Merge branch 'topic/timw/2167-aruba-expansion'

* topic/timw/2167-aruba-expansion:
  Add NEWS entry about 802.11 and ARUBA changes
  Remove workaround for tunnels from IEEE 802.11 analyzer
  PPP in the GRE analyzer is actually PP*T*P
  Add support for 802.11 A-MSDU aggregates
  Fix IEEE 802.11 analyzer to properly forward tunneled packets
  Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled
  Expand support for Aruba protocol types in GRE analyzer
  Default tunnel_type in iosource::Packet to NONE

CHANGES

@@ -1,3 +1,39 @@
+6.0.0-dev.430 | 2023-04-25 11:37:44 -0700
+
+  * Merge branch 'topic/timw/2167-aruba-expansion' (Tim Wojtulewicz)
+
+    * topic/timw/2167-aruba-expansion:
+      Add NEWS entry about 802.11 and ARUBA changes
+      Remove workaround for tunnels from IEEE 802.11 analyzer
+      PPP in the GRE analyzer is actually PP*T*P
+      Add support for 802.11 A-MSDU aggregates
+      Fix IEEE 802.11 analyzer to properly forward tunneled packets
+      Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled
+      Expand support for Aruba protocol types in GRE analyzer
+      Default tunnel_type in iosource::Packet to NONE
+
+  * Add NEWS entry about 802.11 and ARUBA changes (Tim Wojtulewicz)
+
+  * Remove workaround for tunnels from IEEE 802.11 analyzer (Tim Wojtulewicz, Corelight)
+
+  * PPP in the GRE analyzer is actually PP*T*P (Tim Wojtulewicz, Corelight)
+
+  * Add support for 802.11 A-MSDU aggregates (Tim Wojtulewicz, Corelight)
+
+  * Fix IEEE 802.11 analyzer to properly forward tunneled packets (Tim Wojtulewicz, Corelight)
+
+    This mostly happens with Aruba, but could possibly happen with other tunnels too.
+
+  * Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled (Tim Wojtulewicz, Corelight)
+
+  * Expand support for Aruba protocol types in GRE analyzer (Tim Wojtulewicz, Corelight)
+
+    This also fixes the GRE analyzer to forward into the IEEE 802.11 analyzer
+    if it encounters Aruba packets with the proper protocol types. This way
+    the QoS header can be handled correctly.
+
+  * Default tunnel_type in iosource::Packet to NONE (Tim Wojtulewicz, Corelight)
+
 6.0.0-dev.421 | 2023-04-25 12:39:01 +0200
 
   * Given the -C flag, set script-layer ignore_checksums to true. (Christian Kreibich, Corelight)

NEWS

@@ -191,6 +191,11 @@ New Functionality
   Note: There is no tracking of cluster node connectivity. Thus, there is no guarantee
   that all peerings still exist at the time of these events being raised.
 
+- The IEEE 802.11 packet analyzer gains the ability to parse encapsulated A-MSDU
+  packets, instead of just dropping them. It also gains the ability to properly
+  recognize CCMP-encrypted packets. These encrypted packets are currently
+  dropped to Zeek's inability to do anything with them.
+
 Changed Functionality
 ---------------------
 
@@ -280,6 +285,9 @@ Changed Functionality
 - The ``ignore_checksums`` script variable now reflects the correct value
   when using the ``-C`` command-line flag.
 
+- Support for ARUBA GRE tunnels now covers all of the known protocol type values
+  for those tunnels.
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-6.0.0-dev.421
+6.0.0-dev.430

scripts/base/packet-protocols/iptunnel/main.zeek

@@ -3,3 +3,34 @@ module PacketAnalyzer::IPTUNNEL;
 export {
 	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
 }
+
+event zeek_init() &priority=20
+	{
+	# ARUBA is dispatched to 802.11. This currently relies on GRE to set
+	# gre_link_type = DLT_IEEE_802_11 as otherwise DLT_RAW is used.
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8200, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8210, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8220, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8230, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8240, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8250, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8260, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8270, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8280, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8290, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82A0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82B0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82C0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82D0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82E0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82F0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8300, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8310, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8320, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8330, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8340, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8350, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8360, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8370, PacketAnalyzer::ANALYZER_IEEE802_11);
+	# TODO: how to handle 0x9000 here, which should just be dropped?
+	}

src/TunnelEncapsulation.cc

@@ -3,6 +3,7 @@
 #include "zeek/TunnelEncapsulation.h"
 
