Merge remote-tracking branch 'origin/topic/timw/2324-llc-snap-and-novell-oh-my'

* origin/topic/timw/2324-llc-snap-and-novell-oh-my:
  Update docs and NEWS to include LLC, SNAP, and Novell packet analyzers
  Fix length checks in VLAN/Ethernet analyzers for non-ethertype protocols
  Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers
  Remove non-standard way of forwarding out of the Ethernet analyzer
  Add basic LLC, SNAP, and Novell 802.3 packet analyzers
  ARP: add support for IEEE802 hardware type

CHANGES

@@ -1,3 +1,17 @@
+6.0.0-dev.437 | 2023-04-25 13:07:57 -0700
+
+  * Update docs and NEWS to include LLC, SNAP, and Novell packet analyzers (Tim Wojtulewicz)
+
+  * Fix length checks in VLAN/Ethernet analyzers for non-ethertype protocols (Tim Wojtulewicz, Corelight)
+
+  * Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers (Tim Wojtulewicz, Corelight)
+
+  * Remove non-standard way of forwarding out of the Ethernet analyzer (Tim Wojtulewicz, Corelight)
+
+  * Add basic LLC, SNAP, and Novell 802.3 packet analyzers (Tim Wojtulewicz, Corelight)
+
+  * ARP: add support for IEEE802 hardware type (Tim Wojtulewicz, Corelight)
+
 6.0.0-dev.430 | 2023-04-25 11:37:44 -0700
 
   * Merge branch 'topic/timw/2167-aruba-expansion' (Tim Wojtulewicz)

NEWS

@@ -196,6 +196,9 @@ New Functionality
   recognize CCMP-encrypted packets. These encrypted packets are currently
   dropped to Zeek's inability to do anything with them.
 
+- Add packet analzyers for LLC, SNAP, and Novell 802.3, called from the Ethernet
+  and VLAN analyzers by default.
+
 Changed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-6.0.0-dev.430
+6.0.0-dev.437

doc

@@ -1 +1 @@
-Subproject commit 6ccf06f0f6b0c24f120160aeb05307e4c4a44975
+Subproject commit 5e587855fe04723f902dd74cf4ad868599cd2c02

scripts/base/packet-protocols/__load__.zeek

@@ -20,6 +20,9 @@
 @load base/packet-protocols/udp
 @load base/packet-protocols/tcp
 @load base/packet-protocols/icmp
+@load base/packet-protocols/llc
+@load base/packet-protocols/novell_802_3
+@load base/packet-protocols/snap
 
 @load base/packet-protocols/gre
 @load base/packet-protocols/iptunnel

scripts/base/packet-protocols/ethernet/main.zeek

@@ -1,13 +1,13 @@
 module PacketAnalyzer::ETHERNET;
 
-export {
-	## IEEE 802.2 SNAP analyzer
-	global snap_analyzer: PacketAnalyzer::Tag &redef;
-	## Novell raw IEEE 802.3 analyzer
-	global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
-	## IEEE 802.2 LLC analyzer
-	global llc_analyzer: PacketAnalyzer::Tag &redef;
-}
+export
+	{
+	# We use some magic numbers here to denote these. The values here are outside the range of the
+	# standard ethertypes, which should always be above 1536.
+	const SNAP_FORWARDING_KEY : count = 0x0001;
+	const NOVELL_FORWARDING_KEY : count = 0x0002;
+	const LLC_FORWARDING_KEY : count = 0x0003;
+	}
 
 event zeek_init() &priority=20
 	{
@@ -22,4 +22,11 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
+
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, SNAP_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_SNAP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, NOVELL_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_NOVELL_802_3);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, LLC_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_LLC);
 	}

scripts/base/packet-protocols/llc/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/llc/main.zeek

@@ -0,0 +1 @@
+module PacketAnalyzer::LLC;

scripts/base/packet-protocols/novell_802_3/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/novell_802_3/main.zeek

@@ -0,0 +1,6 @@
+module PacketAnalyzer::NOVELL_802_3;
+
+export {
+	# The Novell 802.3 protocol should expect an IPX analyzer here. Since
+	# one doesn't exist yet, the default analyzer is left undefined.
+}

scripts/base/packet-protocols/snap/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/snap/main.zeek

@@ -0,0 +1,9 @@
+module PacketAnalyzer::SNAP;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+	}

scripts/base/packet-protocols/vlan/main.zeek

@@ -1,5 +1,14 @@
 module PacketAnalyzer::VLAN;
 
