Broke out the stats collection into a bunch of new Bifs
in stats.bif. Scripts that use stats collection functions
have also been updated. More work to do.
- Removed the gap_report event. It wasn't used anymore
and functionally no more capable that scheduling events
and using the get_gap_summary bif.
- Added functionality to Dictionaries to count cumulative
numbers of inserts performed. This is further used to
measure the total number of connections of various types.
Previously only the number of active connections was
available.
- The Reassembler base class now tracks active reassembly
size for all subclasses (File/TCP/Frag & unknown).
- Improvements to the stats.log. Mostly, more information.
That way it can be reused more easily. This also avoid having to
change the serialization structure for packets, which is a problem as
external sources of packets (via Broccoli) wouldn't have the new
attributes available to send.
Also moving Packet.{h,cc} and Layer2.{h,cc} into iosource/, and
removing header size from properties that packet sources have to
provide, as we can now compute that easily from the link type.
Plus some more cleanup.
A bunch of infrastructure work to move IOSource, IOSourceRegistry (now
iosource::Manager) and PktSrc/PktDumper code into iosource/, and over
to a plugin structure.
Other IOSources aren't touched yet, they are still in src/*.
It compiles and does something with a small trace, but that's all I've
tested so far. There are quite certainly a number of problems left, as
well as various TODOs and cleanup; and nothing's cast in stone yet.
Will continue to work on this.
- Introducing analyzer::<protocol> namespaces.
- Moving protocol-specific events out of events.bif into analyzer/protocol/<protocol>/events.bif
- Moving ARP over (even though it's not an actual analyzer).
- Moving NetFlow over (even though it's not an actual analyzer).
- Moving MIME over (even though it's not an actual analyzer).
* origin/fastpath:
Add sorting canonifier to rotate-custom unit test. (addresses #846)
Fix compiler warnings
Fix segfault when there's an error/timeout resolving DNS requests.
Teredo bubble packets (IPv6 w/ No Next Header and zero Payload Length)
with data extending past the inner IPv6 header (the outer IPv4 header's
Total Length and UDP header's Length indicate this) now only raises
a "Teredo_payload_len_mismatch" weird instead of causing a
ProtocolViolation().
This also fixes a crash in NetSessions::ParseIPPacket() that occurred
when the packet length didn't match the payload length field.
* origin/topic/jsiwek/tunnels-merge:
Remove &synchronized from Tunnel::active table.
Refactor of interal tunnel analysis code.
Add state management of NetSessions's IP tunnel map.
Add "encap_hdr_size" option back in.
Script-layer tunnel interface cleanup.
- Pulled more common code into NetSessions::DoNextInnerPacket()
and made the pcap header it makes internally use network_time
- Remove Encapsulation class ctor from pointer
- Rename Encapsulation class to EncapsulationStack
Merge remote-tracking branch 'origin/topic/tunnels' into topic/robin/tunnels-merge
* origin/topic/tunnels: (41 commits)
Extend weird names that occur in core packet processing during decapsulation.
Add Teredo analysis option to reduce false positive decapsulation.
Just some cleanup/documentation of new tunnel-handling code.
Memory leak fixes
Add a config.h definition for IPPROTO_IPV4.
Add AYIYA tunnel decapsulation unit test.
Add Teredo-specific events.
Refactor some of the NetSessions routines that recurse on IP packets.
Add independent options to toggle the different decapsulation methods
Add more sanity checks before recursing on encapsulated IP packets.
Suppress Teredo weirds unless decapsulation was successful once before.
Tunnel support performance optimization.
Add Teredo tunnel decapsulation.
Fix for IP tunnel UID persistence.
Fix AYIYA analyzer tag.
Add summary documentation to tunnels/main.bro.
Make tunnels always identifiable by UID, tunnel.log now gets populated.
Some improvements to the AYIYA analyzer.
Remove Tunnel::decapsulate_ip option.
