Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 19:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'topic/jsiwek/ipv6-ext-headers'

Browse source 
* topic/jsiwek/ipv6-ext-headers:
  Cosmetics in preparation for merge.
  Removing remaining comments. Looks fine.
  Refactor script-layer IPv6 ext. header chain (addresses #795)
  Changes to IPv6 ext. header parsing (addresses #795).
  Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF.
  Remove the default "tcp or udp or icmp" filter.
  Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-ext-headers'
  Add unit test for IPv6 fragment reassembly.
  Update PacketFilter/Discarder code for IP version independence.
  Add a few comments to IP.h
  Fix some IPv6 header related bugs.
  Add IPv6 fragment reassembly.
  Add handling for IPv6 extension header chains (addresses #531)

Closes #795.
This commit is contained in:
Robin Sommer 2012-03-23 17:38:27 -07:00
commit 02d8c52e6f
36 changed files with 1481 additions and 416 deletions
Download patch file Download diff file Expand all files Collapse all files

2
aux/broccoli

@ -1 +1 @@
Subproject commit 0128c72cbdf29925dd146842a9077c631d2cc85c
Subproject commit 612e95ac62a06b32b2e9e627f30527012a89a12c

428
scripts/base/init-bare.bro
View file

@ -303,10 +303,10 @@ type gap_info: record {
gap_bytes: count; ##< How many bytes were missing in the gaps.
};
## Deprecated.
##
## Deprecated.
##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else.
## else.
type packet: record {
conn: connection;
is_orig: bool;
@ -939,12 +939,162 @@ const IPPROTO_IGMP = 2; ##< Group management protocol.
const IPPROTO_IPIP = 4; ##< IP encapsulation in IP.
const IPPROTO_TCP = 6; ##< TCP.
const IPPROTO_UDP = 17; ##< User datagram protocol.
const IPPROTO_IPV6 = 41; ##< IPv6 header.
const IPPROTO_RAW = 255; ##< Raw IP packet.
## Values extracted from an IP header.
# Definitions for IPv6 extension headers.
const IPPROTO_HOPOPTS = 0; ##< IPv6 hop-by-hop-options header.
const IPPROTO_ROUTING = 43; ##< IPv6 routing header.
const IPPROTO_FRAGMENT = 44; ##< IPv6 fragment header.
const IPPROTO_ESP = 50; ##< IPv6 encapsulating security payload header.
const IPPROTO_AH = 51; ##< IPv6 authentication header.
const IPPROTO_NONE = 59; ##< IPv6 no next header.
const IPPROTO_DSTOPTS = 60; ##< IPv6 destination options header.
## Values extracted from an IPv6 extension header's (e.g. hop-by-hop or
## destination option headers) option field.
##
## .. bro:see:: pkt_hdr discarder_check_ip
type ip_hdr: record {
## .. bro:see:: ip6_hdr ip6_hdr_chain ip6_hopopts ip6_dstopts
type ip6_option: record {
otype: count; ##< Option type.
len: count; ##< Option data length.
data: string; ##< Option data.
};
## Values extracted from an IPv6 Hop-by-Hop options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain ip6_option
type ip6_hopopts: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
};
## Values extracted from an IPv6 Destination options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain ip6_option
type ip6_dstopts: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
};
## Values extracted from an IPv6 Routing extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_routing: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## Routing type.
rtype: count;
## Segments left.
segleft: count;
## Type-specific data.
data: string;
};
## Values extracted from an IPv6 Fragment extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_fragment: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## 8-bit reserved field.
rsv1: count;
## Fragmentation offset.
offset: count;
## 2-bit reserved field.
rsv2: count;
## More fragments.
more: bool;
## Fragment identification.
id: count;
};
## Values extracted from an IPv6 Authentication extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_ah: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 4-octet units, excluding first two units.