+export
+	{
+	# We use some magic numbers here to denote these. The values here are outside the range of the
+	# standard ethertypes, which should always be above 1536.
+	const SNAP_FORWARDING_KEY : count = 0x0001;
+	const NOVELL_FORWARDING_KEY : count = 0x0002;
+	const LLC_FORWARDING_KEY : count = 0x0003;
+	}
+
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
@@ -10,4 +19,11 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8035, PacketAnalyzer::ANALYZER_ARP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
+
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, SNAP_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_SNAP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, NOVELL_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_NOVELL_802_3);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, LLC_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_LLC);
 	}

src/packet_analysis/protocol/CMakeLists.txt

@@ -14,6 +14,9 @@ add_subdirectory(mpls)
 add_subdirectory(pbb)
 add_subdirectory(linux_sll)
 add_subdirectory(linux_sll2)
+add_subdirectory(llc)
+add_subdirectory(snap)
+add_subdirectory(novell_802_3)
 
 add_subdirectory(arp)
 add_subdirectory(ip)

src/packet_analysis/protocol/arp/ARP.cc

@@ -79,6 +79,11 @@ ARPAnalyzer::ARPAnalyzer() : zeek::packet_analysis::Analyzer("ARP") { }
 #define ARPOP_INVREPLY ARPOP_InREPLY
 #endif
 
+// Windows doesn't define this value.
+#ifndef ARPHRD_IEEE802
+#define ARPHRD_IEEE802 6
+#endif
+
 bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
 	packet->l3_proto = L3_ARP;
@@ -110,6 +115,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	switch ( ntohs(ah->ar_hrd) )
 		{
 		case ARPHRD_ETHER:
+		case ARPHRD_IEEE802:
 			if ( ah->ar_hln != 6 )
 				{
 				// don't know how to handle the opcode

src/packet_analysis/protocol/ethernet/Ethernet.cc

@@ -6,15 +6,12 @@
 
 using namespace zeek::packet_analysis::Ethernet;
 
-EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet") { }
-
-void EthernetAnalyzer::Initialize()
+EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet")
 	{
-	Analyzer::Initialize();
-
-	SNAPAnalyzer = LoadAnalyzer("snap_analyzer");
-	NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer");
-	LLCAnalyzer = LoadAnalyzer("llc_analyzer");
+	snap_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY")->AsCount();
+	novell_forwarding_key =
+		id::find_val("PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY")->AsCount();
+	llc_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY")->AsCount();
 	}
 
 bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
@@ -56,31 +53,25 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 	// Other ethernet frame types
 	if ( protocol <= 1500 )
 		{
-		if ( 16 >= len )
+		len -= 14;
+		data += 14;
+
+		if ( len < protocol )
 			{
 			Weird("truncated_ethernet_frame", packet);
 			return false;
 			}
 
 		// Let specialized analyzers take over for non Ethernet II frames.
-		// Note that pdata remains at the start of the ethernet frame.
-
-		AnalyzerPtr eth_analyzer = nullptr;
-
-		if ( data[14] == 0xAA && data[15] == 0xAA )
+		if ( data[0] == 0xAA && data[1] == 0xAA )
 			// IEEE 802.2 SNAP
-			eth_analyzer = SNAPAnalyzer;
-		else if ( data[14] == 0xFF && data[15] == 0xFF )
+			return ForwardPacket(len, data, packet, snap_forwarding_key);
+		else if ( data[0] == 0xFF && data[1] == 0xFF )
 			// Novell raw IEEE 802.3
-			eth_analyzer = NovellRawAnalyzer;
+			return ForwardPacket(len, data, packet, novell_forwarding_key);
 		else
 			// IEEE 802.2 LLC
-			eth_analyzer = LLCAnalyzer;
-
-		if ( eth_analyzer )
-			return eth_analyzer->AnalyzePacket(len, data, packet);
-
-		return true;
+			return ForwardPacket(len, data, packet, llc_forwarding_key);
 		}
 
 	// Undefined (1500 < EtherType < 1536)

src/packet_analysis/protocol/ethernet/Ethernet.h

@@ -14,7 +14,6 @@ public:
 	EthernetAnalyzer();
 	~EthernetAnalyzer() override = default;
 
-	void Initialize() override;
 	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
@@ -23,9 +22,9 @@ public:
 		}
 
 private:
-	AnalyzerPtr SNAPAnalyzer = nullptr;
-	AnalyzerPtr NovellRawAnalyzer = nullptr;
-	AnalyzerPtr LLCAnalyzer = nullptr;
+	zeek_uint_t snap_forwarding_key = 0;
+	zeek_uint_t novell_forwarding_key = 0;
+	zeek_uint_t llc_forwarding_key = 0;
 	};
 
