Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

tcp,udp,icmp adapters: Move TapPacket() to earlier

Browse source 
Writing a test, the packet was tapped after protocol analysis at least
for TCP. Ensure tapping happens before. The adapter->Process() moving
after pkt->session made me a bit wondering if things are underspecified
here, but seems reasonable to set the session on pkt before adapter->Process().

Relates to #4337 #4725 #4734 #4737
This commit is contained in:
Arne Welzel 2025-08-06 16:14:37 +02:00
parent 9d7cfcbce3
commit ee93213d39
3 changed files with 11 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/packet_analysis/protocol/icmp/ICMP.cc
View file

@ -112,11 +112,11 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
// handling those properly.
pkt->session = c;
ForwardPacket(std::min(len, remaining), data, pkt);
// Tap the packet before sending it to protocol analysis.
// Tap the packet before processing/forwarding.
adapter->TapPacket(pkt);
ForwardPacket(std::min(len, remaining), data, pkt);
if ( remaining >= len )
adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining);

10
src/packet_analysis/protocol/tcp/TCP.cc
View file

@ -103,18 +103,18 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
return;
}
adapter->Process(is_orig, tp, len, ip, data, remaining);
// Store the session in the packet in case we get an encapsulation here. We need it for
// handling those properly.
pkt->session = c;
// Tap the packet before processing/forwarding.
adapter->TapPacket(pkt);
adapter->Process(is_orig, tp, len, ip, data, remaining);
// Send the packet back into the packet analysis framework.
ForwardPacket(std::min(len, remaining), data, pkt);
// Tap the packet before sending it to session analysis.
adapter->TapPacket(pkt);
// Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
// but this adapter does some other things in its DeliverPacket with the packet children
// analyzers.

6
src/packet_analysis/protocol/udp/UDP.cc
View file

@ -190,15 +190,15 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
// handling those properly.
pkt->session = c;
// Tap the packet before processing/forwarding.
adapter->TapPacket(pkt);
// Send the packet back into the packet analysis framework. We only check the response
// port here because the orig/resp should have already swapped around based on
// likely_server_ports. This also prevents us from processing things twice if protocol
// detection has to be used.
ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
// Tap the packet before sending it to session analysis.
adapter->TapPacket(pkt);
// Forward any data through session-analysis, too.
adapter->ForwardPacket(std::min(len, remaining), data, is_orig, -1, ip.get(), pkt->cap_len);
}