PPPoE: add session id logging

This adds a new PacketAnalyzer::PPPoE::session_id bif, which extracts the PPPoE session ID from the current packet. Furthermore, a new policy script is added which adds the pppoe session id to the connection log. Related to GH-4602
2025-10-01 22:28:20 +00:00 · 2025-07-02 17:14:18 +01:00 · 2025-07-02 17:14:18 +01:00 · e5a434c392
commit e5a434c392
parent 55cdb707e9
10 changed files with 72 additions and 2 deletions
--- a/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
+++ b/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
@ -0,0 +1,27 @@
+##! This script adds PPPoE session ID information to the connection log.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## The PPPoE session id, if applicable for this connection.
+	pppoe_session_id: count &log &optional;
+};
+
+# Add the PPPoE session ID to the Conn::Info structure. We have to do this right
+# at the beginning, while we are handling a packet.
+event new_connection(c: connection)
+	{
+	local session_id = PacketAnalyzer::PPPoE::session_id();
+
+	# no session ID
+	if ( session_id == 0xFFFFFFFF )
+		return;
+
+	# FIXME: remove when GH-4688 is merged
+	set_conn(c, F);
+
+	c$conn$pppoe_session_id = session_id;
+	}
+
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -113,6 +113,7 @@
@load protocols/conn/known-services.zeek
@load protocols/conn/mac-logging.zeek
@load protocols/conn/vlan-logging.zeek
+@load protocols/conn/pppoe-session-id-logging.zeek
@load protocols/conn/weirds.zeek
 #@load frameworks/conn_key/vlan_fivetuple.zeek
 #@load protocols/conn/speculative-service.zeek