 	}

src/packet_analysis/protocol/llc/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    LLC
+    SOURCES
+        LLC.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/llc/LLC.cc

@@ -0,0 +1,34 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+using namespace zeek::packet_analysis::LLC;
+
+LLCAnalyzer::LLCAnalyzer() : zeek::packet_analysis::Analyzer("LLC") { }
+
+bool LLCAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// An LLC header is at least 3 bytes, check for that first.
+	if ( len < 3 )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	int llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	if ( len < llc_header_len )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// The destination SAP should be the next protocol in the chain, so forward
+	// based on that value. The DSAP is the first byte in header.
+	return ForwardPacket(len, data, packet, data[0]);
+	}

src/packet_analysis/protocol/llc/LLC.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LLC
+	{
+
+class LLCAnalyzer : public Analyzer
+	{
+public:
+	LLCAnalyzer();
+	~LLCAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<LLCAnalyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/llc/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+namespace zeek::plugin::Zeek_LLC
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"LLC", zeek::packet_analysis::LLC::LLCAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::LLC";
+		config.description = "LLC packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/novell_802_3/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    Novell_802_3
+    SOURCES
+        Novell_802_3.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/novell_802_3/Novell_802_3.cc

@@ -0,0 +1,14 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+using namespace zeek::packet_analysis::Novell_802_3;
+
+Novell_802_3Analyzer::Novell_802_3Analyzer() : zeek::packet_analysis::Analyzer("Novell_802_3") { }
+
+bool Novell_802_3Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Attempt to forward into the default analyzer, if one exists. This should be an IPX analyzer,
+	// but one doesn't exist yet.
+	return ForwardPacket(len, data, packet);
+	}

src/packet_analysis/protocol/novell_802_3/Novell_802_3.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::Novell_802_3
+	{
+
+class Novell_802_3Analyzer : public Analyzer
+	{
+public:
+	Novell_802_3Analyzer();
+	~Novell_802_3Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<Novell_802_3Analyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/novell_802_3/Plugin.cc

@@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+namespace zeek::plugin::Zeek_Novell_802_3
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"NOVELL_802_3",
+			zeek::packet_analysis::Novell_802_3::Novell_802_3Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::NOVELL_802_3";
+		config.description = "Novell 802.3 variantx packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/snap/CMakeLists.txt

@@ -0,0 +1,7 @@
+zeek_add_plugin(
+    PacketAnalyzer
+    SNAP
+    SOURCES
+        SNAP.cc
+        Plugin.cc
+)

src/packet_analysis/protocol/snap/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+namespace zeek::plugin::Zeek_SNAP
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"SNAP", zeek::packet_analysis::SNAP::SNAPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::SNAP";
+		config.description = "SNAP packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/snap/SNAP.cc

@@ -0,0 +1,50 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+using namespace zeek::packet_analysis::SNAP;
+
+SNAPAnalyzer::SNAPAnalyzer() : zeek::packet_analysis::Analyzer("SNAP") { }
+
+bool SNAPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// The first part of the header is an LLC header, which we need to determine the
+	// length of the full header. Check to see if the shorter 3-byte version will fit.
+	if ( len < 3 )
+		{
+		Weird("truncated_snap_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	int llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	// Check the full length of the SNAP header, which is the LLC header plus 5 bytes.
+	if ( len < llc_header_len + 5 )
+		{
+		Weird("truncated_snap_header", packet);
+		return false;
+		}
+
+	data += llc_header_len;
+	len -= llc_header_len;
+
+	int oui = (data[0] << 16) | (data[1] << 8) | data[2];
+	int protocol = (data[3] << 8) | data[4];
+
+	data += 5;
+	len -= 5;
+
+	if ( oui == 0 )
+		{
+		// If the OUI is zero, the protocol is a standard ethertype and can be
+		// forwarded as such.
+		return ForwardPacket(len, data, packet, protocol);
+		}
+
+	return true;
+	}

src/packet_analysis/protocol/snap/SNAP.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::SNAP
+	{
+
+class SNAPAnalyzer : public Analyzer
+	{
+public:
+	SNAPAnalyzer();
+	~SNAPAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<SNAPAnalyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/vlan/VLAN.cc

@@ -4,7 +4,12 @@
 
 using namespace zeek::packet_analysis::VLAN;
 
-VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN") { }
+VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN")
+	{
+	snap_forwarding_key = id::find_val("PacketAnalyzer::VLAN::SNAP_FORWARDING_KEY")->AsCount();
+	novell_forwarding_key = id::find_val("PacketAnalyzer::VLAN::NOVELL_FORWARDING_KEY")->AsCount();
+	llc_forwarding_key = id::find_val("PacketAnalyzer::VLAN::LLC_FORWARDING_KEY")->AsCount();
+	}
 
 bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
@@ -17,8 +22,39 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 	auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
 	vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
 
+	// Get the protocol/length field from the last 2 bytes of the header.
 	uint32_t protocol = ((data[2] << 8u) + data[3]);
+
+	if ( protocol >= 1536 )
+		{
 		packet->eth_type = protocol;
 		// Skip the VLAN header
 		return ForwardPacket(len - 4, data + 4, packet, protocol);
 		}
+
+	if ( protocol <= 1500 )
+		{
+		// Skip over the VLAN header
+		len -= 4;
+		data += 4;
+
+		if ( len < protocol )
+			{
+			Weird("truncated_vlan_frame", packet);
+			return false;
+			}
+
+		if ( data[0] == 0xAA && data[1] == 0xAA )
+			// IEEE 802.2 SNAP
+			return ForwardPacket(len, data, packet, snap_forwarding_key);
+		else if ( data[0] == 0xFF && data[1] == 0xFF )
+			// Novell raw IEEE 802.3
+			return ForwardPacket(len, data, packet, novell_forwarding_key);
+		else
+			// IEEE 802.2 LLC
+			return ForwardPacket(len, data, packet, llc_forwarding_key);
+		}
+
+	Weird("undefined_vlan_protocol", packet);
+	return false;
+	}

src/packet_analysis/protocol/vlan/VLAN.h

@@ -20,6 +20,11 @@ public:
 		{
 		return std::make_shared<VLANAnalyzer>();
 		}
+
+private:
+	zeek_uint_t snap_forwarding_key = 0;
+	zeek_uint_t novell_forwarding_key = 0;
+	zeek_uint_t llc_forwarding_key = 0;
 	};
 
