Tim Wojtulewicz
ed081212ae
Merge remote-tracking branch 'origin/topic/timw/vntag-in-vlan'
...
* origin/topic/timw/vntag-in-vlan:
Add analyzer registration from VLAN to VNTAG
(cherry picked from commit cb5e3d0054)
2025-03-18 16:18:13 -07:00
Tim Wojtulewicz
6d9d4523bc
Add registration for GRE-over-UDP
2023-10-16 11:42:24 -07:00
Arne Welzel
ee12a7a6e7
PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9)
...
Using pcaps from https://interop.seemann.io/ as samples for QUIC protocol
data didn't produce a conn.log for the contained data. `tcpdump -r`
and Wireshark do show the contained IP/UDP packets. Teach Zeek how
to handle link type DLT_PPP 0x09 using a new PPP analyzer based on the
PPPSerial analyzer code.
Usual update to files/x509 baseline after adding new analyzer due
to enum values changing.
2023-08-23 16:41:19 +02:00
Tim Wojtulewicz
7aa7909c94
Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers
2023-04-25 12:29:55 -07:00
Tim Wojtulewicz
c5b8603218
Remove non-standard way of forwarding out of the Ethernet analyzer
2023-04-25 12:29:55 -07:00
Tim Wojtulewicz
7e88a2b3fb
Add basic LLC, SNAP, and Novell 802.3 packet analyzers
2023-04-25 12:29:54 -07:00
Tim Wojtulewicz
f62f8e5cc9
Remove workaround for tunnels from IEEE 802.11 analyzer
2023-04-25 09:28:20 -07:00
Tim Wojtulewicz
5b1c6216bd
Fix IEEE 802.11 analyzer to properly forward tunneled packets
...
This mostly happens with Aruba, but could possibly happen with other tunnels too.
2023-04-25 09:28:20 -07:00
Tim Wojtulewicz
69d72f3bbb
Expand support for Aruba protocol types in GRE analyzer
...
This also fixes the GRE analyzer to forward into the IEEE 802.11 analyzer
if it encounters Aruba packets with the proper protocol types. This way
the QoS header can be handled correctly.
2023-04-25 09:28:20 -07:00
Eldon Koyle
32afbae9db
Use a default analyzer
...
Use a default analyzer instead of hardcoding a protocol number.
2023-02-16 19:39:27 -07:00
Eldon Koyle
56aa03031d
Simplify PBB analyzer by using Ethernet analyzer
...
After the first 4 bytes, this traffic actually just looks like Ethernet.
Rather than try to re-implement the Ethernet analyzer, just check the
length, skip 4 bytes, and pass it on.
2023-02-16 08:19:30 -07:00
Eldon Koyle
269cc15888
Cleanup and add customer MAC addresses
...
* Put c-dst/c-src in l2_dst/l2_src
* use #define instead of const int and move to PBB.h
2023-02-10 17:42:25 -07:00
Eldon Koyle
28d540483e
Add PBB (802.1ah) support
2023-02-10 15:30:01 -07:00
Arne Welzel
42be2444a7
gtpv1: Do not register for protocol detection
...
While reviewing/understanding the analyzer setup, it didn't seem like
GTPv1 implements packet_analysis::Analyzer::DetectProtocol(), so
should not register it for protocol_detection either.
Alternatively, maybe DetectProtocol() should've been implemented in
which case maybe this should be an issue?