len: count;
## Reserved field.
rsv: count;
## Security Parameter Index.
spi: count;
## Sequence number.
seq: count;
## Authentication data.
data: string;
};
## Values extracted from an IPv6 ESP extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_esp: record {
## Security Parameters Index.
spi: count;
## Sequence number.
seq: count;
};
## A general container for a more specific IPv6 extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
## ip6_ah ip6_esp
type ip6_ext_hdr: record {
## The RFC 1700 et seq. IANA assigned number identifying the type of
## the extension header.
id: count;
## Hop-by-hop option extension header.
hopopts: ip6_hopopts &optional;
## Destination option extension header.
dstopts: ip6_dstopts &optional;
## Routing extension header.
routing: ip6_routing &optional;
## Fragment header.
fragment: ip6_fragment &optional;
## Authentication extension header.
ah: ip6_ah &optional;
## Encapsulating security payload header.
esp: ip6_esp &optional;
};
## Values extracted from an IPv6 header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr_chain ip6_hopopts ip6_dstopts
## ip6_routing ip6_fragment ip6_ah ip6_esp
type ip6_hdr: record {
class: count; ##< Traffic class.
flow: count; ##< Flow label.
len: count; ##< Payload length.
nxt: count; ##< Protocol number of the next header
##< (RFC 1700 et seq., IANA assigned number)
##< e.g. :bro:id:`IPPROTO_ICMP`.
hlim: count; ##< Hop limit.
src: addr; ##< Source address.
dst: addr; ##< Destination address.
exts: vector of ip6_ext_hdr; ##< Extension header chain.
};
## Values extracted from an IPv4 header.
##
## .. bro:see:: pkt_hdr ip6_hdr discarder_check_ip
type ip4_hdr: record {
hl: count; ##< Header length in bytes.
tos: count; ##< Type of service.
len: count; ##< Total length.
@ -1000,10 +1150,11 @@ type icmp_hdr: record {
##
## .. bro:see:: new_packet
type pkt_hdr: record {
ip: ip_hdr; ##< The IP header.
tcp: tcp_hdr &optional; ##< The TCP header if a TCP packet.
udp: udp_hdr &optional; ##< The UDP header if a UDP packet.
icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet.
ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet.
ip6: ip6_hdr &optional; ##< The IPv6 header if an IPv6 packet.
tcp: tcp_hdr &optional; ##< The TCP header if a TCP packet.
udp: udp_hdr &optional; ##< The UDP header if a UDP packet.
icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet.
};
## Definition of "secondary filters". A secondary filter is a BPF filter given as
@ -1023,7 +1174,7 @@ global discarder_maxlen = 128 &redef;
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## p: The IP header of the considered packet.
##
## Returns: True if the packet should not be analyzed any further.
##
@ -1032,15 +1183,15 @@ global discarder_maxlen = 128 &redef;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_ip: function(i: ip_hdr): bool;
global discarder_check_ip: function(p: pkt_hdr): bool;
## Function for skipping packets based on their TCP header. If defined, this
## function will be called for all TCP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## t: The TCP header.
## p: The IP and TCP headers of the considered packet.
##
## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
##
## Returns: True if the packet should not be analyzed any further.
@ -1050,15 +1201,15 @@ global discarder_check_ip: function(i: ip_hdr): bool;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their UDP header. If defined, this
## function will be called for all UDP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## t: The UDP header.
## p: The IP and UDP headers of the considered packet.
##
## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
##
## Returns: True if the packet should not be analyzed any further.
@ -1068,15 +1219,14 @@ global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their ICMP header. If defined, this
## function will be called for all ICMP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## ih: The ICMP header.
## p: The IP and ICMP headers of the considered packet.
##
## Returns: True if the packet should not be analyzed any further.
##
@ -1085,7 +1235,7 @@ global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
global discarder_check_icmp: function(p: pkt_hdr): bool;
## Bro's watchdog interval.
const watchdog_interval = 10 sec &redef;
@ -1316,7 +1466,7 @@ export {
## NFS file attributes. Field names are based on RFC 1813.
##
## .. bro:see:: nfs_proc_getattr
## .. bro:see:: nfs_proc_getattr
type fattr_t: record {
ftype: file_type_t; ##< File type.
mode: count; ##< Mode
@ -1335,8 +1485,8 @@ export {
};
## NFS *readdir* arguments.
##
## .. bro:see:: nfs_proc_readdir
##
## .. bro:see:: nfs_proc_readdir
type diropargs_t : record {
dirfh: string; ##< The file handle of the directory.
fname: string; ##< The name of the file we are interested in.
