Closed awelzel closed 1 year ago
How about storing the TCI in the packet structure and leaving the dissection to script-land? This way we wouldn't drop information.
That is a great thought. It's striking that the existing VLAN analyzer doesn't extract them and there's no script-side support for dei/pcp or the full tci available via get_current_packet_header(). Possibly it just wasn't interesting enough, but it might be worth a discussion/historic view on the Zeek side.
Any extensions here would be available with Zeek 6.0 at the earliest, though, and we should do the obvious fix for the next 5.2.x maintenance release given this was externally reported (and that is also good for anyone using the external plugin).
Manual reproducer via veth interface (a dummy interface didn't reproduce the issue - possibly related to non-existent vlan offloading for dummy).
$ ip link add d0 type veth peer d1
$ ip link add link d1 name d1.29 type vlan id 29 egress-qos-map 0:2
# Up em all, then sniff d0 and replay into d1.29
$ zeek -C -i af_packet::d0 protocols/conn/vlan-logging LogAscii::use_json=T
$ tcpreplay -p 20 -i d1.29 httpbin-json.pcap
$ jq -c < conn.log
{"ts":1682157758.634443,"uid":"CO2AC14POY6u3l4xLd", ..., "vlan":16413}
A user reported observing vlan ids > 4095: the tp_vlan_tci (tag control information) from the kernel contains the full VLAN tag, including the Drop Eligible Indicator (DEI) and Priority Code Point (PCP), not just the vlan id:
https://community.zeek.org/t/zeek-reporting-vlan-ids-above-4095-bug-found/7000
Need to mask it with 0xfff.
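The bit layout behind the 0xfff mask, worked through on the value from the reproducer above, as an added example that is not code from the zeek-af_packet plugin or from Zeek. The helpers, the struct and the `AFPKT_STATUS_VLAN_VALID` name are mine; that constant only mirrors the value of `TP_STATUS_VLAN_VALID` in linux/if_packet.h so the block builds without kernel headers. The input 16413 is the `vlan` field from the conn.log line above; it decodes to vid 29 and pcp 2, which is exactly the `id 29 egress-qos-map 0:2` the veth setup used.

```c
#include <stdint.h>
#include <stdio.h>

/* 802.1Q Tag Control Information (TCI), 16 bits:
 *   bits 15..13  PCP  priority code point
 *   bit  12      DEI  drop eligible indicator
 *   bits 11..0   VID  VLAN identifier (0..4095)
 * Linux AF_PACKET hands this whole field over as tp_vlan_tci, so the
 * VID must be masked out before it is logged as a "vlan id". */
#define VLAN_VID_MASK  0x0fffu
#define VLAN_DEI_BIT   0x1000u
#define VLAN_PCP_SHIFT 13

/* Assumption: mirrors TP_STATUS_VLAN_VALID (1 << 4) from linux/if_packet.h.
 * The kernel sets it in tp_status only when tp_vlan_tci carries a real tag. */
#define AFPKT_STATUS_VLAN_VALID (1u << 4)

struct vlan_tag {
    uint16_t vid; /* 0..4095 */
    uint8_t  dei; /* 0 or 1 */
    uint8_t  pcp; /* 0..7 */
};

/* Split a raw TCI into its three components (the "dissect in script-land"
 * idea, done once here in C so the values can be checked). */
struct vlan_tag vlan_tci_split(uint16_t tci)
{
    struct vlan_tag t;
    t.vid = tci & VLAN_VID_MASK;
    t.dei = (tci & VLAN_DEI_BIT) ? 1 : 0;
    t.pcp = (uint8_t)(tci >> VLAN_PCP_SHIFT);
    return t;
}

/* Behaviour the issue reports: the whole TCI logged as the vlan id. */
uint16_t vlan_id_unmasked(uint16_t tci) { return tci; }

/* The fix: keep only the 12 VID bits. */
uint16_t vlan_id_masked(uint16_t tci) { return tci & VLAN_VID_MASK; }

/* Reassemble a TCI from its parts; handy for building test vectors. */
uint16_t vlan_tci_build(uint8_t pcp, uint8_t dei, uint16_t vid)
{
    return (uint16_t)(((pcp & 0x7u) << VLAN_PCP_SHIFT)
                      | (dei ? VLAN_DEI_BIT : 0u)
                      | (vid & VLAN_VID_MASK));
}

/* How a capture loop should consume the kernel fields: trust tp_vlan_tci
 * only when the status flag says a tag was present. Returns the masked
 * vid, or -1 when the frame carried no VLAN tag. */
int vlan_id_from_afpacket(uint32_t tp_status, uint16_t tp_vlan_tci)
{
    if (!(tp_status & AFPKT_STATUS_VLAN_VALID))
        return -1;
    return (int)vlan_id_masked(tp_vlan_tci);
}

int main(void)
{
    /* Constructed input: the "vlan" value from the reproducer's conn.log. */
    uint16_t tci = 16413; /* 0x401d */
    struct vlan_tag t = vlan_tci_split(tci);
    printf("tci=%u unmasked=%u vid=%u dei=%u pcp=%u\n",
           tci, vlan_id_unmasked(tci), t.vid, t.dei, t.pcp);
    return 0;
}
```

Two things worth keeping in mind when applying the mask in the plugin: the status bit check matters, because tp_vlan_tci is only meaningful when the kernel flagged it, and masking alone is not enough to tell "VID 0, tagged" apart from "no tag" on older header versions; and a vid of 0 after masking is a legal priority-tagged frame, not an error.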