GH-1620: Add event and plugin hook to track packets not processed

2025-10-09 01:58:20 +00:00 · 2021-11-04 14:59:16 -07:00 · 2021-11-04 14:59:16 -07:00 · fe932944c4
commit fe932944c4
parent 8fece3d8ea
16 changed files with 194 additions and 25 deletions
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@ -7,6 +7,7 @@
 #include "zeek/iosource/PktDumper.h"
 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Dispatcher.h"
+#include "zeek/plugin/Manager.h"
 #include "zeek/zeek-bif.h"

 using namespace zeek::packet_analysis;
@ -106,6 +107,16 @@ void Manager::ProcessPacket(Packet* packet)
 	// Start packet analysis
 	root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type);

+	if ( ! packet->processed )
+		{
+		if ( packet_not_processed )
+			event_mgr.Enqueue(packet_not_processed, Packet::ToVal(packet));
+
+		plugin_mgr->HookUnprocessedPacket(packet);
+
+		total_not_processed++;
+		}
+
 	if ( raw_packet )
 		event_mgr.Enqueue(raw_packet, packet->ToRawPktHdrVal());

--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@ -2,6 +2,7 @@

 #pragma once

+#include "zeek/Func.h"
 #include "zeek/PacketFilter.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Component.h"
@ -126,6 +127,12 @@ public:
 		return pkt_filter;
 		}

+	/**
+	 * Returns the total number of packets received that weren't considered
+	 * processed by some analyzer.
+	 */
+	uint64_t GetUnprocessedCount() const { return total_not_processed; }
+
 private:
 	/**
 	 * Instantiates a new analyzer instance.
@ -163,6 +170,8 @@ private:
 	uint64_t unknown_sampling_rate = 0;
 	double unknown_sampling_duration = 0;
 	uint64_t unknown_first_bytes_count = 0;
+
+	uint64_t total_not_processed = 0;
 	};

 	} // namespace packet_analysis
--- a/src/packet_analysis/protocol/arp/ARP.cc
+++ b/src/packet_analysis/protocol/arp/ARP.cc
@ -101,6 +101,11 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}

+	// ARP packets are considered processed if we get to this point. There may be issues
+	// with the processing of them, but they're actually an ARP packet and anything else
+	// will be reported via events.
+	packet->processed = true;
+
 	// Check the address description fields.
 	switch ( ntohs(ah->ar_hrd) )
 		{
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@ -63,6 +63,10 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 	if ( ! conn )
 		return false;

+	// If we successfuly made a connection for this packet that means it'll eventually
+	// get logged, which means we can mark this packet as having been processed.
+	pkt->processed = true;
+
 	bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());

 	conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());