#close	2020-09-03-17-54-45

testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt

@@ -1,5 +1,5 @@
 
-project(Zeek-Packet-Plugin-Demo-Bar)
+project(Zeek-Packet-Plugin-Demo)
 
 cmake_minimum_required(VERSION 2.6.3)
 
@@ -13,6 +13,7 @@ include(ZeekPlugin)
 
 zeek_plugin_begin(PacketDemo Bar)
 zeek_plugin_cc(src/Plugin.cc)
-zeek_plugin_cc(src/Bar.cc)
+zeek_plugin_cc(src/RawLayer.cc)
+zeek_plugin_cc(src/LLCDemo.cc)
 zeek_plugin_bif(src/events.bif)
 zeek_plugin_end()

testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek

@@ -1,3 +1,3 @@
-module Packet_BAR;
+module Packet_LLC_Demo;
 
-redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_BAR;
+redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_LLCDEMO;

testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek

@@ -0,0 +1,6 @@
+module Packet_Raw_Layer;
+
+redef PacketAnalyzer::config_map += {
+	PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88B5, $analyzer=PacketAnalyzer::ANALYZER_RAWLAYER),
+	PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_RAWLAYER, $identifier=0x4950, $analyzer=PacketAnalyzer::ANALYZER_IP)
+};

testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek

@@ -1 +1,2 @@
-@load PacketDemo/Bar/base/main
+@load PacketDemo/RawLayer/base/main
+@load PacketDemo/LLCDemo/base/main

testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc

@@ -1,17 +1,16 @@
-#include "Bar.h"
+#include "LLCDemo.h"
 #include "Event.h"
 #include "Val.h"
 #include "events.bif.h"
 
 using namespace zeek::packet_analysis::PacketDemo;
 
-Bar::Bar()
+LLCDemo::LLCDemo()
-	: zeek::packet_analysis::Analyzer("Bar")
+	: zeek::packet_analysis::Analyzer("LLCDemo")
 	{
 	}
 
-bool Bar::AnalyzePacket(size_t len,
+bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
-		const uint8_t* data, Packet* packet)
 	{
 	// Rudimentary parsing of 802.2 LLC
 	if ( 17 >= len )
@@ -24,7 +23,7 @@ bool Bar::AnalyzePacket(size_t len,
 	auto ssap = data[15];
 	auto control = data[16];
 
-	mgr.Enqueue(bar_message,
+	event_mgr.Enqueue(llc_demo_message,
 		val_mgr->Count(dsap),
 		val_mgr->Count(ssap),
 		val_mgr->Count(control));

testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h

@@ -5,16 +5,16 @@
 
 namespace zeek::packet_analysis::PacketDemo {
 
-class Bar : public Analyzer {
+class LLCDemo : public Analyzer {
 public:
-	Bar();
+	LLCDemo();
-	~Bar() override = default;
+	~LLCDemo() override = default;
 
 	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 
 	static AnalyzerPtr Instantiate()
 		{
-		return std::make_shared<Bar>();
+		return std::make_shared<LLCDemo>();
 		}
 };
 

testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc

@@ -1,7 +1,8 @@
 #include "Plugin.h"
 #include "packet_analysis/Component.h"
 
-#include "Bar.h"
+#include "RawLayer.h"
+#include "LLCDemo.h"
 
 namespace zeek::plugin::PacketDemo_Bar {
 
@@ -9,12 +10,14 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure()
 		{
-		AddComponent(new zeek::packet_analysis::Component("Bar",
+		AddComponent(new zeek::packet_analysis::Component("RawLayer",
-		                 zeek::packet_analysis::PacketDemo::Bar::Instantiate));
+		                 zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
+		AddComponent(new zeek::packet_analysis::Component("LLCDemo",
+		                 zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
 
 		zeek::plugin::Configuration config;
 		config.name = "PacketDemo::Bar";
-		config.description = "A Bar packet analyzer.";
+		config.description = "Demo packet analyzers (RawLayer, LLC).";
 		config.version.major = 1;
 		config.version.minor = 0;
 		config.version.patch = 0;

testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc

@@ -0,0 +1,29 @@
+#include "RawLayer.h"
+#include "Event.h"
+#include "Val.h"
+#include "events.bif.h"
+
+using namespace zeek::packet_analysis::PacketDemo;
+
+RawLayer::RawLayer()
+	: zeek::packet_analysis::Analyzer("RawLayer")
+	{
+	}
+
+bool RawLayer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	constexpr auto layer_size = 21;
+	if ( layer_size >= len )
+		{
+		packet->Weird("truncated_raw_layer");
+		return false;
+		}
+
+	uint16_t protocol = ntohs(*((const uint16_t*)(data + layer_size -2)));
+
+	event_mgr.Enqueue(raw_layer_message,
+		make_intrusive<StringVal>(layer_size, reinterpret_cast<const char*>(data)),
+		val_mgr->Count(protocol));
+
+	return ForwardPacket(len - layer_size, data + layer_size, packet, protocol);
+	}

testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h

@@ -0,0 +1,21 @@
+#pragma once
+
+#include <packet_analysis/Analyzer.h>
+#include <packet_analysis/Component.h>
+
+namespace zeek::packet_analysis::PacketDemo {
+
+class RawLayer : public Analyzer {
+public:
+	RawLayer();
+	~RawLayer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<RawLayer>();
+		}
+};
+
+}

testing/btest/plugins/packet-protocol-plugin/src/events.bif

@@ -1,2 +1,3 @@
 
-event bar_message%(dsap: count, ssap: count, control: count%);
+event raw_layer_message%(message: string, protocol: count%);
+event llc_demo_message%(dsap: count, ssap: count, control: count%);

testing/btest/plugins/packet-protocol.zeek

@@ -1,14 +1,32 @@
+# @TEST-EXEC: zeek -r $TRACES/raw_layer.pcap
+# @TEST-EXEC: cat conn.log > output_orig
+# @TEST-EXEC: cat weird.log >> output_orig
+# @TEST-EXEC: btest-diff output_orig
+# @TEST-EXEC: rm -f *.log
+#
 # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . PacketDemo Bar
 # @TEST-EXEC: cp -r %DIR/packet-protocol-plugin/* .
 # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
-# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN PacketDemo::Bar >>output
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN PacketDemo::Bar > output_build
-# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: btest-diff output_build
-# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT >>output
+#
-# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_layer.pcap %INPUT > output_raw
+# @TEST-EXEC: cat conn.log >> output_raw
+# @TEST-EXEC: test ! -e weird.log
+# @TEST-EXEC: btest-diff output_raw
+# @TEST-EXEC: rm -f *.log
+#
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc
+# @TEST-EXEC: btest-diff output_llc
 
-event bar_message(dsap: count, ssap: count, control: count)
+event raw_layer_message(msg: string, protocol: count)
 	{
-	print fmt("bar_message (DSAP = %x, SSAP = %x, Control = %x)",
+	print fmt("raw_layer_message (Message = '%s', Protocol = %x)", msg, protocol);
+	}
+
+event llc_demo_message(dsap: count, ssap: count, control: count)
+	{
+	print fmt("llc_demo_message (DSAP = %x, SSAP = %x, Control = %x)",
 	 dsap, ssap, control);
 	}