2022-08-26 10:47:38 +02:00
Simeon Miteff
b8f0acb5f1
Add support for DLT_LINUX_SLL2 PCAP link-type
2022-08-24 10:38:31 +10:00
Tim Wojtulewicz
248325e301
Fix ethertype for ARP in Geneve forwarding rules
2021-12-09 14:58:08 -07:00
Tim Wojtulewicz
368dec8372
GH-1764: Update mappings for Geneve analyzer to IP4/IP6/ARP
2021-12-06 12:26:16 -07:00
Tim Wojtulewicz
2044fbe53b
Add GTPv1 packet analyzer, disable old analyzer
2021-11-23 19:36:50 -07:00
Tim Wojtulewicz
dc0ecf9811
Add Teredo packet analyzer, disable old analyzer
2021-11-23 19:36:50 -07:00
Tim Wojtulewicz
05574ecce1
Add VXLAN packet analyzer, disable old analyzer
2021-11-23 19:36:50 -07:00
Tim Wojtulewicz
cbb0bcd49c
Add Geneve packet analyzer, disable old analyzer
2021-11-23 19:36:50 -07:00
Tim Wojtulewicz
7e40094f2c
Add AYIYA packet analyzer, disable old analyzer
2021-11-23 19:36:50 -07:00
Tim Wojtulewicz
44e0760e96
Add PacketAnalyzer::register_for_port(s) functions
...
These allow packet analyzers to register ports as identifiers to forward from
parent analyzers, while also adding those ports to the now-global
Analyzer::ports table at the same time.
2021-11-23 19:36:50 -07:00
Johanna Amann
8192ad581d
Do not lookup ignore_checksums_nets for every packet
...
This could lead to a noticeable (single-percent) performance
improvement.
Most of the functionality for this is in the packet analyzers that now
cache ignore_checksums_nets.
Based on a patch by Arne Welzel (Corelight).
2021-08-06 10:32:53 +01:00
Tim Wojtulewicz
c1f0d312b5
Add base class for IP-based packet analyzers
2021-05-18 11:52:03 -07:00
Tim Wojtulewicz
0c3e3069d0
Added skeletons for TCP/UDP/ICMP packet analysis plugins.
...
This includes integration into the IP plugin and calling of the sessions code from each plugin.
2021-05-18 11:52:03 -07:00
Tim Wojtulewicz
f53448ccc9
GH-1389: Skip VN-Tag headers
2021-02-01 14:34:56 -07:00
Tim Wojtulewicz
efe42bc67b
Remove default_analyzer for Ethernet packet analyzer
2020-11-09 19:54:45 -07:00
Tim Wojtulewicz
cd06bf34c7
GH-1215: Remove dispatch_map from packet analysis, replace with BIF methods for registering dispatches
2020-11-02 19:03:25 +00:00
Tim Wojtulewicz
1cf251d1ca
Move IP and IP tunnel code from Sessions into packet analyzers
2020-10-15 12:18:30 -07:00
Jon Siwek
cee10b5dc6
Fix a Sphinx warning about misformatted packet analyzer comment
2020-09-23 22:52:35 -07:00
Jan Grashoefer
7ede4f48bd
Simplify packet analyzer config.
2020-09-23 11:13:29 -07:00
Jan Grashoefer
efa262a229
Make default packet analyzer definition explicit.
2020-09-23 11:13:29 -07:00
Jan Grashoefer
8f951574d7
Add explicit root analyzer for packet analysis.
2020-09-23 11:13:29 -07:00
Jan Grashoefer
3f3f00030d
Simplify MPLS analysis.
2020-09-23 11:13:29 -07:00
Jan Grashoefer
d5ca0f9da5
Rename DefaultAnalyzer to IP.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
fc814bd7e2
Add SkipAnalyzer.
...
This is WIP: The test case would require a new pcap or the possibility
to overwrite analyzer mappings. The CustomEncapsulationSkip method and
the corresponding options need to be removed.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
4aeab7402d
Improve naming in packet analysis.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
6365fa6d80
Migrate all packet analyzers to new API.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
cbdaa53f85
Remove magic identifiers from Ethernet analyzer.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
462b1fe3a2
Bring back default packet analysis.
...
Default analyzers can be configured per packet analyzer by omitting the
identifier in the ConfigEntry.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
9feda100b9
Move dispatching into packet analyzers.
...
WIP that updates only the Ethernet analyzer.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
e53ec46c23
Renamed LL-Analyzers to Packet Analyzers.
2020-09-23 11:13:28 -07:00