@ -1345,7 +1495,7 @@ export {
## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the lookup
## succeeded, *fh* is always set and *obj_attr* and *dir_attr* may be set.
##
## .. bro:see:: nfs_proc_lookup
## .. bro:see:: nfs_proc_lookup
type lookup_reply_t: record {
fh: string &optional; ##< File handle of object looked up.
obj_attr: fattr_t &optional; ##< Optional attributes associated w/ file
@ -1362,7 +1512,7 @@ export {
};
## NFS *read* reply. If the lookup fails, *attr* may be set. If the lookup succeeds,
## *attr* may be set and all other fields are set.
## *attr* may be set and all other fields are set.
type read_reply_t: record {
attr: fattr_t &optional; ##< Attributes.
size: count &optional; ##< Number of bytes read.
@ -1371,7 +1521,7 @@ export {
};
## NFS *readline* reply. If the request fails, *attr* may be set. If the request
## succeeds, *attr* may be set and all other fields are set.
## succeeds, *attr* may be set and all other fields are set.
##
## .. bro:see:: nfs_proc_readlink
type readlink_reply_t: record {
@ -1381,7 +1531,7 @@ export {
## NFS *write* arguments.
##
## .. bro:see:: nfs_proc_write
## .. bro:see:: nfs_proc_write
type writeargs_t: record {
fh: string; ##< File handle to write to.
offset: count; ##< Offset in file.
@ -1391,18 +1541,18 @@ export {
};
## NFS *wcc* attributes.
##
##
## .. bro:see:: NFS3::write_reply_t
type wcc_attr_t: record {
size: count; ##< The dize.
size: count; ##< The dize.
atime: time; ##< Access time.
mtime: time; ##< Modification time.
};
## NFS *write* reply. If the request fails, *pre|post* attr may be set. If the
## request succeeds, *pre|post* attr may be set and all other fields are set.
## request succeeds, *pre|post* attr may be set and all other fields are set.
##
## .. bro:see:: nfs_proc_write
## .. bro:see:: nfs_proc_write
type write_reply_t: record {
preattr: wcc_attr_t &optional; ##< Pre operation attributes.
postattr: fattr_t &optional; ##< Post operation attributes.
@ -1413,9 +1563,9 @@ export {
## NFS reply for *create*, *mkdir*, and *symlink*. If the proc
## failed, *dir_\*_attr* may be set. If the proc succeeded, *fh* and the *attr*'s
## may be set. Note: no guarantee that *fh* is set after success.
## may be set. Note: no guarantee that *fh* is set after success.
##
## .. bro:see:: nfs_proc_create nfs_proc_mkdir
## .. bro:see:: nfs_proc_create nfs_proc_mkdir
type newobj_reply_t: record {
fh: string &optional; ##< File handle of object created.
obj_attr: fattr_t &optional; ##< Optional attributes associated w/ new object.
@ -1423,17 +1573,17 @@ export {
dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
};
## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec.
## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec.
##
## .. bro:see:: nfs_proc_remove nfs_proc_rmdir
## .. bro:see:: nfs_proc_remove nfs_proc_rmdir
type delobj_reply_t: record {
dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir.
dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
};
## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
##
## .. bro:see:: nfs_proc_readdir
##
## .. bro:see:: nfs_proc_readdir
type readdirargs_t: record {
isplus: bool; ##< Is this a readdirplus request?
dirfh: string; ##< The directory filehandle.
@ -1446,7 +1596,7 @@ export {
## NFS *direntry*. *fh* and *attr* are used for *readdirplus*. However, even
## for *readdirplus* they may not be filled out.
##
## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t
## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t
type direntry_t: record {
fileid: count; ##< E.g., inode number.
fname: string; ##< Filename.