Remove invalid IP-in-IP encapsulated protocol value.
...
Appending a "_in_tunnel" to the weird name might help clarify that
the weird is happening with a packet that is attempting to be processed
as a result of decapsulation.
Without this change, flow labeling of connections over IPv6 are
only available in the per-packet types of events (e.g. new_packet)
in which header fields can be inspected, but now minimal tracking
of the most recent flow label is done internally and that's available
per-connection for all events that use connection record arguments.
Specifically, this adds a "flow_label" field to the "endpoint" record
type, which is used for both the "orig" and "resp" fields of
"connection" records. The new "connection_flow_label_changed" event
also allows tracking of changes in flow labels: it's raised each time
one direction of the connection starts using a different label.
- AYIYA works.
- AYIYA analyzed connections are still labelled wrong in conn.log (logged as syslog)
- Some clean up for left over code.
- Small refactoring to pass packets back from analyzers to core.
- $uid is now optional in conn logs since ip-in-ip tunnel parent's
won't have an actual connection.
UDP tunnel support removed for now, to be re-added in specific
analyzers later, but IP-in-IP is now decapsulated recursively
so nested tunnels can be seen and the inner packets get sent
through the IP fragment reassembler if necessary.
Conflicts:
doc/scripts/DocSourcesList.cmake
scripts/base/init-bare.bro
src/ConnCompressor.cc
src/Sessions.cc
Just trying to bring topic/gregor/tunnel up to date in this new branch.
Compiles, but untested.
The signatures of script-layer functions 'discarder_check_ip',
'discarder_check_tcp', 'discarder_check_udp', and 'discarder_check_icmp'
were changed to use the more general 'pkt_hdr' type as a parameter
instead of individual header types.
- The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
representing the full IPv6 header chain.
- The 'new_packet' event is now raised for IPv6 packets (addresses #523)
- A new event called 'ipv6_ext_header' is raised for any IPv6 packet
containing extension headers.
- A new event called 'esp_packet' is raised for any packets using ESP
('new_packet' and 'ipv6_ext_header' events provide connection info,
but that info can't be provided here since the upper-layer payload
is encrypted).
- The 'unknown_protocol' weird is now raised more reliably when Bro
sees a transport protocol or IPv6 extension header it can't handle.
(addresses #522)
Still need to do IPv6 fragment reassembly and needs more testing.
Internally, all BROv6 preprocessor switches were removed and
addr/subnet representations wrapped in the new IPAddr/IPPrefix classes.
Some script-layer changes of note:
- dns_AAAA_reply event signature changed: the string representation
of an IPv6 addr is easily derived from the addr value, it doesn't
need to be another parameter. This event also now generated directly
by the DNS analyzer instead of being "faked" into a dns_A_reply event.
- removed addr_to_count BIF. It used to return the host-order
count representation of IPv4 addresses only. To make it more
generic, we might later add a BIF to return a vector of counts
in order to support IPv6.
- changed the result of enclosing addr variables in vertical pipes
(e.g. |my_addr|) to return the bit-width of the address type which
is 128 for IPv6 and 32 for IPv4. It used to function the same
way as addr_to_count mentioned above.
- remove bro_has_ipv6 BIF
Checkpoint.
Decapsulation happens after IP Defragmentation. The "identity" of the
enclosing tunnel (the "parent") is added to the connection record of the
child (tunneled) connection as an optional field $tunnel_parent.
* origin/topic/seth/net-stats-bif:
Removing a stray print statement.
Changed netstats (packet loss) handling to script-land.
Nice idea to pass the old data into a regular scheduled event!
Conflicts:
src/event.bif
- Removed the net_stats_update event.
- Created a net_stats function for building and retrieving the
current network statistics.
- Removed the internal timer for firing the net_stats_update event
along with the global heartbeat_interval variable.
- Updated the netstats script to use the new BiF.
- Updated the stats script to use the new BiF.
