mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
30cb62362a
Loading policy/protocols/conntuple/vlan adapts Zeek's flow hashing and the script-layer conn_id record to show VLAN tags when present. I'm using script-layer ints for the VLAN tag representation for consistency with what we alrady do elsewhere, but it seems odd since they can never be negative. I'm currently skipping protocols/conntuple/vlan in test-all-policy since it otherwise affects the external testsuites -- could revisit if people feel it should run on these.
14 lines
530 B
Text
14 lines
530 B
Text
##! This script adapts Zeek's connection tuples to include 802.1Q VLAN and
|
|
##! Q-in-Q tags, when available. Zeek normally ignores VLAN tags in its flow
|
|
##! lookups; this change makes it factor them in and also makes those VLAN tags
|
|
##! part of the conn_id record.
|
|
|
|
redef record conn_id += {
|
|
## The outer VLAN for this connection, if applicable.
|
|
vlan: int &log &optional;
|
|
|
|
## The inner VLAN for this connection, if applicable.
|
|
inner_vlan: int &log &optional;
|
|
};
|
|
|
|
redef ConnTuple::builder = ConnTuple::CONNTUPLE_VLAN;
|