PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9)

Using pcaps from https://interop.seemann.io/ as samples for QUIC protocol data didn't produce a conn.log for the contained data. `tcpdump -r` and Wireshark do show the contained IP/UDP packets. Teach Zeek how to handle link type DLT_PPP 0x09 using a new PPP analyzer based on the PPPSerial analyzer code. Usual update to files/x509 baseline after adding new analyzer due to enum values changing.
2025-10-02 06:38:20 +00:00 · 2023-08-23 13:33:01 +02:00 · 2023-08-23 13:33:01 +02:00 · ee12a7a6e7
commit ee12a7a6e7
parent e8292be0ce
19 changed files with 319 additions and 172 deletions
--- a/scripts/base/packet-protocols/load.zeek
+++ b/scripts/base/packet-protocols/load.zeek
@ -11,6 +11,7 @@
@load base/packet-protocols/linux_sll2
@load base/packet-protocols/nflog
@load base/packet-protocols/null
+@load base/packet-protocols/ppp
@load base/packet-protocols/ppp_serial
@load base/packet-protocols/pppoe
@load base/packet-protocols/vlan
--- a/scripts/base/packet-protocols/ppp/load.zeek
+++ b/scripts/base/packet-protocols/ppp/load.zeek
@ -0,0 +1 @@
+@load ./main
--- a/scripts/base/packet-protocols/ppp/main.zeek
+++ b/scripts/base/packet-protocols/ppp/main.zeek
@ -0,0 +1,12 @@
+module PacketAnalyzer::PPP;
+
+const DLT_PPP: count = 9;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_PPP, PacketAnalyzer::ANALYZER_PPP);
+
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 0x0281, PacketAnalyzer::ANALYZER_MPLS);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 0x0021, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 0x0057, PacketAnalyzer::ANALYZER_IP);
+	}
--- a/scripts/base/packet-protocols/ppp_serial/main.zeek
+++ b/scripts/base/packet-protocols/ppp_serial/main.zeek
@ -9,4 +9,4 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 0x0281, PacketAnalyzer::ANALYZER_MPLS);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 0x0021, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 0x0057, PacketAnalyzer::ANALYZER_IP);
-	}
+	}
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@ -4,6 +4,7 @@ add_subdirectory(skip)
 add_subdirectory(null)
 add_subdirectory(ethernet)
 add_subdirectory(vlan)
+add_subdirectory(ppp)
 add_subdirectory(pppoe)
 add_subdirectory(ppp_serial)
 add_subdirectory(ieee802_11)
--- a/src/packet_analysis/protocol/ppp/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ppp/CMakeLists.txt
@ -0,0 +1 @@
+zeek_add_plugin(PacketAnalyzer PPP SOURCES PPP.cc Plugin.cc)
--- a/src/packet_analysis/protocol/ppp/PPP.cc
+++ b/src/packet_analysis/protocol/ppp/PPP.cc
@ -0,0 +1,40 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/ppp/PPP.h"
+
+using namespace zeek::packet_analysis::PPP;
+
+PPPAnalyzer::PPPAnalyzer() : zeek::packet_analysis::Analyzer("PPP") { }
+
+bool PPPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Analyzer is meant to handle DLT_PPP.
+	//
+	// From https://www.tcpdump.org/linktypes.html for LINKTYPE_PPP (0x9):
+	//
+	//   PPP, as per RFC 1661 and RFC 1662; if the first 2 bytes are 0xff and 0x03,
+	//   it's PPP in HDLC-like framing, with the PPP header following those two bytes,
+	//   otherwise it's PPP without framing, and the packet begins with the PPP header.
+	//   The data in the frame is not octet-stuffed or bit-stuffed.
+	if ( 2 >= len )
+		{
+		Weird("truncated_ppp_header", packet);
+		return false;
+		}
+
+	if ( data[0] == 0xff && data[1] == 0x03 )
+		{
+		// HDLC-Framing
+		if ( 4 >= len )
+			{
+			Weird("truncated_ppp_hdlc_header", packet);
+			return false;
+			}
+
+		uint32_t protocol = (data[2] << 8) + data[3];
+		return ForwardPacket(len - 4, data + 4, packet, protocol);
+		}
+
+	uint32_t protocol = (data[0] << 8) + data[1];
+	return ForwardPacket(len - 2, data + 2, packet, protocol);
+	}
--- a/src/packet_analysis/protocol/ppp/PPP.h
+++ b/src/packet_analysis/protocol/ppp/PPP.h
@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::PPP
+	{
+
+class PPPAnalyzer : public Analyzer
+	{
+public:
+	PPPAnalyzer();
+	~PPPAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<PPPAnalyzer>();
+		}
+	};
+
+	}
--- a/src/packet_analysis/protocol/ppp/Plugin.cc
+++ b/src/packet_analysis/protocol/ppp/Plugin.cc
@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/ppp/PPP.h"
+
+namespace zeek::plugin::Zeek_PPP
+	{
+
+class Plugin final : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"PPP", zeek::packet_analysis::PPP::PPPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::PPP";
+		config.description = "PPP packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
--- a/testing/btest/Baseline/core.ppp/conn.log
+++ b/testing/btest/Baseline/core.ppp/conn.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+0.000000	CHhAvVGS1DHFjwGM9	::	135	ff02::1:ff00:3	136	icmp	-	0.008000	48	0	OTH	T	F	0	-	2	144	0	0	-
+0.016059	ClEkJM2Vm5giqnMf4h	::	135	ff02::1:ff00:4	136	icmp	-	0.002000	48	0	OTH	T	F	0	-	2	144	0	0	-
+0.669020	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	udp	-	0.112400	4039	11996	SF	F	F	0	Dd	10	4319	12	12332	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -51,6 +51,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/nflog/main.zeek
    scripts/base/packet-protocols/null/__load__.zeek
      scripts/base/packet-protocols/null/main.zeek
+    scripts/base/packet-protocols/ppp/__load__.zeek
+      scripts/base/packet-protocols/ppp/main.zeek
    scripts/base/packet-protocols/ppp_serial/__load__.zeek
      scripts/base/packet-protocols/ppp_serial/main.zeek
    scripts/base/packet-protocols/pppoe/__load__.zeek