@ -1457,7 +1607,7 @@ export {
## Vector of NFS *direntry*.
##
## .. bro:see:: NFS3::readdir_reply_t
## .. bro:see:: NFS3::readdir_reply_t
type direntry_vec_t: vector of direntry_t;
## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is
@ -1488,7 +1638,7 @@ module GLOBAL;
## An NTP message.
##
## .. bro:see:: ntp_message
## .. bro:see:: ntp_message
type ntp_msg: record {
id: count; ##< Message ID.
code: count; ##< Message code.
@ -1510,7 +1660,7 @@ global samba_cmds: table[count] of string &redef
{ return fmt("samba-unknown-%d", c); };
## An SMB command header.
##
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
@ -1529,9 +1679,9 @@ type smb_hdr : record {
};
## An SMB transaction.
##
##
## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2
## smb_com_transaction smb_com_transaction2
type smb_trans : record {
word_count: count; ##< TODO.
total_param_count: count; ##< TODO.
@ -1545,7 +1695,7 @@ type smb_trans : record {
param_offset: count; ##< TODO.
data_count: count; ##< TODO.
data_offset: count; ##< TODO.
setup_count: count; ##< TODO.
setup_count: count; ##< TODO.
setup0: count; ##< TODO.
setup1: count; ##< TODO.
setup2: count; ##< TODO.
@ -1556,19 +1706,19 @@ type smb_trans : record {
## SMB transaction data.
##
##
## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2
##
## smb_com_transaction smb_com_transaction2
##
## .. todo:: Should this really be a record type?
type smb_trans_data : record {
data : string; ##< The transaction's data.
};
## Deprecated.
##
## Deprecated.
##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else.
## else.
type smb_tree_connect : record {
flags: count;
password: string;
@ -1576,21 +1726,21 @@ type smb_tree_connect : record {
service: string;
};
## Deprecated.
##
## Deprecated.
##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else.
## else.
type smb_negotiate : table[count] of string;
## A list of router addresses offered by a DHCP server.
##
## .. bro:see:: dhcp_ack dhcp_offer
## .. bro:see:: dhcp_ack dhcp_offer
type dhcp_router_list: table[count] of addr;
## A DHCP message.
##
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak
## dhcp_offer dhcp_release dhcp_request
## dhcp_offer dhcp_release dhcp_request
type dhcp_msg: record {
op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count; ##< The type of DHCP message.
@ -1627,7 +1777,7 @@ type dns_msg: record {
## A DNS SOA record.
##
## .. bro:see:: dns_SOA_reply
## .. bro:see:: dns_SOA_reply
type dns_soa: record {
mname: string; ##< Primary source of data for zone.
rname: string; ##< Mailbox for responsible person.
@ -1640,7 +1790,7 @@ type dns_soa: record {
## An additional DNS EDNS record.
##
## .. bro:see:: dns_EDNS_addl
## .. bro:see:: dns_EDNS_addl
type dns_edns_additional: record {
query: string; ##< Query.
qtype: count; ##< Query type.
@ -1655,7 +1805,7 @@ type dns_edns_additional: record {
## An additional DNS TSIG record.
##
## bro:see:: dns_TSIG_addl
## bro:see:: dns_TSIG_addl
type dns_tsig_additional: record {
query: string; ##< Query.
qtype: count; ##< Query type.
@ -1669,9 +1819,9 @@ type dns_tsig_additional: record {
};
# DNS answer types.
#
#
# .. .. bro:see:: dns_answerr
#
#
# todo::use enum to make them autodoc'able
const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness.
const DNS_ANS = 1; ##< An answer record.
@ -1685,7 +1835,7 @@ const DNS_ADDL = 3; ##< An additional record.
## dns_TXT_reply dns_WKS_reply
type dns_answer: record {
## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`,
## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`.
## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`.
answer_type: count;
query: string; ##< Query.
qtype: count; ##< Query type.
