GH-1389: Skip VN-Tag headers

2025-10-06 16:48:19 +00:00 · 2021-02-01 14:18:24 -07:00 · 2021-02-01 14:18:24 -07:00 · f53448ccc9
commit f53448ccc9
parent dacdf5424b
15 changed files with 126 additions and 0 deletions
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@ -17,3 +17,4 @@ add_subdirectory(arp)
 add_subdirectory(ip)
 add_subdirectory(gre)
 add_subdirectory(iptunnel)
+add_subdirectory(vntag)
--- a/src/packet_analysis/protocol/vntag/CMakeLists.txt
+++ b/src/packet_analysis/protocol/vntag/CMakeLists.txt
@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer VNTag)
+zeek_plugin_cc(VNTag.cc Plugin.cc)
+zeek_plugin_end()
--- a/src/packet_analysis/protocol/vntag/Plugin.cc
+++ b/src/packet_analysis/protocol/vntag/Plugin.cc
@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/vntag/VNTag.h"
+
+namespace zeek::plugin::Zeek_VNTag {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+    zeek::plugin::Configuration Configure()
+        {
+        AddComponent(new zeek::packet_analysis::Component("VNTag",
+                         zeek::packet_analysis::VNTag::VNTagAnalyzer::Instantiate));
+
+        zeek::plugin::Configuration config;
+        config.name = "Zeek::VNTag";
+        config.description = "VNTag packet analyzer";
+        return config;
+        }
+
+} plugin;
+
+}
--- a/src/packet_analysis/protocol/vntag/VNTag.cc
+++ b/src/packet_analysis/protocol/vntag/VNTag.cc
@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/vntag/VNTag.h"
+
+using namespace zeek::packet_analysis::VNTag;
+
+VNTagAnalyzer::VNTagAnalyzer()
+	: zeek::packet_analysis::Analyzer("VNTag")
+	{
+	}
+
+bool VNTagAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( 6 >= len )
+		{
+		Weird("truncated_vntag_header", packet);
+		return false;
+		}
+
+	uint32_t protocol = ((data[4] << 8u) + data[5]);
+	// Skip the VNTag header
+	return ForwardPacket(len - 6, data + 6, packet, protocol);
+	}
--- a/src/packet_analysis/protocol/vntag/VNTag.h
+++ b/src/packet_analysis/protocol/vntag/VNTag.h
@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::VNTag {
+
+class VNTagAnalyzer : public Analyzer {
+public:
+	VNTagAnalyzer();
+	~VNTagAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<VNTagAnalyzer>();
+		}
+};
+
+}