================================ Zeek Packet Forwarding Questions ================================

Hello. I've developed a "protocol parser" in Zeek that uses the Zeek "packet_analysis" interface. Having done that, I have some questions on how to "properly" forward (non-matching) packets on to the next protocol Analyzer/parser.

----------------------------------------------------------------------------

My "main.zeek" script contains the following lines:

    # For non-matching packets, route these packets to the "default_analyzer."
    # Set the "default_analyzer" to the Zeek IP protocol analyzer.
    # const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;

    # Send all Ethernet frames that contain "IP" packets to the ANALYZER_PROTO_X protocol analyzer.
    # (The PROTO_X analyzer/parser will parse the IP packet contents. Then, if the packet contains a UDP payload, parse the UDP payload.
    # Finally, pass the UDP payload to the PROTO_X parser, to see if any PROTO_X protocol is present.)
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_PROTO_X);

    # If the current packet does not contain any PROTO_X protocol, forward it on to the Zeek (core) based IP protocol analyzer.
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PROTO_X, 0x0800, PacketAnalyzer::ANALYZER_IP);

----------------------------------------------------------------------------

My "PROTO_X.cc" plugin source file contains the following function definition:

    bool PROTO_XAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)

Near the end of the AnalyzePacket() function, the following "packet forwarding" call exists:

    // Pass the current IP packet back to the 'zeek core' "Analyzer_IP" analyzer:
    // 0x0800 == IP packet type (in EthernetType field)
    zeek::packet_analysis::Analyzer::ForwardPacket(len, data, packet, 0x0800);

----------------------------------------------------------------------------

Currently, my analyzer is able to parse PROTO_X traffic from IP packets that contain the PROTO_X payloads. IP packets that do not contain PROTO_X traffic (e.g. DNS, HTTP, etc.) are also parsed (and logged) correctly.

*** I'm wondering if I've set up the "packet forwarding" correctly for the PROTO_X protocol?

During testing, if I remove the following line from my PROTO_X.cc file, the parser stops working:

    zeek::packet_analysis::Analyzer::ForwardPacket(len, data, packet, 0x0800);

Also, if I remove the following line from my "main.zeek" script, the parser stops working:

    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PROTO_X, 0x0800, PacketAnalyzer::ANALYZER_IP);

So, both lines appear needed in my parser. (I know that other "built-in" Zeek packet_analysis analyzers usually contain a call to the zeek::packet_analysis::Analyzer::ForwardPacket() method too.)

Thanks for your help.

--Brett
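The script below is an added example, not Brett's main.zeek or any Zeek project script. It shows how the two pieces the post describes fit together: `register_packet_analyzer(PROTO_X, 0x0800, IP)` fills the entry in the PROTO_X analyzer's own dispatcher that `ForwardPacket(len, data, packet, 0x0800)` in PROTO_X.cc looks up, so removing either side leaves Zeek with no analyzer to hand the IP packet to. It also shows the `default_analyzer` route that the post has commented out; to my knowledge Zeek's `packet_analysis::Analyzer::Initialize()` resolves that constant by name as `PacketAnalyzer::<ANALYZER NAME>::default_analyzer`, which is why it only takes effect when declared inside the matching `module`. `PacketAnalyzer::ANALYZER_PROTO_X` is the post's hypothetical analyzer tag; `ANALYZER_ETHERNET` and `ANALYZER_IP` are Zeek's built-in tags.

```zeek
# Added example: a complete main.zeek for the hypothetical PROTO_X packet analyzer.
# The module name must match the analyzer's name for default_analyzer to be found.
module PacketAnalyzer::PROTO_X;

export {
	## Fallback child analyzer for this analyzer. It is used when PROTO_X.cc calls
	## ForwardPacket(len, data, packet) with no identifier, and as the fallback when
	## an identifier passed to ForwardPacket() has no registered child.
	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
}

# Registrations are BIF calls, so they belong in zeek_init rather than at top level.
event zeek_init()
	{
	# Ethernet -> PROTO_X: take over EtherType 0x0800 (IPv4) so PROTO_X sees every
	# IPv4 frame before Zeek's core IP analyzer does.
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800,
	                                         PacketAnalyzer::ANALYZER_PROTO_X);

	# PROTO_X -> IP: this is the dispatcher entry that
	# ForwardPacket(len, data, packet, 0x0800) in PROTO_X.cc resolves. Without it
	# (and without default_analyzer above) the lookup has no target and the IP
	# payload is never parsed, which matches the "parser stops working" symptom.
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PROTO_X, 0x0800,
	                                         PacketAnalyzer::ANALYZER_IP);
	}
```

With this layout the explicit 0x0800 registration and the `default_analyzer` constant are two routes to the same core IP analyzer, so the C++ side can forward either with the identifier (as the post does) or without one; keeping both means a missing registration degrades to the default rather than silently dropping the packet.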