
This adds machinery to the packet_analysis manager for disabling and enabling packet analyzers and implements two low-level bifs to use it. Extend Analyzer::enable_analyzer() and Analyzer::disable_analyzer() to transparently work with packet analyzers, too. This also allows adding packet analyzers to Analyzer::disabled_analyzers.
# @TEST-DOC: Use Analyzer::disable_analyzer() and Analyzer::enable_analyzer() to disable the VXLAN packet analyzers at runtime based on total raw packet count.
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan.pcap %INPUT > output
# @TEST-EXEC: btest-diff output
#
# Running count of raw packets seen so far; the raw_packet handler uses it
# to decide when to toggle the VXLAN packet analyzer.
global all_packets: count = 0;
# Counts every raw packet and toggles the VXLAN packet analyzer at fixed
# packet numbers: disabled on packet 4, re-enabled on packet 8. The value
# returned by each call is printed, so it ends up in the btest baseline.
event raw_packet(hdr: raw_pkt_hdr)
	{
	all_packets += 1;
	print "packet", all_packets;

	if ( all_packets == 4 )
		{
		# From here until the analyzer is re-enabled, the test expects no
		# vxlan_packet events: packets 5 to 8 don't produce them. In this
		# window the script has no view of the encapsulated traffic.
		local disable_result = Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_VXLAN);
		print "Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_VXLAN)", disable_result;
		}
	else if ( all_packets == 8 )
		{
		# Turn VXLAN analysis back on; later packets should produce
		# vxlan_packet events again.
		local enable_result = Analyzer::enable_analyzer(PacketAnalyzer::ANALYZER_VXLAN);
		print "Analyzer::enable_analyzer(PacketAnalyzer::ANALYZER_VXLAN)", enable_result;
		}
	}
# Prints one line per vxlan_packet event: the outer connection's UID and the
# inner IP header. Whether these lines appear in the output shows whether the
# VXLAN packet analyzer was active for a given packet.
event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
	{
	local outer_uid = outer$uid;
	print "vxlan_packet", outer_uid, "inner", inner$ip;
	}