@ -1705,27 +1855,27 @@ global dns_skip_auth: set[addr] &redef;
## .. bro:see:: dns_skip_all_addl dns_skip_auth
global dns_skip_addl: set[addr] &redef;
## If true, all DNS AUTH records are skipped.
## If true, all DNS AUTH records are skipped.
##
## .. bro:see:: dns_skip_all_addl dns_skip_auth
global dns_skip_all_auth = T &redef;
## If true, all DNS ADDL records are skipped.
## If true, all DNS ADDL records are skipped.
##
## .. bro:see:: dns_skip_all_auth dns_skip_addl
global dns_skip_all_addl = T &redef;
## If a DNS request includes more than this many queries, assume it's non-DNS
## traffic and do not process it. Set to 0 to turn off this functionality.
## traffic and do not process it. Set to 0 to turn off this functionality.
global dns_max_queries = 5;
## An X509 certificate.
##
## .. bro:see:: x509_certificate
## .. bro:see:: x509_certificate
type X509: record {
version: count; ##< Version number.
serial: string; ##< Serial number.
subject: string; ##< Subject.
subject: string; ##< Subject.
issuer: string; ##< Issuer.
not_valid_before: time; ##< Timestamp before when certificate is not valid.
not_valid_after: time; ##< Timestamp after when certificate is not valid.
@ -1733,7 +1883,7 @@ type X509: record {
## HTTP session statistics.
##
## .. bro:see:: http_stats
## .. bro:see:: http_stats
type http_stats_rec: record {
num_requests: count; ##< Number of requests.
num_replies: count; ##< Number of replies.
@ -1743,7 +1893,7 @@ type http_stats_rec: record {
## HTTP message statistics.
##
## .. bro:see:: http_message_done
## .. bro:see:: http_message_done
type http_message_stat: record {
## When the request/reply line was complete.
start: time;
@ -1760,26 +1910,26 @@ type http_message_stat: record {
};
## Maximum number of HTTP entity data delivered to events. The amount of data
## can be limited for better performance, zero disables truncation.
##
## can be limited for better performance, zero disables truncation.
##
## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data
global http_entity_data_delivery_size = 1500 &redef;
## Skip HTTP data for performance considerations. The skipped
## portion will not go through TCP reassembly.
##
## portion will not go through TCP reassembly.
##
## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size
const skip_http_data = F &redef;
## Maximum length of HTTP URIs passed to events. Longer ones will be truncated
## to prevent over-long URIs (usually sent by worms) from slowing down event
## processing. A value of -1 means "do not truncate".
##
##
## .. bro:see:: http_request
const truncate_http_URI = -1 &redef;
## IRC join information.
##
## IRC join information.
##
## .. bro:see:: irc_join_list
type irc_join_info: record {
nick: string;
@ -1790,13 +1940,13 @@ type irc_join_info: record {
## Set of IRC join information.
##
## .. bro:see:: irc_join_message
## .. bro:see:: irc_join_message
type irc_join_list: set[irc_join_info];
## Deprecated.
##
## Deprecated.
##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else.
## else.
global irc_servers : set[addr] &redef;
## Internal to the stepping stone detector.
@ -1860,7 +2010,7 @@ type backdoor_endp_stats: record {
## Description of a signature match.
##
## .. bro:see:: signature_match
## .. bro:see:: signature_match
type signature_state: record {
sig_id: string; ##< ID of the matching signature.
conn: connection; ##< Matching connection.
@ -1868,10 +2018,10 @@ type signature_state: record {
payload_size: count; ##< Payload size of the first matching packet of current endpoint.
};
# Deprecated.
#
# Deprecated.
#
# .. todo:: This type is no longer used. Remove any reference of this from the
# core.
# core.
type software_version: record {
major: int;
minor: int;
@ -1879,10 +2029,10 @@ type software_version: record {
addl: string;
};
# Deprecated.
#
# Deprecated.
#
# .. todo:: This type is no longer used. Remove any reference of this from the
# core.
# core.
type software: record {
name: string;
version: software_version;
@ -1899,7 +2049,7 @@ type OS_version_inference: enum {
## Passive fingerprinting match.
##
## .. bro:see:: OS_version_found
## .. bro:see:: OS_version_found
type OS_version: record {
genre: string; ##< Linux, Windows, AIX, ...
detail: string; ##< Lernel version or such.
