GH-1620: Add event and plugin hook to track packets not processed
This commit is contained in:
parent
8fece3d8ea
commit
fe932944c4
16 changed files with 194 additions and 25 deletions
@ -68,6 +68,8 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u
tunnel_type = BifEnum::Tunnel::IP;
gre_version = -1;
gre_link_type = DLT_RAW;
processed = false;
}
Packet::~Packet()
@ -146,6 +148,33 @@ RecordValPtr Packet::ToRawPktHdrVal() const
return pkt_hdr;
}
RecordValPtr Packet::ToVal(const Packet* p)
{
static auto pcap_packet = zeek::id::find_type<zeek::RecordType>("pcap_packet");
auto val = zeek::make_intrusive<zeek::RecordVal>(pcap_packet);
if ( p )
{
val->Assign(0, static_cast<uint32_t>(p->ts.tv_sec));
val->Assign(1, static_cast<uint32_t>(p->ts.tv_usec));
val->Assign(2, p->cap_len);
val->Assign(3, p->len);
val->Assign(4, zeek::make_intrusive<zeek::StringVal>(p->cap_len, (const char*)p->data));
val->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(p->link_type));
}
else
{
val->Assign(0, 0);
val->Assign(1, 0);
val->Assign(2, 0);
val->Assign(3, 0);
val->Assign(4, zeek::val_mgr->EmptyString());
val->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
}
return val;
}
ValPtr Packet::FmtEUI48(const u_char* mac) const
{
char buf[20];
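Review bot: In `ToVal`, the captured payload is handed to `StringVal` through a C-style cast, `(const char*)p->data`, while the rest of the function uses named casts; `reinterpret_cast<const char*>(p->data)` would keep the style consistent and the cast greppable. The timestamp fields are also narrowed with `static_cast<uint32_t>(p->ts.tv_sec)`; if the `pcap_packet` record's `ts_sec` field is a 64-bit count (its width is not visible in this hunk), assigning the value unnarrowed would avoid wrapping once `tv_sec` no longer fits in 32 bits. The null-`p` branch deliberately fills the record with zeros, an empty string and `LINK_UNKNOWN`, which deserves a one-line comment such as `// No current packet: return a fully populated, zeroed record so callers always get a well-formed value.` The `Init` hunk earlier in this section and `FmtEUI48` at its end both have bodies that continue outside the hunks.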
@ -122,6 +122,12 @@ public:
*/
RecordValPtr ToRawPktHdrVal() const;
/**
* Returns a RecordVal that represents the Packet. This is used
* by the get_current_packet bif.
*/
static RecordValPtr ToVal(const Packet* p);
/**
* Maximal length of a layer 2 address.
*/
@ -241,6 +247,14 @@ public:
*/
int gre_link_type = DLT_RAW;
/**
* This flag indicates whether a packet has been processed. This can
* mean different things depending on the traffic, but generally it
* means that a packet has been logged in some way. We default to
* false, and this can be set to true for any number of reasons.
*/
bool processed = false;
private:
// Renders an MAC address into its ASCII representation.
ValPtr FmtEUI48(const u_char* mac) const;
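Review bot: The new doc comment on `ToVal` does not say what is returned when `p` is null, even though the declaration takes a pointer and the definition in this commit handles that case explicitly; adding `* If p is null, a record with zeroed fields, an empty data string and link type LINK_UNKNOWN is returned.` would make the contract visible to callers of `get_current_packet`. The `processed` flag is a public, mutable member whose comment says it "can mean different things depending on the traffic"; naming which code paths are expected to set it and which are expected to read it would help readers decide when to honour it. Both hunks sit inside `class Packet`, whose declaration starts and ends outside this section.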