 	}

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -69,6 +69,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/llc/__load__.zeek
+      scripts/base/packet-protocols/llc/main.zeek
+    scripts/base/packet-protocols/novell_802_3/__load__.zeek
+      scripts/base/packet-protocols/novell_802_3/main.zeek
+    scripts/base/packet-protocols/snap/__load__.zeek
+      scripts/base/packet-protocols/snap/main.zeek
     scripts/base/packet-protocols/gre/__load__.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -69,6 +69,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/llc/__load__.zeek
+      scripts/base/packet-protocols/llc/main.zeek
+    scripts/base/packet-protocols/novell_802_3/__load__.zeek
+      scripts/base/packet-protocols/novell_802_3/main.zeek
+    scripts/base/packet-protocols/snap/__load__.zeek
+      scripts/base/packet-protocols/snap/main.zeek
     scripts/base/packet-protocols/gre/__load__.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -635,8 +635,11 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -714,14 +717,21 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -1117,6 +1127,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/krb, <...>/krb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/llc, <...>/llc) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
@@ -1129,6 +1140,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/netcontrol, <...>/netcontrol) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/nflog, <...>/nflog) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/notice, <...>/notice) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/novell_802_3, <...>/novell_802_3) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntlm, <...>/ntlm) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntp, <...>/ntp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/null, <...>/null) -> -1
@@ -1159,6 +1171,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/skip, <...>/skip) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/smb, <...>/smb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/smtp, <...>/smtp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/snap, <...>/snap) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/snmp, <...>/snmp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/socks, <...>/socks) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/software, <...>/software) -> -1
@@ -1507,6 +1520,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/llc, <...>/llc) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
@@ -1519,6 +1533,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/nflog, <...>/nflog) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/notice, <...>/notice) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/novell_802_3, <...>/novell_802_3) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntp, <...>/ntp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/null, <...>/null) -> (-1, <no content>)
@@ -1549,6 +1564,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/skip, <...>/skip) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smb, <...>/smb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smtp, <...>/smtp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snap, <...>/snap) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snmp, <...>/snmp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/socks, <...>/socks) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/software, <...>/software) -> (-1, <no content>)
@@ -2237,8 +2253,11 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP))
@@ -2316,14 +2335,21 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP))
@@ -2719,6 +2745,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll, <...>/linux_sll)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2)
+0.000000   MetaHookPre   LoadFile(0, base<...>/llc, <...>/llc)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
@@ -2731,6 +2758,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/netcontrol, <...>/netcontrol)
 0.000000   MetaHookPre   LoadFile(0, base<...>/nflog, <...>/nflog)
 0.000000   MetaHookPre   LoadFile(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFile(0, base<...>/novell_802_3, <...>/novell_802_3)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntlm, <...>/ntlm)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntp, <...>/ntp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/null, <...>/null)
@@ -2761,6 +2789,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/skip, <...>/skip)
 0.000000   MetaHookPre   LoadFile(0, base<...>/smb, <...>/smb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/snap, <...>/snap)
 0.000000   MetaHookPre   LoadFile(0, base<...>/snmp, <...>/snmp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/socks, <...>/socks)
 0.000000   MetaHookPre   LoadFile(0, base<...>/software, <...>/software)
@@ -3109,6 +3138,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/llc, <...>/llc)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
@@ -3121,6 +3151,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/nflog, <...>/nflog)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/novell_802_3, <...>/novell_802_3)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntlm, <...>/ntlm)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntp, <...>/ntp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/null, <...>/null)
@@ -3151,6 +3182,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/skip, <...>/skip)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smb, <...>/smb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snap, <...>/snap)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snmp, <...>/snmp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/socks, <...>/socks)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/software, <...>/software)
@@ -3838,8 +3870,11 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)
@@ -3917,14 +3952,21 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)
@@ -4332,6 +4374,7 @@
 0.000000 | HookLoadFile  base<...>/krb <...>/krb
 0.000000 | HookLoadFile  base<...>/linux_sll <...>/linux_sll
 0.000000 | HookLoadFile  base<...>/linux_sll2 <...>/linux_sll2
+0.000000 | HookLoadFile  base<...>/llc <...>/llc
 0.000000 | HookLoadFile  base<...>/logging <...>/logging
 0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
@@ -4344,6 +4387,7 @@
 0.000000 | HookLoadFile  base<...>/netcontrol <...>/netcontrol
 0.000000 | HookLoadFile  base<...>/nflog <...>/nflog
 0.000000 | HookLoadFile  base<...>/notice <...>/notice
+0.000000 | HookLoadFile  base<...>/novell_802_3 <...>/novell_802_3
 0.000000 | HookLoadFile  base<...>/ntlm <...>/ntlm
 0.000000 | HookLoadFile  base<...>/ntp <...>/ntp
 0.000000 | HookLoadFile  base<...>/null <...>/null
@@ -4374,6 +4418,7 @@
 0.000000 | HookLoadFile  base<...>/skip <...>/skip
 0.000000 | HookLoadFile  base<...>/smb <...>/smb
 0.000000 | HookLoadFile  base<...>/smtp <...>/smtp
+0.000000 | HookLoadFile  base<...>/snap <...>/snap
 0.000000 | HookLoadFile  base<...>/snmp <...>/snmp
 0.000000 | HookLoadFile  base<...>/socks <...>/socks
 0.000000 | HookLoadFile  base<...>/software <...>/software
@@ -4722,6 +4767,7 @@
 0.000000 | HookLoadFileExtended base<...>/krb <...>/krb
 0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll
 0.000000 | HookLoadFileExtended base<...>/linux_sll2 <...>/linux_sll2
+0.000000 | HookLoadFileExtended base<...>/llc <...>/llc
 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
@@ -4734,6 +4780,7 @@
 0.000000 | HookLoadFileExtended base<...>/netcontrol <...>/netcontrol
 0.000000 | HookLoadFileExtended base<...>/nflog <...>/nflog
 0.000000 | HookLoadFileExtended base<...>/notice <...>/notice
+0.000000 | HookLoadFileExtended base<...>/novell_802_3 <...>/novell_802_3
 0.000000 | HookLoadFileExtended base<...>/ntlm <...>/ntlm
 0.000000 | HookLoadFileExtended base<...>/ntp <...>/ntp
 0.000000 | HookLoadFileExtended base<...>/null <...>/null
@@ -4764,6 +4811,7 @@
 0.000000 | HookLoadFileExtended base<...>/skip <...>/skip
 0.000000 | HookLoadFileExtended base<...>/smb <...>/smb
 0.000000 | HookLoadFileExtended base<...>/smtp <...>/smtp
+0.000000 | HookLoadFileExtended base<...>/snap <...>/snap
 0.000000 | HookLoadFileExtended base<...>/snmp <...>/snmp
 0.000000 | HookLoadFileExtended base<...>/socks <...>/socks
 0.000000 | HookLoadFileExtended base<...>/software <...>/software