@ -1909,20 +2059,20 @@ type OS_version: record {
## Defines for which subnets we should do passive fingerprinting.
##
## .. bro:see:: OS_version_found
## .. bro:see:: OS_version_found
global generate_OS_version_event: set[subnet] &redef;
# Type used to report load samples via :bro:see:`load_sample`. For now, it's a
# set of names (event names, source file names, and perhaps ``<source file, line
# number>``, which were seen during the sample.
# number>``, which were seen during the sample.
type load_sample_info: set[string];
## ID for NetFlow header. This is primarily a means to sort together NetFlow
## headers and flow records at the script level.
## headers and flow records at the script level.
type nfheader_id: record {
## Name of the NetFlow file (e.g., ``netflow.dat``) or the receiving socket address
## (e.g., ``127.0.0.1:5555``), or an explicit name if specified to
## ``-y`` or ``-Y``.
## ``-y`` or ``-Y``.
rcvr_id: string;
## A serial number, ignoring any overflows.
pdu_id: count;
@ -1930,7 +2080,7 @@ type nfheader_id: record {
## A NetFlow v5 header.
##
## .. bro:see:: netflow_v5_header
## .. bro:see:: netflow_v5_header
type nf_v5_header: record {
h_id: nfheader_id; ##< ID for sorting.
cnt: count; ##< TODO.
@ -1946,7 +2096,7 @@ type nf_v5_header: record {
## A NetFlow v5 record.
##
## .. bro:see:: netflow_v5_record
type nf_v5_record: record {
type nf_v5_record: record {
h_id: nfheader_id; ##< ID for sorting.
id: conn_id; ##< Connection ID.
nexthop: addr; ##< Address of next hop.
@ -1980,7 +2130,7 @@ type bittorrent_peer: record {
};
## A set of BitTorrent peers.
##
##
## .. bro:see:: bt_tracker_response
type bittorrent_peer_set: set[bittorrent_peer];
@ -2003,12 +2153,12 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
## Header table type used by BitTorrent analyzer.
##
## .. bro:see:: bt_tracker_request bt_tracker_response
## bt_tracker_response_not_ok
## bt_tracker_response_not_ok
type bt_tracker_headers: table[string] of string;
@load base/event.bif
## BPF filter the user has set via the -f command line options. Empty if none.
## BPF filter the user has set via the -f command line options. Empty if none.
const cmd_line_bpf_filter = "" &redef;
## Deprecated.
@ -2026,24 +2176,24 @@ const log_encryption_key = "<undefined>" &redef;
## Write profiling info into this file in regular intervals. The easiest way to
## activate profiling is loading :doc:`/scripts/policy/misc/profiling`.
##
## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling
## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling
global profiling_file: file &redef;
## Update interval for profiling (0 disables). The easiest way to activate
## profiling is loading :doc:`/scripts/policy/misc/profiling`.
##
## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling
## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling
const profiling_interval = 0 secs &redef;
## Multiples of profiling_interval at which (more expensive) memory profiling is
## done (0 disables).
##
## .. bro:see:: profiling_interval profiling_file segment_profiling
## .. bro:see:: profiling_interval profiling_file segment_profiling
const expensive_profiling_multiple = 0 &redef;
## If true, then write segment profiling information (very high volume!)
## in addition to profiling statistics.
##
##
## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file
const segment_profiling = F &redef;
@ -2082,42 +2232,42 @@ global load_sample_freq = 20 &redef;
## Rate at which to generate :bro:see:`gap_report` events assessing to what degree
## the measurement process appears to exhibit loss.
##
##
## .. bro:see:: gap_report
const gap_report_freq = 1.0 sec &redef;
## Whether we want :bro:see:`content_gap` and :bro:see:`gap_report` for partial
## connections. A connection is partial if it is missing a full handshake. Note
## that gap reports for partial connections might not be reliable.
##
##
## .. bro:see:: content_gap gap_report partial_connection
const report_gaps_for_partial = F &redef;
## The CA certificate file to authorize remote Bros/Broccolis.
##
##
## .. bro:see:: ssl_private_key ssl_passphrase
const ssl_ca_certificate = "<undefined>" &redef;
## File containing our private key and our certificate.
##
##
## .. bro:see:: ssl_ca_certificate ssl_passphrase
const ssl_private_key = "<undefined>" &redef;