 #include "zeek/Conn.h"
+#include "zeek/Reporter.h"
 #include "zeek/util.h"
 
 namespace zeek
@@ -56,4 +57,15 @@ bool operator==(const EncapsulationStack& e1, const EncapsulationStack& e2)
 	return true;
 	}
 
+void EncapsulationStack::Pop()
+	{
+	if ( Depth() == 0 )
+		{
+		reporter->InternalWarning("Attempted to pop from empty EncapsulationStack\n");
+		return;
+		}
+
+	conns->pop_back();
+	}
+
 	} // namespace zeek

src/TunnelEncapsulation.h

@@ -249,6 +249,11 @@ public:
 		return nullptr;
 		}
 
+	/**
+	 * Pops the last element off the encapsulation stack.
+	 */
+	void Pop();
+
 protected:
 	std::vector<EncapsulatingConn>* conns;
 	};

src/iosource/Packet.cc

@@ -67,7 +67,7 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u
 	ip_hdr.reset();
 
 	proto = -1;
-	tunnel_type = BifEnum::Tunnel::IP;
+	tunnel_type = BifEnum::Tunnel::NONE;
 	gre_version = -1;
 	gre_link_type = DLT_RAW;
 

src/iosource/Packet.h

@@ -250,7 +250,7 @@ public:
 	 * the type of tunnel. It is used to pass the tunnel type between the
 	 * packet analyzers during analysis.
 	 */
-	BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP;
+	BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::NONE;
 
 	/**
 	 * If the packet contains a GRE tunnel, this field will contain the

src/packet_analysis/protocol/gre/GRE.cc

@@ -67,7 +67,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	unsigned int eth_len = 0;
 	unsigned int gre_len = gre_header_len(flags_ver);
-	unsigned int ppp_len = gre_version == 1 ? 4 : 0;
+	unsigned int pptp_len = gre_version == 1 ? 4 : 0;
 	unsigned int erspan_len = 0;
 
 	if ( gre_version != 0 && gre_version != 1 )
@@ -149,31 +149,27 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 				return false;
 				}
 			}
-
+		else if ( ((proto_typ & 0x8200) == 0x8200 && (proto_typ & 0x0F) == 0) ||
-		else if ( proto_typ == 0x8200 )
+		          ((proto_typ & 0x8300) == 0x8300 && (proto_typ & 0x0F) == 0 &&
+		           (proto_typ <= 0x8370)) ||
+		          (proto_typ == 0x9000) )
 			{
-			// ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then
+			// ARUBA: Set gre_link_type to IEEE802.11 so the IPTUNNEL analyzer uses
-			// an 8-byte LLC header, then IPv4. There's very little in the way of documentation
+			// that to instantiate the fake tunnel packet, otherwise it'd be using
-			// for ARUBA's header format. This is all based on the one sample file we have that
+			// DLT_RAW which is not correct for ARUBA.
-			// contains it.
+			if ( len <= gre_len )
-			if ( len > gre_len + 34 )
-				{
-				gre_link_type = DLT_EN10MB;
-				erspan_len = 34;
-
-				// TODO: fix this, but it's gonna require quite a bit more surgery to the GRE
-				// analyzer to make it more independent from the IPTunnel analyzer.
-				// Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the
-				// first header as IP instead of Ethernet which it does by default when
-				// gre_version is 0.
-				gre_version = 1;
-				proto = (data[gre_len + 34] & 0xF0) >> 4;
-				}
-			else
 				{
 				Weird("truncated_GRE", packet);
 				return false;
 				}
+
+			gre_link_type = DLT_IEEE802_11;
+			proto = proto_typ;
+			}
+		else
+			{
+			// Otherwise let the packet analysis forwarding handle it.
+			proto = proto_typ;
 			}
 		}
 
@@ -181,7 +177,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		{
 		if ( proto_typ != 0x880b )
 			{
-			// Enhanced GRE payload must be PPP.
+			// Enhanced GRE payload must be PPTP.
 			Weird("egre_protocol_type", packet, util::fmt("proto=%d", proto_typ));
 			return false;
 			}
@@ -189,9 +185,8 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	if ( flags_ver & 0x4000 )
 		{
-		// RFC 2784 deprecates the variable length routing field
+		// RFC 2784 deprecates the variable length routing field specified by RFC 1701. It could be
-		// specified by RFC 1701. It could be parsed here, but easiest
+		// parsed here, but easiest to just skip for now.
-		// to just skip for now.
 		Weird("gre_routing", packet);
 		return false;
 		}
@@ -203,37 +198,40 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
-	if ( len < gre_len + ppp_len + eth_len + erspan_len )
+	if ( len < gre_len + pptp_len + eth_len + erspan_len )
 		{
 		Weird("truncated_GRE", packet);
 		return false;
 		}
 
