Store some additional information in the packet during processing

- Session related to the packet
- is_orig information if a UDP header was found
This commit is contained in:
Tim Wojtulewicz 2021-08-26 10:16:48 -07:00
parent 5f58ce8a5d
commit f93c5a6942
5 changed files with 30 additions and 5 deletions


@ -18,6 +18,7 @@ using pkt_timeval = struct timeval;
#include "zeek/IP.h" #include "zeek/IP.h"
#include "zeek/NetVar.h" // For BifEnum::Tunnel #include "zeek/NetVar.h" // For BifEnum::Tunnel
#include "zeek/TunnelEncapsulation.h" #include "zeek/TunnelEncapsulation.h"
#include "zeek/session/Session.h"
namespace zeek namespace zeek
{ {
@ -172,29 +173,35 @@ public:
/** /**
* (Outermost) VLAN tag if any, else 0. * (Outermost) VLAN tag if any, else 0.
*/ */
uint32_t vlan; uint32_t vlan = 0;
/** /**
* (Innermost) VLAN tag if any, else 0. * (Innermost) VLAN tag if any, else 0.
*/ */
uint32_t inner_vlan; uint32_t inner_vlan = 0;
/**
* If this packet is related to a connection, this flag denotes whether
* this packet is from the originator of the connection.
*/
bool is_orig = false;
/** /**
* Indicates whether the layer 2 checksum was validated by the * Indicates whether the layer 2 checksum was validated by the
* hardware/kernel before being received by zeek. * hardware/kernel before being received by zeek.
*/ */
bool l2_checksummed; bool l2_checksummed = false;
/** /**
* Indicates whether the layer 3 checksum was validated by the * Indicates whether the layer 3 checksum was validated by the
* hardware/kernel before being received by zeek. * hardware/kernel before being received by zeek.
*/ */
bool l3_checksummed; bool l3_checksummed = false;
/** /**
* Indicates whether this packet should be recorded. * Indicates whether this packet should be recorded.
*/ */
mutable bool dump_packet; mutable bool dump_packet = false;
/** /**
* Indicates the amount of data to be dumped. If only a header is needed, * Indicates the amount of data to be dumped. If only a header is needed,
@ -255,6 +262,11 @@ public:
*/ */
bool processed = false; bool processed = false;
/**
* The session related to this packet, if one exists.
*/
session::Session* session = nullptr;
private: private:
// Renders an MAC address into its ASCII representation. // Renders an MAC address into its ASCII representation.
ValPtr FmtEUI48(const u_char* mac) const; ValPtr FmtEUI48(const u_char* mac) const;
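Review bot: The new `session` member is a raw pointer with no statement of ownership or lifetime, so a reader cannot tell whether a Packet may be kept around after the Session it points to has been removed; the comment should at least say `* Non-owning. Set by the transport-layer analyzers while the packet is being processed; presumably only valid for the duration of that processing — do not retain.` (the lifetime part needs confirming by the author). The `is_orig` default of `false` is also indistinguishable from "packet from the responder" when no session was found, so its comment should note that it is only meaningful when `session` is non-null. Since the header only stores a pointer, a forward declaration `namespace session { class Session; }` would avoid pulling `zeek/session/Session.h` into every translation unit that includes Packet.h. The enclosing class starts and ends outside the hunk.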


@ -121,6 +121,10 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
return; return;
} }
// Store the session in the packet in case we get an encapsulation here. We need it for
// handling those properly.
pkt->session = c;
ForwardPacket(len, data, pkt); ForwardPacket(len, data, pkt);
if ( remaining >= len ) if ( remaining >= len )
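Review bot: `pkt->session = c;` is assigned here and never reset after `ForwardPacket` returns, so if the Packet object is reused or outlives the connection (not visible from this hunk) the pointer goes stale; either clear it after forwarding or document that a Packet is never reused across sessions. The same assignment with the same comment is repeated verbatim in TCPAnalyzer::DeliverPacket and UDPAnalyzer::DeliverPacket; since IPBasedAnalyzer::AnalyzePacket already has `conn` in hand where this commit sets `pkt->is_orig`, setting `pkt->session = conn;` there once alongside it would keep both fields in a single place, unless DeliverPacket is also reached by a path that bypasses AnalyzePacket. ICMPAnalyzer::DeliverPacket starts and ends outside the hunk.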


@ -68,6 +68,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
pkt->processed = true; pkt->processed = true;
bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort()); bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
pkt->is_orig = is_orig;
conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel()); conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
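Review bot: The commit description says `is_orig` is stored "if a UDP header was found", but this assignment sits in IPBasedAnalyzer::AnalyzePacket and appears to run for every IP-based analyzer that reaches it, so the description reads narrower than the code; the description, or a comment above the assignment such as `// Record direction on the packet for analyzers further down the chain (set for all IP-based protocols, not only UDP).`, should say which it is. Packets that return before this point keep the default `false`, which is worth stating in Packet.h. AnalyzePacket starts and ends outside the hunk.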


@ -120,6 +120,10 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
adapter->Process(is_orig, tp, len, ip, data, remaining); adapter->Process(is_orig, tp, len, ip, data, remaining);
// Store the session in the packet in case we get an encapsulation here. We need it for
// handling those properly.
pkt->session = c;
// Send the packet back into the packet analysis framework. // Send the packet back into the packet analysis framework.
ForwardPacket(len, data, pkt); ForwardPacket(len, data, pkt);


@ -211,6 +211,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
adapter->Event(udp_reply); adapter->Event(udp_reply);
} }
// Store the session in the packet in case we get an encapsulation here. We need it for
// handling those properly.
pkt->session = c;
// Send the packet back into the packet analysis framework. We only check the response // Send the packet back into the packet analysis framework. We only check the response
// port here because the orig/resp should have already swapped around based on // port here because the orig/resp should have already swapped around based on
// likely_server_ports. This also prevents us from processing things twice if protocol // likely_server_ports. This also prevents us from processing things twice if protocol