testing/btest/Baseline/plugins.packet-protocol/output_build

@@ -1,7 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0)
-    [Packet Analyzer] LLC_Demo (ANALYZER_LLC_DEMO, enabled)
+PacketDemo::Bar - Demo packet analyzers (RawLayer). (dynamic, version 1.0.0)
     [Packet Analyzer] Raw_Layer (ANALYZER_RAW_LAYER, enabled)
     [Event] raw_layer_message
-    [Event] llc_demo_message
 

testing/btest/Baseline/plugins.packet-protocol/output_llc

@@ -1,5 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)

testing/btest/Baseline/scripts.base.files.x509.files/files.log

@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout

@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00
+c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00
+c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01
+c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -189,7 +189,6 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@@ -202,13 +201,13 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@@ -218,6 +217,7 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_handshake_message

testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt

@@ -14,6 +14,5 @@ include(ZeekPlugin)
 zeek_plugin_begin(PacketDemo Bar)
 zeek_plugin_cc(src/Plugin.cc)
 zeek_plugin_cc(src/RawLayer.cc)
-zeek_plugin_cc(src/LLCDemo.cc)
 zeek_plugin_bif(src/events.bif)
 zeek_plugin_end()

testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek

@@ -1,2 +1 @@
 @load PacketDemo/RawLayer/base/main
-@load PacketDemo/LLCDemo/base/main

testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc

@@ -1,30 +0,0 @@
-#include "LLCDemo.h"
-
-#include "zeek/Event.h"
-#include "zeek/Val.h"
-#include "zeek/session/Manager.h"
-
-#include "events.bif.h"
-
-using namespace zeek::packet_analysis::PacketDemo;
-
-LLCDemo::LLCDemo() : zeek::packet_analysis::Analyzer("LLC_Demo") { }
-
-bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
-	{
-	// Rudimentary parsing of 802.2 LLC
-	if ( 17 >= len )
-		{
-		session_mgr->Weird("truncated_llc_header", packet);
-		return false;
-		}
-
-	auto dsap = data[14];
-	auto ssap = data[15];
-	auto control = data[16];
-
-	event_mgr.Enqueue(llc_demo_message, val_mgr->Count(dsap), val_mgr->Count(ssap),
-	                  val_mgr->Count(control));
-
-	return true;
-	}

testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h

@@ -1,20 +0,0 @@
-#pragma once
-
-#include "zeek/packet_analysis/Analyzer.h"
-#include "zeek/packet_analysis/Component.h"
-
-namespace zeek::packet_analysis::PacketDemo
-	{
-
-class LLCDemo : public Analyzer
-	{
-public:
-	LLCDemo();
-	~LLCDemo() override = default;
-
-	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
-
-	static AnalyzerPtr Instantiate() { return std::make_shared<LLCDemo>(); }
-	};
-
-	}

testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc

@@ -1,6 +1,5 @@
 #include "Plugin.h"
 
-#include "LLCDemo.h"
 #include "RawLayer.h"
 #include "packet_analysis/Component.h"
 
@@ -14,12 +13,10 @@ public:
 		{
 		AddComponent(new zeek::packet_analysis::Component(
 			"Raw_Layer", zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
-		AddComponent(new zeek::packet_analysis::Component(
-			"LLC_Demo", zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
 
 		zeek::plugin::Configuration config;
 		config.name = "PacketDemo::Bar";
-		config.description = "Demo packet analyzers (RawLayer, LLC).";
+		config.description = "Demo packet analyzers (RawLayer).";
 		config.version.major = 1;
 		config.version.minor = 0;
 		config.version.patch = 0;

testing/btest/plugins/packet-protocol-plugin/src/events.bif

@@ -1,3 +1,2 @@
 
 event raw_layer_message%(message: string, protocol: count%);
-event llc_demo_message%(dsap: count, ssap: count, control: count%);

testing/btest/plugins/packet-protocol.zeek

@@ -16,9 +16,6 @@
 # @TEST-EXEC: test ! -e unknown_protocols.log
 # @TEST-EXEC: btest-diff output_raw
 # @TEST-EXEC: rm -f *.log
-#
-# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc
-# @TEST-EXEC: btest-diff output_llc
 
 @load policy/misc/unknown-protocols
 

testing/btest/scripts/base/protocols/snap/snap-arp.test

@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -r $TRACES/snap-arp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}