
ARP: implement decoder and logger v3 #10675

Closed
wants to merge 5 commits into from

Conversation

glongo
Contributor

@glongo glongo commented Mar 20, 2024

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6827

Describe changes:

  • Remove casting to a packet.
  • Add changes to the appropriate commit.
  • Document the logger and ARP records.

SV_BRANCH=OISF/suricata-verify#1711

glongo added 5 commits March 20, 2024 10:01
This adds a decoder for ARP.

Ticket OISF#6827
This change exposes 'JSONFormatAndAddMACAddr' as a public function,
allowing it to be reused across modules, such as the ARP logger, for logging
MAC addresses extracted from ARP packets.
This adds a logger for ARP, disabled by default.

Ticket OISF#6827

codecov bot commented Mar 20, 2024

Codecov Report

Attention: Patch coverage is 28.12500%, with 138 lines in your changes missing coverage. Please review.

Project coverage is 82.67%. Comparing base (bf5cfd6) to head (02d962c).

@@            Coverage Diff             @@
##           master   #10675      +/-   ##
==========================================
- Coverage   82.72%   82.67%   -0.06%     
==========================================
  Files         926      928       +2     
  Lines      247633   247824     +191     
==========================================
+ Hits       204865   204880      +15     
- Misses      42768    42944     +176     
| Flag | Coverage Δ |
|---|---|
| fuzzcorpus | 64.00% <7.81%> (-0.22%) ⬇️ |
| suricata-verify | 61.89% <27.08%> (-0.09%) ⬇️ |
| unittests | 62.14% <3.12%> (-0.05%) ⬇️ |


@victorjulien
Member

The record looks a bit odd with the empty src_ip/dest_ip, 0 src_port/dest_port and empty proto.

```json
{
  "timestamp": "2024-03-20T11:38:24.524409+0000",
  "in_iface": "0000:01:00.0",
  "event_type": "arp",
  "src_ip": "",
  "src_port": 0,
  "dest_ip": "",
  "dest_port": 0,
  "proto": "",
  "pkt_src": "wire/pcap",
  "arp": {
    "hw_type": "ethernet",
    "proto_type": "ipv4",
    "opcode": "reply",
    "src_mac": "xx",
    "src_ip": "10.84.1.1",
    "dest_mac": "yy",
    "dest_ip": "10.84.1.14"
  }
}
```

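To make the `arp` object in the record above concrete, here is an added example that is not Suricata's decoder or logger code: a small C routine that parses the 28-byte Ethernet/IPv4 ARP header into the fields the record carries (`hw_type`, `proto_type`, `opcode`, `src_mac`, `src_ip`, `dest_mac`, `dest_ip`), rejects truncated or non-Ethernet/IPv4 headers before touching the body, and renders them in the same string forms (`ethernet`, `ipv4`, `reply`, colon-separated MAC, dotted IPv4). The names `ArpInfo`, `DecodeArpExample`, the formatting helpers and the sample reply frame are all constructed for this example and are not identifiers from the pull request.

```c
/* Added example, not Suricata's decoder: parse an Ethernet/IPv4 ARP header into
 * the fields the EVE "arp" record carries. All names and the sample frame are
 * constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_HDR_LEN     28      /* fixed size for hw_len 6 / proto_len 4 */
#define ARP_HW_ETHERNET 1
#define ARP_PROTO_IPV4  0x0800
#define ARP_OP_REQUEST  1
#define ARP_OP_REPLY    2

typedef struct ArpInfo {
    uint16_t hw_type;
    uint16_t proto_type;
    uint16_t opcode;
    uint8_t src_mac[6];
    uint8_t src_ip[4];
    uint8_t dest_mac[6];
    uint8_t dest_ip[4];
} ArpInfo;

static uint16_t ReadBe16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 0 on success, -1 when the buffer is shorter than the header or the
 * header is not Ethernet/IPv4 with 6-byte MACs and 4-byte addresses. The length
 * check comes first so the memcpy calls below never read past the buffer. */
int DecodeArpExample(const uint8_t *pkt, size_t len, ArpInfo *out)
{
    if (pkt == NULL || out == NULL || len < ARP_HDR_LEN)
        return -1;
    uint16_t hw_type = ReadBe16(pkt);
    uint16_t proto_type = ReadBe16(pkt + 2);
    uint8_t hw_len = pkt[4];
    uint8_t proto_len = pkt[5];
    if (hw_type != ARP_HW_ETHERNET || proto_type != ARP_PROTO_IPV4)
        return -1;
    if (hw_len != 6 || proto_len != 4)
        return -1;
    memset(out, 0, sizeof(*out));
    out->hw_type = hw_type;
    out->proto_type = proto_type;
    out->opcode = ReadBe16(pkt + 6);
    memcpy(out->src_mac, pkt + 8, 6);
    memcpy(out->src_ip, pkt + 14, 4);
    memcpy(out->dest_mac, pkt + 18, 6);
    memcpy(out->dest_ip, pkt + 24, 4);
    return 0;
}

/* String forms matching the record: "ethernet", "ipv4", "request"/"reply". */
const char *ArpHwTypeName(uint16_t t) { return t == ARP_HW_ETHERNET ? "ethernet" : "unknown"; }
const char *ArpProtoTypeName(uint16_t t) { return t == ARP_PROTO_IPV4 ? "ipv4" : "unknown"; }
const char *ArpOpcodeName(uint16_t op)
{
    switch (op) {
        case ARP_OP_REQUEST: return "request";
        case ARP_OP_REPLY:   return "reply";
        default:             return "unknown";
    }
}

/* Both return the number of characters written, or -1 if buf is too small. */
int ArpFormatMac(const uint8_t mac[6], char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%02x:%02x:%02x:%02x:%02x:%02x",
                     (unsigned)mac[0], (unsigned)mac[1], (unsigned)mac[2],
                     (unsigned)mac[3], (unsigned)mac[4], (unsigned)mac[5]);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int ArpFormatIp(const uint8_t ip[4], char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%u.%u.%u.%u",
                     (unsigned)ip[0], (unsigned)ip[1], (unsigned)ip[2], (unsigned)ip[3]);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Constructed sample: a reply saying 10.84.1.1 is-at 02:00:00:00:00:01,
 * addressed to 10.84.1.14 at 02:00:00:00:00:0e (placeholder MACs). */
const uint8_t kSampleArpReply[ARP_HDR_LEN] = {
    0x00, 0x01,                           /* hw_type: Ethernet */
    0x08, 0x00,                           /* proto_type: IPv4 */
    0x06, 0x04,                           /* hw_len, proto_len */
    0x00, 0x02,                           /* opcode: reply */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* sender MAC */
    10, 84, 1, 1,                         /* sender IP */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x0e,   /* target MAC */
    10, 84, 1, 14,                        /* target IP */
};

int main(void)
{
    ArpInfo a;
    char smac[18], dmac[18], sip[16], dip[16];
    if (DecodeArpExample(kSampleArpReply, sizeof(kSampleArpReply), &a) != 0) {
        fprintf(stderr, "decode failed\n");
        return 1;
    }
    ArpFormatMac(a.src_mac, smac, sizeof(smac));
    ArpFormatMac(a.dest_mac, dmac, sizeof(dmac));
    ArpFormatIp(a.src_ip, sip, sizeof(sip));
    ArpFormatIp(a.dest_ip, dip, sizeof(dip));
    printf("{\"arp\":{\"hw_type\":\"%s\",\"proto_type\":\"%s\",\"opcode\":\"%s\","
           "\"src_mac\":\"%s\",\"src_ip\":\"%s\",\"dest_mac\":\"%s\",\"dest_ip\":\"%s\"}}\n",
           ArpHwTypeName(a.hw_type), ArpProtoTypeName(a.proto_type), ArpOpcodeName(a.opcode),
           smac, sip, dmac, dip);
    return 0;
}
```

The decoder refuses anything other than the Ethernet/IPv4 shape rather than trusting `hw_len`/`proto_len` from the wire, which is the same conservatism a production decoder needs: the body offsets are only valid once the header has been checked against the buffer length.

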
@glongo
Contributor Author

glongo commented Mar 20, 2024

Makes sense. Let me add a function similar to CreateEveHeaderFromFlow, but for ARP.

@victorjulien
Member

> Makes sense. Let me add a function similar to CreateEveHeaderFromFlow, but for ARP.

Perhaps generic one for non IP/IPv6, so w/o ports, addresses, ipproto

@glongo
Contributor Author

glongo commented Mar 20, 2024

> > Makes sense. Let me add a function similar to CreateEveHeaderFromFlow, but for ARP.
>
> Perhaps generic one for non IP/IPv6, so w/o ports, addresses, ipproto

Another approach would be to ensure that addresses, ports, and ipproto have valid values.
I think this method is simpler and allows us to avoid some code duplication; please look at the following diff:

diff --git a/src/output-json.c b/src/output-json.c
index b0c1b7405..e61870391 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -838,11 +838,21 @@ JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
         JsonAddrInfoInit(p, dir, &addr_info);
         addr = &addr_info;
     }
-    jb_set_string(js, "src_ip", addr->src_ip);
-    jb_set_uint(js, "src_port", addr->sp);
-    jb_set_string(js, "dest_ip", addr->dst_ip);
-    jb_set_uint(js, "dest_port", addr->dp);
-    jb_set_string(js, "proto", addr->proto);
+    if (strlen(addr->src_ip) > 0) {
+        jb_set_string(js, "src_ip", addr->src_ip);
+    }
+    if (addr->sp > 0) {
+        jb_set_uint(js, "src_port", addr->sp);
+    }
+    if (strlen(addr->src_ip) > 0) {
+        jb_set_string(js, "dest_ip", addr->dst_ip);
+    }
+    if (addr->dp > 0) {
+        jb_set_uint(js, "dest_port", addr->dp);
+    }
+    if (strlen(addr->proto) > 0) {
+        jb_set_string(js, "proto", addr->proto);
+    }
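
Review bot: the guard on the `dest_ip` line tests the wrong field. The hunk reads `if (strlen(addr->src_ip) > 0) { jb_set_string(js, "dest_ip", addr->dst_ip); }`, so whether `dest_ip` is emitted depends on the source address instead of on `addr->dst_ip`; it should be `if (strlen(addr->dst_ip) > 0)`. Separately, the `> 0` tests on `addr->sp` and `addr->dp` mean any record whose port is legitimately 0 silently loses its `src_port`/`dest_port` keys, which changes the output of every existing event type going through `CreateEveHeader`, not just ARP; that argues for the separate non-IP header builder suggested earlier in the thread, or for keying the omission on the packet not being IP rather than on the field values.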

What do you think?

@glongo
Contributor Author

glongo commented Mar 21, 2024

Replaced with #10692

@glongo glongo closed this Mar 21, 2024