SessionAdapter: Introduce TapAnalyzer for session adapter

This commit introduces a mechanism to attach light weight analyzers to the root analyzer of sessions in order to tap into the packets delivered to child analyzer.
2025-10-02 06:38:20 +00:00 · 2025-08-02 12:32:32 +02:00 · 2025-08-02 12:32:32 +02:00 · dc904b2216
commit dc904b2216
parent 56325d1412
11 changed files with 355 additions and 5 deletions
--- a/testing/btest/Baseline/plugins.tap-analyzer/output
+++ b/testing/btest/Baseline/plugins.tap-analyzer/output
@ -0,0 +1,68 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+<...>/ip4-tcp-bad-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=54 orig=1, verdict=1 skip_reason=1) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip4-tcp-good-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=54 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip4-udp-bad-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=46 orig=1, verdict=1 skip_reason=1) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip4-udp-good-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=46 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip4-icmp-bad-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=42 orig=1, verdict=1 skip_reason=1) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip4-icmp-good-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=42 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip6-icmp6-bad-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=69 orig=1, verdict=1 skip_reason=1) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/ip6-icmp6-good-chksum.pcap
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=69 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
+<...>/get.trace
+Init() uid=HhAvVGS1DHFjwGM9
+Analyzer added to HhAvVGS1DHFjwGM9
+Packet(len=78 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=74 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=202 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=1514 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=1514 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=1514 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=729 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9
+Done() uid=HhAvVGS1DHFjwGM9
+===
--- a/testing/btest/plugins/tap-analyzer-plugin/.btest-ignore
+++ b/testing/btest/plugins/tap-analyzer-plugin/.btest-ignore
--- a/testing/btest/plugins/tap-analyzer-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/tap-analyzer-plugin/src/Plugin.cc
@ -0,0 +1,60 @@
+#include "Plugin.h"
+
+#include <cstdio>
+#include <cstring>
+
+#include "zeek/Reporter.h"
+#include "zeek/analyzer/Analyzer.h"
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
+
+namespace {
+class MyTapAnalyzer : public zeek::packet_analysis::TapAnalyzer {
+public:
+    MyTapAnalyzer(zeek::Connection* conn) : conn(conn) {}
+
+    void TapPacket(const zeek::Packet& pkt, zeek::packet_analysis::PacketAction verdict,
+                   const zeek::packet_analysis::SkipReason skip_reason) override {
+        std::printf("Packet(len=%d orig=%d, verdict=%d skip_reason=%d) uid=%s\n", pkt.len, pkt.is_orig,
+                    static_cast<int>(verdict), static_cast<int>(skip_reason), conn->GetUID().Base62().c_str());
+    }
+
+    void Init() override { std::printf("Init() uid=%s\n", conn->GetUID().Base62().c_str()); }
+
+    void Done() override { std::printf("Done() uid=%s\n", conn->GetUID().Base62().c_str()); }
+
+private:
+    zeek::Connection* conn = nullptr;
+};
+} // namespace
+
+
+namespace btest::plugin::Demo_TapAnalyzer {
+
+Plugin plugin;
+
+zeek::plugin::Configuration Plugin::Configure() {
+    EnableHook(zeek::plugin::HOOK_SETUP_ANALYZER_TREE);
+
+    zeek::plugin::Configuration config;
+    config.name = "Demo::TapAnalyzer";
+    config.description = "Testing the TapAnalyzer";
+    config.version = {1, 0, 0};
+    return config;
+}
+
+void Plugin::HookSetupAnalyzerTree(zeek::Connection* conn) {
+    // Init the uid for GetUID()
+    conn->GetVal();
+
+    auto analyzer = std::make_unique<MyTapAnalyzer>(conn);
+
+    auto* adapter = conn->GetSessionAdapter();
+    adapter->AddTapAnalyzer(std::move(analyzer));
+
+
+    std::printf("Analyzer added to %s\n", conn->GetUID().Base62().c_str());
+}
+
+} // namespace btest::plugin::Demo_TapAnalyzer
--- a/testing/btest/plugins/tap-analyzer-plugin/src/Plugin.h
+++ b/testing/btest/plugins/tap-analyzer-plugin/src/Plugin.h
@ -0,0 +1,18 @@
+
+#pragma once
+
+#include "zeek/plugin/Plugin.h"
+
+namespace btest::plugin::Demo_TapAnalyzer {
+
+class Plugin : public zeek::plugin::Plugin {
+protected:
+    void HookSetupAnalyzerTree(zeek::Connection* conn) override;
+
+    // Overridden from zeek::plugin::Plugin.
+    zeek::plugin::Configuration Configure() override;
+};
+
+extern Plugin plugin;
+
+} // namespace btest::plugin::Demo_TapAnalyzer
--- a/testing/btest/plugins/tap-analyzer.zeek
+++ b/testing/btest/plugins/tap-analyzer.zeek
@ -0,0 +1,28 @@
+# @TEST-DOC: A plugin hooking HookSetupAnalyzerTree() to attach a TapAnalyzer to every connection.
+#
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo TapAnalyzer
+# @TEST-EXEC: cp -r %DIR/tap-analyzer-plugin/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+#
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip4-tcp-bad-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip4-tcp-good-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip4-udp-bad-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip4-icmp-bad-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip6-icmp6-bad-chksum.pcap %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap %INPUT >>output
+#
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT >>output
+#
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+event zeek_init()
+	{
+	print packet_source()$path;
+	}
+
+event zeek_done()
+	{
+	print "===";
+	}