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -51,6 +51,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/nflog/main.zeek
    scripts/base/packet-protocols/null/__load__.zeek
      scripts/base/packet-protocols/null/main.zeek
+    scripts/base/packet-protocols/ppp/__load__.zeek
+      scripts/base/packet-protocols/ppp/main.zeek
    scripts/base/packet-protocols/ppp_serial/__load__.zeek
      scripts/base/packet-protocols/ppp_serial/main.zeek
    scripts/base/packet-protocols/pppoe/__load__.zeek
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -711,6 +711,9 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPP, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPP, 641, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPP, 87, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@ -725,6 +728,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 9, PacketAnalyzer::ANALYZER_PPP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@ -1159,6 +1163,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/pe, <...>/pe) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/plugins, <...>/plugins) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/pop3, <...>/pop3) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/ppp, <...>/ppp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ppp_serial, <...>/ppp_serial) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/pppoe, <...>/pppoe) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/queue, <...>/queue.zeek) -> -1
@ -1549,6 +1554,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pe, <...>/pe) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/plugins, <...>/plugins) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pop3, <...>/pop3) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ppp, <...>/ppp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pppoe, <...>/pppoe) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/queue, <...>/queue.zeek) -> (-1, <no content>)
@ -2331,6 +2337,9 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPP, 33, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPP, 641, PacketAnalyzer::ANALYZER_MPLS))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPP, 87, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP))
@ -2345,6 +2354,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 9, PacketAnalyzer::ANALYZER_PPP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP))
@ -2779,6 +2789,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/pe, <...>/pe)
 0.000000   MetaHookPre   LoadFile(0, base<...>/plugins, <...>/plugins)
 0.000000   MetaHookPre   LoadFile(0, base<...>/pop3, <...>/pop3)
+0.000000   MetaHookPre   LoadFile(0, base<...>/ppp, <...>/ppp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ppp_serial, <...>/ppp_serial)
 0.000000   MetaHookPre   LoadFile(0, base<...>/pppoe, <...>/pppoe)
 0.000000   MetaHookPre   LoadFile(0, base<...>/queue, <...>/queue.zeek)
@ -3169,6 +3180,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pe, <...>/pe)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/plugins, <...>/plugins)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pop3, <...>/pop3)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ppp, <...>/ppp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pppoe, <...>/pppoe)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/queue, <...>/queue.zeek)
@ -3950,6 +3962,9 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 33, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 641, PacketAnalyzer::ANALYZER_MPLS)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 87, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP)
@ -3964,6 +3979,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 9, PacketAnalyzer::ANALYZER_PPP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)
@ -4410,6 +4426,7 @@
 0.000000 | HookLoadFile  base<...>/pe <...>/pe
 0.000000 | HookLoadFile  base<...>/plugins <...>/plugins
 0.000000 | HookLoadFile  base<...>/pop3 <...>/pop3
+0.000000 | HookLoadFile  base<...>/ppp <...>/ppp
 0.000000 | HookLoadFile  base<...>/ppp_serial <...>/ppp_serial
 0.000000 | HookLoadFile  base<...>/pppoe <...>/pppoe
 0.000000 | HookLoadFile  base<...>/queue <...>/queue.zeek
@ -4800,6 +4817,7 @@
 0.000000 | HookLoadFileExtended base<...>/pe <...>/pe
 0.000000 | HookLoadFileExtended base<...>/plugins <...>/plugins
 0.000000 | HookLoadFileExtended base<...>/pop3 <...>/pop3
+0.000000 | HookLoadFileExtended base<...>/ppp <...>/ppp
 0.000000 | HookLoadFileExtended base<...>/ppp_serial <...>/ppp_serial
 0.000000 | HookLoadFileExtended base<...>/pppoe <...>/pppoe
 0.000000 | HookLoadFileExtended base<...>/queue <...>/queue.zeek
--- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log
@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@ -180,7 +180,6 @@ XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@ -194,12 +193,12 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
 XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@ -210,6 +209,7 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_handshake_message
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/Traces/ppp/quic-interop-retry.pcap
+++ b/testing/btest/Traces/ppp/quic-interop-retry.pcap
--- a/testing/btest/core/ppp.test
+++ b/testing/btest/core/ppp.test
@ -0,0 +1,4 @@
+# @TEST-DOC: PCAP from https://interop.seemann.io/ with DLT_PPP linklayer and no HDLC framing.
+#
+# @TEST-EXEC: zeek -r $TRACES/ppp/quic-interop-retry.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
				`@ -0,0 +1 @@`
				`zeek_add_plugin(PacketAnalyzer PPP SOURCES PPP.cc Plugin.cc)`