Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 09:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add handling for IPv6 extension header chains (addresses #531)

Browse source 
- The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
  representing the full IPv6 header chain.

- The 'new_packet' event is now raised for IPv6 packets (addresses #523)

- A new event called 'ipv6_ext_header' is raised for any IPv6 packet
  containing extension headers.

- A new event called 'esp_packet' is raised for any packets using ESP
  ('new_packet' and 'ipv6_ext_header' events provide connection info,
  but that info can't be provided here since the upper-layer payload
  is encrypted).

- The 'unknown_protocol' weird is now raised more reliably when Bro
  sees a transport protocol or IPv6 extension header it can't handle.
  (addresses #522)

Still need to do IPv6 fragment reassembly and needs more testing.
This commit is contained in:
Jon Siwek 2012-03-02 20:01:01 -06:00
parent 0639487aad
commit eb9f686bb2
11 changed files with 724 additions and 110 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/TCP.cc
View file

@ -1203,7 +1203,7 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
if ( ip->HdrLen() > 20 )
quirks |= QUIRK_IPOPT;
if ( ip->IP_ID() == 0 )
if ( ip->ID() == 0 )
quirks |= QUIRK_ZEROID;
if ( tcp->th_seq == 0 )
@ -1942,11 +1942,11 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
{
if ( ++num_pkts == 1 )
{ // First packet.
last_id = ntohs(ip->ID4());
last_id = ip->ID();
return 0;
}
int id = ntohs(ip->ID4());
int id = ip->ID();
if ( id == last_id )
{