-	if ( gre_version == 1 && proto_typ != 0x8200 )
+	// For GRE version 1/PPTP, reset the protocol based on a value from the PPTP header.
+	// TODO: where are these two values defined?
+	if ( gre_version == 1 )
 		{
-		uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
+		uint16_t pptp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
 
-		if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
+		if ( pptp_proto != 0x0021 && pptp_proto != 0x0057 )
 			{
 			Weird("non_ip_packet_in_encap", packet);
 			return false;
 			}
 
-		proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
+		proto = (pptp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
 		}
 
-	data += gre_len + ppp_len + erspan_len;
+	data += gre_len + pptp_len + erspan_len;
-	len -= gre_len + ppp_len + erspan_len;
+	len -= gre_len + pptp_len + erspan_len;
 
-	// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
+	// Treat GRE tunnel like IP tunnels, fallthrough to logic below now that GRE header is stripped
-	// that GRE header is stripped and only payload packet remains.
+	// and only payload packet remains.  The only thing different is the tunnel type enum value to
-	// The only thing different is the tunnel type enum value to use.
+	// use.
 	packet->tunnel_type = BifEnum::Tunnel::GRE;
 	packet->gre_version = gre_version;
 	packet->gre_link_type = gre_link_type;
 	packet->proto = proto;
 
-	ForwardPacket(len, data, packet);
+	// This will default to forwarding into IP Tunnel unless something custom is set up.
+	ForwardPacket(len, data, packet, proto);
 
 	return true;
 	}

src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc

@@ -17,6 +17,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 		}
 
 	u_char fc_80211 = data[0]; // Frame Control field
+	bool is_amsdu = false;
 
 	// Skip non-data frame types (management & control).
 	if ( ! ((fc_80211 >> 2) & 0x02) )
@@ -26,18 +27,21 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 	if ( (fc_80211 >> 4) & 0x04 )
 		return false;
 
-	// 'To DS' and 'From DS' flags set indicate use of the 4th
+	// 'To DS' and 'From DS' flags set indicate use of the 4th address field.
-	// address field.
 	if ( (data[1] & 0x03) == 0x03 )
 		len_80211 += packet->L2_ADDR_LEN;
 
 	// Look for the QoS indicator bit.
 	if ( (fc_80211 >> 4) & 0x08 )
 		{
-		// Skip in case of A-MSDU subframes indicated by QoS
+		// Store off whether this is an A-MSDU header, which indicates that there are
-		// control field.
+		// mulitple packets following the 802.11 header.
-		if ( data[len_80211] & 0x80 )
+		is_amsdu = (data[len_80211] & 0x80) == 0x80;
-			return false;
+
+		// Check for the protected bit. This means the data is encrypted and we can't
+		// do anything with it.
+		if ( data[1] & 0x40 )
+			return true;
 
 		len_80211 += 2;
 		}
@@ -48,8 +52,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 		return false;
 		}
 
-	// Determine link-layer addresses based
+	// Determine link-layer addresses based on 'To DS' and 'From DS' flags
-	// on 'To DS' and 'From DS' flags
 	switch ( data[1] & 0x03 )
 		{
 		case 0x00:
@@ -73,35 +76,101 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 			break;
 		}
 
-	// skip 802.11 data header
+	// skip the 802.11 data header
 	data += len_80211;
+	len -= len_80211;
 
-	len_80211 += 8;
+	if ( ! is_amsdu )
-	if ( len_80211 >= len )
 		{
-		Weird("truncated_802_11_header", packet);
+		return HandleInnerPacket(len, data, packet);
+		}
+	else
+		{
+		size_t amsdu_padding = 0;
+		size_t encap_index = packet->encap ? packet->encap->Depth() : 0;
+
+		while ( len > 0 )
+			{
+			if ( len < 14 )
+				{
+				Weird("truncated_802_11_amsdu_header", packet);
 				return false;
 				}
 