## The passphrase for our private key. Keeping this undefined
## causes Bro to prompt for the passphrase.
##
##
## .. bro:see:: ssl_private_key ssl_ca_certificate
const ssl_passphrase = "<undefined>" &redef;
## Default mode for Bro's user-space dynamic packet filter. If true, packets that
## aren't explicitly allowed through, are dropped from any further processing.
##
## aren't explicitly allowed through, are dropped from any further processing.
##
## .. note:: This is not the BPF packet filter but an additional dynamic filter
## that Bro optionally applies just before normal processing starts.
##
## .. bro:see:: install_dst_addr_filter install_dst_net_filter
## that Bro optionally applies just before normal processing starts.
##
## .. bro:see:: install_dst_addr_filter install_dst_net_filter
## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter
## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
const packet_filter_default = F &redef;
## Maximum size of regular expression groups for signature matching.
@ -2129,17 +2279,17 @@ const enable_syslog = F &redef;
## Description transmitted to remote communication peers for identification.
const peer_description = "bro" &redef;
## If true, broadcast events received from one peer to all other peers.
##
## If true, broadcast events received from one peer to all other peers.
##
## .. bro:see:: forward_remote_state_changes
##
## .. note:: This option is only temporary and will disappear once we get a more
## sophisticated script-level communication framework.
const forward_remote_events = F &redef;
## If true, broadcast state updates received from one peer to all other peers.
##
## .. bro:see:: forward_remote_events
## If true, broadcast state updates received from one peer to all other peers.
##
## .. bro:see:: forward_remote_events
##
## .. note:: This option is only temporary and will disappear once we get a more
## sophisticated script-level communication framework.
@ -2168,23 +2318,23 @@ const REMOTE_SRC_PARENT = 2; ##< Message from the parent process.
const REMOTE_SRC_SCRIPT = 3; ##< Message from a policy script.
## Synchronize trace processing at a regular basis in pseudo-realtime mode.
##
##
## .. bro:see:: remote_trace_sync_peers
const remote_trace_sync_interval = 0 secs &redef;
## Number of peers across which to synchronize trace processing in
## pseudo-realtime mode.
##
## pseudo-realtime mode.
##
## .. bro:see:: remote_trace_sync_interval
const remote_trace_sync_peers = 0 &redef;
## Whether for :bro:attr:`&synchronized` state to send the old value as a
## consistency check.
## consistency check.
const remote_check_sync_consistency = F &redef;
## Analyzer tags. The core automatically defines constants
## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
##
##
## .. bro:see:: dpd_config
##
## .. todo::We should autodoc these automaticallty generated constants.
@ -2202,7 +2352,7 @@ type dpd_protocol_config: record {
## This table defines the ports.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports
## dpd_match_only_beginning dpd_ignore_ports
const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
## Reassemble the beginning of all TCP connections before doing
@ -2210,10 +2360,10 @@ const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
## expensive of CPU cycles.
##
## .. bro:see:: dpd_config dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports
##
## dpd_match_only_beginning dpd_ignore_ports
##
## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection.
## only signatures used for dynamic protocol detection.
const dpd_reassemble_first_packets = T &redef;
## Size of per-connection buffer used for dynamic protocol detection. For each
@ -2222,23 +2372,23 @@ const dpd_reassemble_first_packets = T &redef;
## already passed through (i.e., when a DPD signature matches only later).
## However, once the buffer is full, data is deleted and lost to analyzers that are
## activated afterwards. Then only analyzers that can deal with partial
## connections will be able to analyze the session.
## connections will be able to analyze the session.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
## dpd_ignore_ports
## dpd_ignore_ports
const dpd_buffer_size = 1024 &redef;
## If true, stops signature matching if dpd_buffer_size has been reached.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_config dpd_ignore_ports
##
## dpd_config dpd_ignore_ports
##
## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection.
