From 1e6cc76c836e79e8a0cd235c45c0dd6148b7687d Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 14 Apr 2023 09:17:01 -0700 Subject: [PATCH 1/8] Default tunnel_type in iosource::Packet to NONE --- src/iosource/Packet.cc | 2 +- src/iosource/Packet.h | 2 +- src/packet_analysis/protocol/ip/IP.cc | 7 +++++++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index e9edcab241..0a17a78968 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -67,7 +67,7 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u ip_hdr.reset(); proto = -1; - tunnel_type = BifEnum::Tunnel::IP; + tunnel_type = BifEnum::Tunnel::NONE; gre_version = -1; gre_link_type = DLT_RAW; diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 2719047415..bf5c221bd9 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -250,7 +250,7 @@ public: * the type of tunnel. It is used to pass the tunnel type between the * packet analyzers during analysis. */ - BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP; + BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::NONE; /** * If the packet contains a GRE tunnel, this field will contain the diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index ec2c6dcdc0..0fd7537197 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -2,6 +2,8 @@ #include "zeek/packet_analysis/protocol/ip/IP.h" +#include + #include "zeek/Discard.h" #include "zeek/Event.h" #include "zeek/Frag.h" @@ -269,6 +271,11 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } + // If the next protocol is a tunneled type, set the tunnel_type field in the packet to IP + // so that it gets handled correctly. + if ( proto == IPPROTO_IPV4 || proto == IPPROTO_IPV6 ) + packet->tunnel_type = BifEnum::Tunnel::IP; + switch ( proto ) { case IPPROTO_NONE: 
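Review bot: The doc comment above `tunnel_type` in the Packet.h hunk still only says the field holds "the type of tunnel"; now that the default is `NONE` it should say what that value means, e.g. `* Defaults to BifEnum::Tunnel::NONE, i.e. no analyzer has yet identified this packet as tunneled; the IP and GRE analyzers set it before forwarding.` The same default is written in `Packet::Init` in the Packet.cc hunk, so the two must be kept in sync; a one-line comment there pointing at the header declaration would help. In the IP.cc hunk the assignment to `BifEnum::Tunnel::IP` unconditionally replaces whatever an outer analyzer already stored, which looks intended for nested tunnels but deserves a sentence in the comment; `AnalyzePacket` begins before that hunk.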
From 69d72f3bbbd178af5a6c5c49ec376e055eb99355 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 13 Apr 2023 15:48:38 -0700 Subject: [PATCH 2/8] Expand support for Aruba protocol types in GRE analyzer This also fixes the GRE analyzer to forward into the IEEE 802.11 analyzer if it encounters Aruba packets with the proper protocol types. This way the QoS header can be handled correctly. --- scripts/base/packet-protocols/gre/main.zeek | 30 ++++++++++++++ src/packet_analysis/protocol/gre/GRE.cc | 45 ++++++--------------- 2 files changed, 43 insertions(+), 32 deletions(-) diff --git a/scripts/base/packet-protocols/gre/main.zeek b/scripts/base/packet-protocols/gre/main.zeek index 9039ff4dfb..da15dd125a 100644 --- a/scripts/base/packet-protocols/gre/main.zeek +++ b/scripts/base/packet-protocols/gre/main.zeek 
@@ -3,3 +3,33 @@ module PacketAnalyzer::GRE;
 export {
 const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IPTUNNEL &redef;
 }
+
+event zeek_init() &priority=20
+ {
+ # ARUBA
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8200, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8210, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8220, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8230, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8240, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8250, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8260, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8270, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8280, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8290, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82A0, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82B0, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82C0, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82D0, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82E0, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82F0, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8300, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8310, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8320, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8330, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8340, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8350, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8360, PacketAnalyzer::ANALYZER_IEEE802_11);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8370, PacketAnalyzer::ANALYZER_IEEE802_11);
+ # TODO: how to handle 0x9000 here, which should just be dropped?
+ }
\ No newline at end of file
diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc
index 4eefff20e8..b130097931 100644
--- a/src/packet_analysis/protocol/gre/GRE.cc
+++ b/src/packet_analysis/protocol/gre/GRE.cc
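Review bot: The twenty-four `register_packet_analyzer` calls in the added `zeek_init` handler differ only in the protocol-type constant, so a table of those values iterated in a loop would be easier to maintain and would let sites extend it: `const aruba_protocol_types: vector of count = vector(0x8200, 0x8210, ...) &redef;` in the export block and `for ( i in aruba_protocol_types ) PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, aruba_protocol_types[i], PacketAnalyzer::ANALYZER_IEEE802_11);` in the handler. The `# TODO` about 0x9000 should at least say what that type is and why a drop is expected; judging by the `default_analyzer` above and the comment in the GRE.cc hunk on the next line, an unregistered type is presumably forwarded to the IP tunnel analyzer rather than dropped, so a note on what currently happens to it would help. The file is also saved without a trailing newline.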
@@ -149,31 +149,10 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } } - - else if ( proto_typ == 0x8200 ) + else { - // ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then - // an 8-byte LLC header, then IPv4. There's very little in the way of documentation - // for ARUBA's header format. This is all based on the one sample file we have that - // contains it. - if ( len > gre_len + 34 ) - { - gre_link_type = DLT_EN10MB; - erspan_len = 34; - - // TODO: fix this, but it's gonna require quite a bit more surgery to the GRE - // analyzer to make it more independent from the IPTunnel analyzer. - // Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the - // first header as IP instead of Ethernet which it does by default when - // gre_version is 0. - gre_version = 1; - proto = (data[gre_len + 34] & 0xF0) >> 4; - } - else - { - Weird("truncated_GRE", packet); - return false; - } + // Otherwise let the packet analysis forwarding handle it. + proto = proto_typ; } } @@ -189,9 +168,8 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( flags_ver & 0x4000 ) { - // RFC 2784 deprecates the variable length routing field - // specified by RFC 1701. It could be parsed here, but easiest - // to just skip for now. + // RFC 2784 deprecates the variable length routing field specified by RFC 1701. It could be + // parsed here, but easiest to just skip for now. Weird("gre_routing", packet); return false; } @@ -209,7 +187,9 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } - if ( gre_version == 1 && proto_typ != 0x8200 ) + // For GRE version 1/PPP, reset the protocol based on a value from the PPP header. + // TODO: where are these two values defined? + if ( gre_version == 1 ) { uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2))); 
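Review bot: In the new `else` branch `proto = proto_typ;` stores the 16-bit GRE protocol type in the variable that the version-1 path (third hunk on this line, and the later patch-6 hunk) fills with IP protocol numbers such as `IPPROTO_IPV4`, and further down that variable is copied into `packet->proto` and used as the `ForwardPacket` dispatch key. Downstream analyzers then cannot tell which identifier space `packet->proto` is in. A comment at the assignment, e.g. `// proto now carries the GRE protocol type (an Ethertype-style value), not an IP protocol number; the version-1 branch below overwrites it with IPPROTO_*`, would make the overload explicit, or the Ethertype could be kept in its own variable and only passed to `ForwardPacket`. The enclosing if/else ladder and `AnalyzePacket` itself begin before this hunk.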
@@ -225,15 +205,16 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) data += gre_len + ppp_len + erspan_len; len -= gre_len + ppp_len + erspan_len; - // Treat GRE tunnel like IP tunnels, fallthrough to logic below now - // that GRE header is stripped and only payload packet remains. - // The only thing different is the tunnel type enum value to use. + // Treat GRE tunnel like IP tunnels, fallthrough to logic below now that GRE header is stripped + // and only payload packet remains. The only thing different is the tunnel type enum value to + // use. packet->tunnel_type = BifEnum::Tunnel::GRE; packet->gre_version = gre_version; packet->gre_link_type = gre_link_type; packet->proto = proto; - ForwardPacket(len, data, packet); + // This will default to forwarding into IP Tunnel unless something custom is set up. + ForwardPacket(len, data, packet, proto); return true; } From e4a1c308288d74a6ba7214f3d4909597906365f9 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 13 Apr 2023 15:48:06 -0700 Subject: [PATCH 3/8] Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled --- .../protocol/ieee802_11/IEEE802_11.cc | 26 +++++++++--------- .../btest/Traces/tunnels/gre-aruba-ccmp.pcap | Bin 0 -> 692 bytes .../btest/core/tunnels/gre-aruba-ccmp.zeek | 5 ++++ 3 files changed, 18 insertions(+), 13 deletions(-) create mode 100644 testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap create mode 100644 testing/btest/core/tunnels/gre-aruba-ccmp.zeek diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index ad1ce796f2..edc04e08d0 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc 
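Review bot: The result of `ForwardPacket(len, data, packet, proto);` is discarded and the function returns `true` unconditionally, so a failure inside the inner analyzer (the IP tunnel analyzer by default, per the new comment) is reported to the caller as success; the IEEE 802.11 analyzer changed later in this series returns the forwarding result directly. `return ForwardPacket(len, data, packet, proto);` would make the two consistent, unless some caller relies on GRE always reporting success, which is worth confirming before changing. `AnalyzePacket` begins before this hunk.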
@@ -26,19 +26,22 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( (fc_80211 >> 4) & 0x04 ) return false; - // 'To DS' and 'From DS' flags set indicate use of the 4th - // address field. + // 'To DS' and 'From DS' flags set indicate use of the 4th address field. if ( (data[1] & 0x03) == 0x03 ) len_80211 += packet->L2_ADDR_LEN; // Look for the QoS indicator bit. if ( (fc_80211 >> 4) & 0x08 ) { - // Skip in case of A-MSDU subframes indicated by QoS - // control field. + // Skip in case of A-MSDU subframes indicated by QoS control field. if ( data[len_80211] & 0x80 ) return false; + // Check for the protected bit. This means the data is encrypted and we can't + // do anything with it. + if ( data[1] & 0x40 ) + return true; + len_80211 += 2; } @@ -48,8 +51,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* return false; } - // Determine link-layer addresses based - // on 'To DS' and 'From DS' flags + // Determine link-layer addresses based on 'To DS' and 'From DS' flags switch ( data[1] & 0x03 ) { case 0x00: @@ -83,10 +85,9 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* return false; } - // Check that the DSAP and SSAP are both SNAP and that the control - // field indicates that this is an unnumbered frame. - // The organization code (24bits) needs to also be zero to - // indicate that this is encapsulated ethernet. + // Check that the DSAP and SSAP are both SNAP and that the control field indicates that this is + // an unnumbered frame. The organization code (24bits) needs to also be zero to indicate that + // this is encapsulated ethernet. if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 && data[5] == 0 ) { 
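Review bot: The new Protected-bit test `if ( data[1] & 0x40 ) return true;` sits inside the QoS branch, so an encrypted data frame whose QoS subtype bit is clear is not caught and its encrypted payload is handed to the LLC/SNAP check below, where it will usually just fail silently. The Protected Frame flag lives in the Frame Control field and applies to every data frame, so the check belongs before the QoS test, next to the To DS/From DS handling; the patch-5 hunks later in this series keep the same placement. Returning `true` also emits no weird from this analyzer even though the new btest on the next line expects one in weird.log, so unless it is produced elsewhere a `Weird(...)` with a name of your choosing should precede the return, and the comment should say why success rather than failure is the intended result. `AnalyzePacket` begins before this hunk.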
@@ -94,9 +95,8 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* } else { - // If this is a logical link control frame without the - // possibility of having a protocol we care about, we'll - // just skip it for now. + // If this is a logical link control frame without the possibility of having a protocol we + // care about, we'll just skip it for now. return false; } diff --git a/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap b/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8a032644216bea34baccfd9279cfc39bcd18bead GIT binary patch literal 692 zcmca|c+)~A1{MYcU}0bca;zqOOX_vuV6X#nK$w9cj)9SpK}wG4--bp81~Co>R|ZBM zkoZ6S`o~<4#5lRq1o9aeni)ErW=YLhpL(igzr*8eNk0yBJosF{?f^(-VgZ8!$f&|8 zhO51WUYOLJc+YQo%I)WoQm zx5(BdE!@!KHNB|rENgk~O`o*lo9T@?i?UiXKbbr7i$&UBarngMzb4`UC^Q!$g(fg$ Z&gu6+LZ*>{<3A!a|LQl4h9-f~1OPdrCN2N~ literal 0 HcmV?d00001 diff --git a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek new file mode 100644 index 0000000000..5ef3060638 --- /dev/null +++ b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek @@ -0,0 +1,5 @@ +# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data. +# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT +# @TEST-EXEC: btest-diff weird.log + +@load base/frameworks/notice/weird From 5b1c6216bd69e47a3ebdc27ecc3382a2ae5a9b07 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 13 Apr 2023 17:11:23 -0700 Subject: [PATCH 4/8] Fix IEEE 802.11 analyzer to properly forward tunneled packets This mostly happens with Aruba, but could possibly happen with other tunnels too. --- scripts/base/packet-protocols/ieee802_11/main.zeek | 4 ++++ .../protocol/ieee802_11/IEEE802_11.cc | 14 +++++++++++++- testing/btest/Baseline/plugins.hooks/output | 9 +++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) 
diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek index 426497f5a1..9a58f5502f 100644 --- a/scripts/base/packet-protocols/ieee802_11/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11/main.zeek @@ -6,4 +6,8 @@ event zeek_init() &priority=20 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x86DD, PacketAnalyzer::ANALYZER_IP); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0806, PacketAnalyzer::ANALYZER_ARP); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x8035, PacketAnalyzer::ANALYZER_ARP); + + # IPv4 and IPv6 tunnels + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0004, PacketAnalyzer::ANALYZER_IPTUNNEL); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0029, PacketAnalyzer::ANALYZER_IPTUNNEL); } \ No newline at end of file diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index edc04e08d0..c0969ee2e0 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -103,5 +103,17 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* uint32_t protocol = (data[0] << 8) + data[1]; data += 2; - return ForwardPacket(len - len_80211, data, packet, protocol); + if ( packet->tunnel_type == BifEnum::Tunnel::NONE ) + return ForwardPacket(len - len_80211, data, packet, protocol); + else + { + // For tunneled packets, reset the packet's protocol based on the one in the LLC header. + // This makes sure that the IP analyzer can process it correctly. + if ( protocol == 0x0800 ) + packet->proto = IPPROTO_IPV4; + else if ( protocol == 0x86DD ) + packet->proto = IPPROTO_IPV6; + + return ForwardPacket(len - len_80211, data, packet, packet->proto); + } } 
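Review bot: The two added registrations key `PacketAnalyzer::ANALYZER_IEEE802_11` on `0x0004` and `0x0029`, which are IP protocol numbers, while the three context lines above key the same analyzer on Ethertypes; the IEEE802_11.cc hunk on this line makes that work by dispatching tunneled frames on `packet->proto` instead of the LLC protocol, so the analyzer's dispatch table now mixes two identifier spaces. That deserves an explicit comment, e.g. `# IP protocol numbers, not Ethertypes: the 802.11 analyzer dispatches tunneled frames on packet->proto`. The file is still saved without a trailing newline.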
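Review bot: In the new `else` branch, when the LLC protocol is neither `0x0800` nor `0x86DD`, `packet->proto` keeps whatever value the enclosing tunnel analyzer left in it and the frame is forwarded on that stale key instead of on `protocol`; a non-IP frame inside an Aruba tunnel would, as far as I can tell, be dispatched as though it were the outer protocol. Either fall back to `return ForwardPacket(len - len_80211, data, packet, protocol);` in that case or return `false` with a weird. The same shape is carried into `HandleInnerPacket` by the `@@ -100,11 +167,13` hunk of the patch-5 change later on this page, so the fix applies there too. `AnalyzePacket` begins before this hunk.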
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index e39717caf7..b386ac135e 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -650,10 +650,13 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GRE, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 4, PacketAnalyzer::ANALYZER_IPTUNNEL)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 41, PacketAnalyzer::ANALYZER_IPTUNNEL)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , 
(PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP)) -> 
@@ -2228,10 +2231,13 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GRE, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 4, PacketAnalyzer::ANALYZER_IPTUNNEL)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 41, PacketAnalyzer::ANALYZER_IPTUNNEL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 17, 
PacketAnalyzer::ANALYZER_UDP)) @@ -3805,10 +3811,13 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 105, PacketAnalyzer::ANALYZER_IEEE802_11) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 4, PacketAnalyzer::ANALYZER_IPTUNNEL) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 41, PacketAnalyzer::ANALYZER_IPTUNNEL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP) From 2d05beac06462ab21b1b993763104594965b49b6 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Fri, 14 Apr 2023 15:01:14 -0700 Subject: [PATCH 5/8] Add support for 802.11 A-MSDU aggregates --- src/TunnelEncapsulation.cc | 12 +++ src/TunnelEncapsulation.h | 5 + .../protocol/ieee802_11/IEEE802_11.cc | 87 ++++++++++++++++-- .../protocol/ieee802_11/IEEE802_11.h | 3 + .../core.tunnels.gre-aruba-amsdu/conn.log | 11 +++ .../core.tunnels.gre-aruba-amsdu/tunnel.log | 11 +++ .../btest/Traces/tunnels/gre-aruba-amsdu.pcap | Bin 0 -> 509 bytes .../btest/core/tunnels/gre-aruba-amsdu.zeek | 7 ++ 8 files changed, 127 insertions(+), 9 deletions(-) create mode 100644 testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log create mode 100644 testing/btest/Traces/tunnels/gre-aruba-amsdu.pcap create mode 100644 testing/btest/core/tunnels/gre-aruba-amsdu.zeek diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc index 3bd503a85a..8fd1041ff6 100644 --- a/src/TunnelEncapsulation.cc +++ b/src/TunnelEncapsulation.cc @@ -3,6 +3,7 @@ #include "zeek/TunnelEncapsulation.h" #include "zeek/Conn.h" +#include "zeek/Reporter.h" #include "zeek/util.h" namespace zeek @@ -56,4 +57,15 @@ bool operator==(const EncapsulationStack& e1, const EncapsulationStack& e2) return true; } +void EncapsulationStack::Pop() + { + if ( Depth() == 0 ) + { + reporter->InternalWarning("Attempted to pop from empty EncapsulationStack\n"); + return; + } + + conns->pop_back(); + } + } // namespace zeek diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index 88258e297f..2702131441 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h @@ -249,6 +249,11 @@ public: return nullptr; } + /** + * Pops the last element off the encapsulation stack. + */ + void Pop(); + protected: std::vector* conns; }; diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index c0969ee2e0..e7e80a2545 100644 
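Review bot: `EncapsulationStack::Pop()` guards on `Depth() == 0` and then calls `conns->pop_back()`; `conns` is a pointer (the `std::vector* conns;` member shown in the header hunk), so this is only safe if `Depth()` returns 0 whenever `conns` is null, which should be confirmed or replaced by testing `! conns || conns->empty()` directly. The `InternalWarning` text ends in `\n`; check whether the reporter already terminates its messages, and drop it if so. The new header comment could state the empty-stack behaviour: `Pops the last element off the encapsulation stack. Reports an internal warning and does nothing when the stack is empty.`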
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -17,6 +17,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* } u_char fc_80211 = data[0]; // Frame Control field + bool is_amsdu = false; // Skip non-data frame types (management & control). if ( ! ((fc_80211 >> 2) & 0x02) ) @@ -33,9 +34,9 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* // Look for the QoS indicator bit. if ( (fc_80211 >> 4) & 0x08 ) { - // Skip in case of A-MSDU subframes indicated by QoS control field. - if ( data[len_80211] & 0x80 ) - return false; + // Store off whether this is an A-MSDU header, which indicates that there are + // mulitple packets following the 802.11 header. + is_amsdu = (data[len_80211] & 0x80) == 0x80; // Check for the protected bit. This means the data is encrypted and we can't // do anything with it. 
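Review bot: The added comment has a typo, `mulitple`, and would read more precisely as `// Remember whether this is an A-MSDU frame: the 802.11 header is then followed by several subframes rather than a single LLC header.` The `is_amsdu` flag is declared at function scope in the first hunk on this line; a short comment there such as `// set from the QoS control field below` would tie the declaration to its only assignment. `AnalyzePacket` begins before these hunks.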
@@ -75,13 +76,78 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* break; } - // skip 802.11 data header + // skip the 802.11 data header data += len_80211; + len -= len_80211; - len_80211 += 8; - if ( len_80211 >= len ) + if ( ! is_amsdu ) { - Weird("truncated_802_11_header", packet); + return HandleInnerPacket(len, data, packet); + } + else + { + size_t amsdu_padding = 0; + size_t encap_index = packet->encap ? packet->encap->Depth() : 0; + + while ( len > 0 ) + { + if ( len < 14 ) + { + Weird("truncated_802_11_amsdu_header", packet); + return false; + } + + // This is the length of everything after the A-MSDU subframe header. + size_t amsdu_len = (data[12] << 8) + data[13]; + if ( len < amsdu_len ) + { + Weird("truncated_802_11_amsdu_packet", packet); + return false; + } + + // Skip the A-MSDU subframe header. This should place us at the start of an LLC header. + data += 14; + len -= 14; + + if ( ! HandleInnerPacket(amsdu_len, data, packet) ) + { + Weird("invalid_802_11_amsdu_inner_packet", packet); + return false; + } + + data += amsdu_len; + len -= amsdu_len; + + // Each A-MSDU subframe is padded by up to 3 bytes to make a multiple of 4. This padding + // isn't included in the length field value. The padding also doesn't happen with the + // last subframe, so check to see that we can even subtract it. Unfortunately, there + // isn't a frame counter in the header so we just have trust that it all works out. + amsdu_padding = amsdu_len % 4; + if ( len >= amsdu_padding ) + { + data += amsdu_padding; + len -= amsdu_padding; + } + + // Pop encapsuations back up to the level where we started processing so that the next + // subframe gets the same encapsulation stack. 
+ if ( packet->encap ) + { + while ( packet->encap->Depth() > encap_index ) + packet->encap->Pop(); + } + } + + return true; + } + } + +bool IEEE802_11Analyzer::HandleInnerPacket(size_t len, const uint8_t* data, Packet* packet) const + { + // Make sure there's room for an LLC header. + if ( len < 8 ) + { + Weird("truncated_802_11_llc_header", packet); return false; } @@ -92,6 +158,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* data[5] == 0 ) { data += 6; + len -= 6; } else { @@ -100,11 +167,13 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* return false; } + // Get the protocol and skip the rest of the LLC header. uint32_t protocol = (data[0] << 8) + data[1]; data += 2; + len -= 2; if ( packet->tunnel_type == BifEnum::Tunnel::NONE ) - return ForwardPacket(len - len_80211, data, packet, protocol); + return ForwardPacket(len, data, packet, protocol); else { // For tunneled packets, reset the packet's protocol based on the one in the LLC header. @@ -114,6 +183,6 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* else if ( protocol == 0x86DD ) packet->proto = IPPROTO_IPV6; - return ForwardPacket(len - len_80211, data, packet, packet->proto); + return ForwardPacket(len, data, packet, packet->proto); } } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index 282c76bbaf..23307c3d27 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -20,6 +20,9 @@ public: { return std::make_shared(); } + +private: + bool HandleInnerPacket(size_t len, const uint8_t* data, Packet* packet) const; }; } diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log new file mode 100644 index 0000000000..66e2c52380 --- /dev/null 
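Review bot: The length check in the A-MSDU loop runs before the 14-byte subframe header is subtracted: `if ( len < amsdu_len )` passes for, say, `len` 20 and `amsdu_len` 18, then `len -= 14` leaves 6 and `HandleInnerPacket(amsdu_len, data, packet)` is given a length larger than the remaining capture, so the LLC parsing and the forwarded analyzer read past the buffer, and the following `len -= amsdu_len` wraps the unsigned `len` so the loop keeps going over out-of-bounds memory. Change the test to `if ( len < 14 + amsdu_len )`, or move it after `len -= 14`. The padding formula `amsdu_padding = amsdu_len % 4;` is also wrong for even lengths: 802.11 pads each subframe including its 14-byte header to a 4-octet boundary, so it should be `amsdu_padding = (4 - ((14 + amsdu_len) % 4)) % 4;`. Note also that `HandleInnerPacket` returns `false` both after its own truncation weird and for ordinary non-SNAP frames, so the added `Weird("invalid_802_11_amsdu_inner_packet", packet)` double-reports the former and flags the latter as invalid. `AnalyzePacket` begins before this hunk.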
+++ b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 157.240.18.16 443 149.159.130.184 49392 tcp - - - - OTH F F 0 D 2 356 0 0 CHhAvVGS1DHFjwGM9 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log new file mode 100644 index 0000000000..a1529d17cf --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.226.22.9 0 10.102.16.187 0 Tunnel::GRE Tunnel::DISCOVER +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Traces/tunnels/gre-aruba-amsdu.pcap b/testing/btest/Traces/tunnels/gre-aruba-amsdu.pcap new file mode 100644 index 0000000000000000000000000000000000000000..064d87bcc87af0abb22c358d8c5152825374e7c2 GIT binary patch literal 509 zcmca|c+)~A1{MYcU}0bca%?7jOL}I@%y1RR0bvG)I0i;W1}QnFe;XPZ7{oXjTp1V- zgT(*o*E4WE6654b6WGnb(B#m;#K4dy>S5#l+~M)HlrK{{9(=A}cYuMR0V)dNGb*lH z#SGL9Hb?SsxdTH8+bsUMAA|&^&Trbmxck6|$wDb&>(-vuXpmq!p}L#_Xgdej)_uy4 zI?ay=i!(DbJougNzsdXbjrVK9J4N>IFI-o+*O1ei{w?1P8bV_0|z9b3Ge{oM Date: Thu, 20 Apr 2023 17:13:41 -0700 Subject: [PATCH 6/8] PPP in the GRE analyzer is actually PP*T*P --- src/packet_analysis/protocol/gre/GRE.cc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc index b130097931..7d7ca0f541 100644 --- a/src/packet_analysis/protocol/gre/GRE.cc +++ b/src/packet_analysis/protocol/gre/GRE.cc @@ -67,7 +67,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) unsigned int eth_len = 0; unsigned int gre_len = gre_header_len(flags_ver); - unsigned int ppp_len = gre_version == 1 ? 4 : 0; + unsigned int pptp_len = gre_version == 1 ? 4 : 0; unsigned int erspan_len = 0; if ( gre_version != 0 && gre_version != 1 ) @@ -160,7 +160,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( proto_typ != 0x880b ) { - // Enhanced GRE payload must be PPP. + // Enhanced GRE payload must be PPTP. Weird("egre_protocol_type", packet, util::fmt("proto=%d", proto_typ)); return false; } 
@@ -181,29 +181,29 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } - if ( len < gre_len + ppp_len + eth_len + erspan_len ) + if ( len < gre_len + pptp_len + eth_len + erspan_len ) { Weird("truncated_GRE", packet); return false; } - // For GRE version 1/PPP, reset the protocol based on a value from the PPP header. + // For GRE version 1/PPTP, reset the protocol based on a value from the PPTP header. // TODO: where are these two values defined? if ( gre_version == 1 ) { - uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2))); + uint16_t pptp_proto = ntohs(*((uint16_t*)(data + gre_len + 2))); - if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) + if ( pptp_proto != 0x0021 && pptp_proto != 0x0057 ) { Weird("non_ip_packet_in_encap", packet); return false; } - proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6; + proto = (pptp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6; } - data += gre_len + ppp_len + erspan_len; - len -= gre_len + ppp_len + erspan_len; + data += gre_len + pptp_len + erspan_len; + len -= gre_len + pptp_len + erspan_len; // Treat GRE tunnel like IP tunnels, fallthrough to logic below now that GRE header is stripped // and only payload packet remains. The only thing different is the tunnel type enum value to From f62f8e5cc9723891f3ae5fb499ad4bdf1c5a3791 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 24 Apr 2023 14:43:44 -0700 Subject: [PATCH 7/8] Remove workaround for tunnels from IEEE 802.11 analyzer --- scripts/base/packet-protocols/gre/main.zeek | 30 ------- .../packet-protocols/ieee802_11/main.zeek | 4 - .../base/packet-protocols/iptunnel/main.zeek | 31 +++++++ src/packet_analysis/protocol/gre/GRE.cc | 17 ++++ .../protocol/ieee802_11/IEEE802_11.cc | 14 +--- testing/btest/Baseline/plugins.hooks/output | 81 ++++++++++++++++--- .../btest/core/tunnels/gre-aruba-ccmp.zeek | 1 - 7 files changed, 121 insertions(+), 57 deletions(-) 
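Review bot: The `TODO: where are these two values defined?` carried over in this hunk can be answered instead of kept: 0x0021 and 0x0057 are the PPP DLL protocol numbers for IPv4 and IPv6 from the IANA "PPP Numbers" registry, and the 0x880B check above is the PPP protocol type that PPTP's enhanced GRE (RFC 2637) requires, so the 16-bit value read at `data + gre_len + 2` is the PPP protocol field following the 0xFF 0x03 address/control bytes rather than a PPTP-specific header. Renaming `ppp_proto` to `pptp_proto` (and "must be PPP" to "must be PPTP") therefore reads as less accurate than the original; consider keeping the PPP name for that value and replacing the TODO with `// PPP DLL protocol numbers (IANA "PPP Numbers"): 0x0021 = IPv4, 0x0057 = IPv6.`. Note that the 0xFF 0x03 bytes are never validated before the read, so a payload using address/control field compression would be parsed at the wrong offset and rejected as `non_ip_packet_in_encap` — presumably acceptable, but worth a comment. `GREAnalyzer::AnalyzePacket` starts and ends outside the hunk.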
diff --git a/scripts/base/packet-protocols/gre/main.zeek b/scripts/base/packet-protocols/gre/main.zeek index da15dd125a..9039ff4dfb 100644 --- a/scripts/base/packet-protocols/gre/main.zeek +++ b/scripts/base/packet-protocols/gre/main.zeek 
@@ -3,33 +3,3 @@ module PacketAnalyzer::GRE; export { const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IPTUNNEL &redef; } - -event zeek_init() &priority=20 - { - # ARUBA - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8200, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8210, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8220, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8230, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8240, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8250, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8260, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8270, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8280, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8290, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82A0, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82B0, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82C0, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82D0, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82E0, PacketAnalyzer::ANALYZER_IEEE802_11); - 
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82F0, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8300, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8310, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8320, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8330, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8340, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8350, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8360, PacketAnalyzer::ANALYZER_IEEE802_11); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8370, PacketAnalyzer::ANALYZER_IEEE802_11); - # TODO: how to handle 0x9000 here, which should just be dropped? - } \ No newline at end of file diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek index 9a58f5502f..426497f5a1 100644 --- a/scripts/base/packet-protocols/ieee802_11/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11/main.zeek 
@@ -6,8 +6,4 @@ event zeek_init() &priority=20 PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x86DD, PacketAnalyzer::ANALYZER_IP); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0806, PacketAnalyzer::ANALYZER_ARP); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x8035, PacketAnalyzer::ANALYZER_ARP); - - # IPv4 and IPv6 tunnels - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0004, PacketAnalyzer::ANALYZER_IPTUNNEL); - PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 0x0029, PacketAnalyzer::ANALYZER_IPTUNNEL); } \ No newline at end of file diff --git a/scripts/base/packet-protocols/iptunnel/main.zeek b/scripts/base/packet-protocols/iptunnel/main.zeek index d219c92522..79204f7084 100644 --- a/scripts/base/packet-protocols/iptunnel/main.zeek +++ b/scripts/base/packet-protocols/iptunnel/main.zeek 
@@ -3,3 +3,34 @@ module PacketAnalyzer::IPTUNNEL; export { const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; } + +event zeek_init() &priority=20 + { + # ARUBA is dispatched to 802.11. This currently relies on GRE to set + # gre_link_type = DLT_IEEE_802_11 as otherwise DLT_RAW is used. + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8200, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8210, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8220, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8230, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8240, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8250, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8260, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8270, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8280, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8290, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82A0, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82B0, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82C0, PacketAnalyzer::ANALYZER_IEEE802_11); + 
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82D0, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82E0, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82F0, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8300, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8310, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8320, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8330, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8340, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8350, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8360, PacketAnalyzer::ANALYZER_IEEE802_11); + PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8370, PacketAnalyzer::ANALYZER_IEEE802_11); + # TODO: how to handle 0x9000 here, which should just be dropped? + } diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc index 7d7ca0f541..9c1cf311ed 100644 --- a/src/packet_analysis/protocol/gre/GRE.cc +++ b/src/packet_analysis/protocol/gre/GRE.cc 
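Review bot: 0x9000 is matched by the new ARUBA branch that this same commit adds to GRE.cc (it sets `gre_link_type = DLT_IEEE802_11` and forwards with `proto = 0x9000`), but no IPTUNNEL mapping is registered for it here and the TODO is carried over unchanged. Unless IPTUNNEL discards protocol values with no registered child, such a packet presumably ends up at `default_analyzer` (ANALYZER_IP) while carrying an 802.11 link type, which is the opposite of the "should just be dropped" intent. Either register it explicitly to whatever analyzer is meant to swallow it, or replace the TODO with a comment recording the verified outcome, e.g. `# 0x9000 is matched by the GRE analyzer but deliberately has no child here; confirmed to be dropped rather than reaching default_analyzer.`. Also, the comment names `DLT_IEEE_802_11` while the constant set in GRE.cc is `DLT_IEEE802_11`; aligning the spelling avoids a dead grep.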
@@ -149,6 +149,23 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } } + else if ( ((proto_typ & 0x8200) == 0x8200 && (proto_typ & 0x0F) == 0) || + ((proto_typ & 0x8300) == 0x8300 && (proto_typ & 0x0F) == 0 && + (proto_typ <= 0x8370)) || + (proto_typ == 0x9000) ) + { + // ARUBA: Set gre_link_type to IEEE802.11 so the IPTUNNEL analyzer uses + // that to instantiate the fake tunnel packet, otherwise it'd be using + // DLT_RAW which is not correct for ARUBA. + if ( len <= gre_len ) + { + Weird("truncated_GRE", packet); + return false; + } + + gre_link_type = DLT_IEEE802_11; + proto = proto_typ; + } else { // Otherwise let the packet analysis forwarding handle it. diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index e7e80a2545..df9a8b0f26 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -172,17 +172,5 @@ bool IEEE802_11Analyzer::HandleInnerPacket(size_t len, const uint8_t* data, Pack data += 2; len -= 2; - if ( packet->tunnel_type == BifEnum::Tunnel::NONE ) - return ForwardPacket(len, data, packet, protocol); - else - { - // For tunneled packets, reset the packet's protocol based on the one in the LLC header. - // This makes sure that the IP analyzer can process it correctly. - if ( protocol == 0x0800 ) - packet->proto = IPPROTO_IPV4; - else if ( protocol == 0x86DD ) - packet->proto = IPPROTO_IPV6; - - return ForwardPacket(len, data, packet, packet->proto); - } + return ForwardPacket(len, data, packet, protocol); } diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index b386ac135e..69a57112af 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
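Review bot: The ARUBA guard added to GRE.cc matches far more than the 0x8200–0x8370 range it is meant to cover: `(proto_typ & 0x8200) == 0x8200 && (proto_typ & 0x0F) == 0` is true for any protocol type with bits 15 and 9 set and a zero low nibble (0x8640, 0xC200, 0xFFF0, …), and the `(proto_typ & 0x8300) == 0x8300` clause is subsumed by it, so the `<= 0x8370` bound never takes effect. Every such value then gets `gre_link_type = DLT_IEEE802_11` and is forwarded unchanged; since the IPTUNNEL script only registers 0x8200–0x8370, attacker-chosen GRE protocol types outside that range presumably land at IPTUNNEL's default analyzer with an 802.11 link type instead of going through the generic forwarding path below. A range check states the intent and is strictly narrower: `else if ( (proto_typ >= 0x8200 && proto_typ <= 0x8370 && (proto_typ & 0x0F) == 0) || proto_typ == 0x9000 )`. `GREAnalyzer::AnalyzePacket` starts and ends outside the hunk.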
@@ -650,13 +650,10 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> -0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GRE, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP)) -> -0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 4, PacketAnalyzer::ANALYZER_IPTUNNEL)) -> -0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 41, PacketAnalyzer::ANALYZER_IPTUNNEL)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , 
(PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP)) -> 
@@ -665,6 +662,30 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost 
CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost 
CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> 
@@ -2231,13 +2252,10 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GRE, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP)) -0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 4, PacketAnalyzer::ANALYZER_IPTUNNEL)) -0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 41, PacketAnalyzer::ANALYZER_IPTUNNEL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 17, 
PacketAnalyzer::ANALYZER_UDP)) 
@@ -2246,6 +2264,30 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , 
(PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, 
PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) 
@@ -3811,13 +3853,10 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET) -0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 105, PacketAnalyzer::ANALYZER_IEEE802_11) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP) -0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 4, PacketAnalyzer::ANALYZER_IPTUNNEL) -0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 41, PacketAnalyzer::ANALYZER_IPTUNNEL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP) 
@@ -3826,6 +3865,30 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction 
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11) +0.000000 | HookCallFunction 
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP) diff --git a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek index 5ef3060638..3f095ab6a1 100644 --- a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek +++ b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek @@ -1,5 +1,4 @@ # @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data. # @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT -# @TEST-EXEC: btest-diff weird.log @load base/frameworks/notice/weird From 43a2b39c05a389a0dc769c105e5e605af841ccce Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Tue, 25 Apr 2023 11:37:24 -0700 Subject: [PATCH 8/8] Add NEWS entry about 802.11 and ARUBA changes --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS b/NEWS index e5f1d11595..ba16d0881e 100644 --- a/NEWS +++ b/NEWS @@ -191,6 +191,11 @@ New Functionality Note: There is no tracking of cluster node connectivity. Thus, there is no guarantee that all peerings still exist at the time of these events being raised. +- The IEEE 802.11 packet analyzer gains the ability to parse encapsulated A-MSDU + packets, instead of just dropping them. It also gains the ability to properly + recognize CCMP-encrypted packets. These encrypted packets are currently + dropped to Zeek's inability to do anything with them. + Changed Functionality --------------------- 
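Review bot: Dropping the `btest-diff weird.log` line leaves gre-aruba-ccmp.zeek with no assertion at all, while its @TEST-DOC still states that the trace "should report a weird about encrypted data"; the test now only checks that zeek exits cleanly, so a regression in CCMP detection would pass silently. If the weird output changed with the 802.11 rework, keep `# @TEST-EXEC: btest-diff weird.log` and regenerate the baseline with `btest -u`; if no weird is expected any more, update the @TEST-DOC sentence so the test's claim matches what it checks.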
@@ -280,6 +285,9 @@ Changed Functionality - The ``ignore_checksums`` script variable now reflects the correct value when using the ``-C`` command-line flag. +- Support for ARUBA GRE tunnels now covers all of the known protocol type values + for those tunnels. + Removed Functionality ---------------------