-	// Check that the DSAP and SSAP are both SNAP and that the control
+			// This is the length of everything after the A-MSDU subframe header.
-	// field indicates that this is an unnumbered frame.
+			size_t amsdu_len = (data[12] << 8) + data[13];
-	// The organization code (24bits) needs to also be zero to
+			if ( len < amsdu_len )
-	// indicate that this is encapsulated ethernet.
+				{
+				Weird("truncated_802_11_amsdu_packet", packet);
+				return false;
+				}
+
+			// Skip the A-MSDU subframe header. This should place us at the start of an LLC header.
+			data += 14;
+			len -= 14;
+
+			if ( ! HandleInnerPacket(amsdu_len, data, packet) )
+				{
+				Weird("invalid_802_11_amsdu_inner_packet", packet);
+				return false;
+				}
+
+			data += amsdu_len;
+			len -= amsdu_len;
+
+			// Each A-MSDU subframe is padded by up to 3 bytes to make a multiple of 4. This padding
+			// isn't included in the length field value. The padding also doesn't happen with the
+			// last subframe, so check to see that we can even subtract it. Unfortunately, there
+			// isn't a frame counter in the header so we just have trust that it all works out.
+			amsdu_padding = amsdu_len % 4;
+			if ( len >= amsdu_padding )
+				{
+				data += amsdu_padding;
+				len -= amsdu_padding;
+				}
+
+			// Pop encapsuations back up to the level where we started processing so that the next
+			// subframe gets the same encapsulation stack.
+			if ( packet->encap )
+				{
+				while ( packet->encap->Depth() > encap_index )
+					packet->encap->Pop();
+				}
+			}
+
+		return true;
+		}
+	}
+
+bool IEEE802_11Analyzer::HandleInnerPacket(size_t len, const uint8_t* data, Packet* packet) const
+	{
+	// Make sure there's room for an LLC header.
+	if ( len < 8 )
+		{
+		Weird("truncated_802_11_llc_header", packet);
+		return false;
+		}
+
+	// Check that the DSAP and SSAP are both SNAP and that the control field indicates that this is
+	// an unnumbered frame.  The organization code (24bits) needs to also be zero to indicate that
+	// this is encapsulated ethernet.
 	if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 &&
 	     data[5] == 0 )
 		{
 		data += 6;
+		len -= 6;
 		}
 	else
 		{
-		// If this is a logical link control frame without the
+		// If this is a logical link control frame without the possibility of having a protocol we
-		// possibility of having a protocol we care about, we'll
+		// care about, we'll just skip it for now.
-		// just skip it for now.
 		return false;
 		}
 
+	// Get the protocol and skip the rest of the LLC header.
 	uint32_t protocol = (data[0] << 8) + data[1];
 	data += 2;
+	len -= 2;
 
-	return ForwardPacket(len - len_80211, data, packet, protocol);
+	return ForwardPacket(len, data, packet, protocol);
 	}

src/packet_analysis/protocol/ieee802_11/IEEE802_11.h

@@ -20,6 +20,9 @@ public:
 		{
 		return std::make_shared<IEEE802_11Analyzer>();
 		}
+
+private:
+	bool HandleInnerPacket(size_t len, const uint8_t* data, Packet* packet) const;
 	};
 
 	}

src/packet_analysis/protocol/ip/IP.cc

@@ -2,6 +2,8 @@
 
 #include "zeek/packet_analysis/protocol/ip/IP.h"
 
+#include <netinet/in.h>
+
 #include "zeek/Discard.h"
 #include "zeek/Event.h"
 #include "zeek/Frag.h"
@@ -269,6 +271,11 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
+	// If the next protocol is a tunneled type, set the tunnel_type field in the packet to IP
+	// so that it gets handled correctly.
+	if ( proto == IPPROTO_IPV4 || proto == IPPROTO_IPV6 )
+		packet->tunnel_type = BifEnum::Tunnel::IP;
+
 	switch ( proto )
 		{
 		case IPPROTO_NONE:

testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	157.240.18.16	443	149.159.130.184	49392	tcp	-	-	-	-	OTH	F	F	0	D	2	356	0	0	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.226.22.9	0	10.102.16.187	0	Tunnel::GRE	Tunnel::DISCOVER
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/plugins.hooks/output

@@ -662,6 +662,30 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -2240,6 +2264,30 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -3817,6 +3865,30 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)

testing/btest/core/tunnels/gre-aruba-amsdu.zeek

@@ -0,0 +1,7 @@
+# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 QoS A-MSDU headers. This is testing that the tunnel is detected and that the conn byte size contains both A-MSDU subframe packets.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-amsdu.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/protocols/conn
+@load base/frameworks/tunnels

testing/btest/core/tunnels/gre-aruba-ccmp.zeek

@@ -0,0 +1,4 @@
+# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT
+
+@load base/frameworks/notice/weird