Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9)

Browse source 
Using pcaps from https://interop.seemann.io/ as samples for QUIC protocol
data didn't produce a conn.log for the contained data. `tcpdump -r`
and Wireshark do show the contained IP/UDP packets. Teach Zeek how
to handle link type DLT_PPP 0x09 using a new PPP analyzer based on the
PPPSerial analyzer code.

Usual update to files/x509 baseline after adding new analyzer due
to enum values changing.
This commit is contained in:
Arne Welzel 2023-08-23 13:33:01 +02:00
parent e8292be0ce
commit ee12a7a6e7
19 changed files with 319 additions and 172 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/packet-protocols/ppp/__load__.zeek Normal file
View file

@ -0,0 +1 @@
@load ./main

12
scripts/base/packet-protocols/ppp/main.zeek Normal file
View file

@ -0,0 +1,12 @@
module PacketAnalyzer::PPP;
const DLT_PPP: count = 9;
event zeek_init() &priority=20
{
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_PPP, PacketAnalyzer::ANALYZER_PPP);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 0x0281, PacketAnalyzer::ANALYZER_MPLS);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 0x0021, PacketAnalyzer::ANALYZER_IP);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPP, 0x0057, PacketAnalyzer::ANALYZER_IP);
}