## only signatures used for dynamic protocol detection.
const dpd_match_only_beginning = T &redef;
## If true, don't consider any ports for deciding which protocol analyzer to
## use. If so, the value of :bro:see:`dpd_config` is ignored.
## use. If so, the value of :bro:see:`dpd_config` is ignored.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning dpd_config
@ -2246,14 +2396,14 @@ const dpd_ignore_ports = F &redef;
## Ports which the core considers being likely used by servers. For ports in
## this set, is may heuristically decide to flip the direction of the
## connection if it misses the initial handshake.
## connection if it misses the initial handshake.
const likely_server_ports: set[port] &redef;
## Deprated. Set of all ports for which we know an analyzer, built by
## :doc:`/scripts/base/frameworks/dpd/main`.
## :doc:`/scripts/base/frameworks/dpd/main`.
##
## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
## itself we still need it.
## itself we still need it.
global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
## Per-incident timer managers are drained after this amount of inactivity.
@ -2266,7 +2416,7 @@ const time_machine_profiling = F &redef;
const check_for_unused_event_handlers = F &redef;
# If true, dumps all invoked event handlers at startup.
# todo::Still used?
# todo::Still used?
# const dump_used_event_handlers = F &redef;
## Deprecated.
@ -2282,7 +2432,7 @@ const trace_output_file = "";
## of setting this to true is that we can write the packets out before we actually
## process them, which can be helpful for debugging in case the analysis triggers a
## crash.
##
##
## .. bro:see:: trace_output_file
const record_all_packets = F &redef;
@ -2295,7 +2445,7 @@ const record_all_packets = F &redef;
const ignore_keep_alive_rexmit = F &redef;
## Whether the analysis engine parses IP packets encapsulated in
## UDP tunnels.
## UDP tunnels.
##
## .. bro:see:: tunnel_port
const parse_udp_tunnels = F &redef;
@ -2303,6 +2453,6 @@ const parse_udp_tunnels = F &redef;
## Number of bytes per packet to capture from live interfaces.
const snaplen = 8192 &redef;
# Load the logging framework here because it uses fairly deep integration with
# Load the logging framework here because it uses fairly deep integration with
# BiFs and script-land defined types.
@load base/frameworks/logging

1
src/CMakeLists.txt
View file

@ -330,6 +330,7 @@ set(bro_SRCS
IntSet.cc
InterConn.cc
IOSource.cc
IP.cc
IPAddr.cc
IRC.cc
List.cc

83
src/Discard.cc
View file

@ -10,11 +10,6 @@
Discarder::Discarder()
{
ip_hdr = internal_type("ip_hdr")->AsRecordType();
tcp_hdr = internal_type("tcp_hdr")->AsRecordType();
udp_hdr = internal_type("udp_hdr")->AsRecordType();
icmp_hdr = internal_type("icmp_hdr")->AsRecordType();
check_ip = internal_func("discarder_check_ip");
check_tcp = internal_func("discarder_check_tcp");
check_udp = internal_func("discarder_check_udp");
@ -36,12 +31,10 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
{
int discard_packet = 0;
const struct ip* ip4 = ip->IP4_Hdr();
if ( check_ip )
{
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(ip->BuildPktHdrVal());
try
{
@ -59,19 +52,18 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
return discard_packet;
}
int proto = ip4->ip_p;
int proto = ip->NextProto();
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
proto != IPPROTO_ICMP )
// This is not a protocol we understand.
return 0;
// XXX shall we only check the first packet???
uint32 frag_field = ntohs(ip4->ip_off);
if ( (frag_field & 0x3fff) != 0 )
if ( ip->IsFragment() )
// Never check any fragment.
return 0;
int ip_hdr_len = ip4->ip_hl * 4;
int ip_hdr_len = ip->HdrLen();
len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len;
@ -87,7 +79,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
// Where the data starts - if this is a protocol we know about,
// this gets advanced past the transport header.
const u_char* data = ((u_char*) ip4 + ip_hdr_len);
const u_char* data = ip->Payload();
if ( is_tcp )
{
@ -97,8 +89,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
int th_len = tp->th_off * 4;
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(BuildHeader(tp, len));
args->append(ip->BuildPktHdrVal());
args->append(BuildData(data, th_len, len, caplen));
try
@ -123,8 +114,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
int uh_len = sizeof (struct udphdr);
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(BuildHeader(up));
args->append(ip->BuildPktHdrVal());
args->append(BuildData(data, uh_len, len, caplen));
try
@ -148,8 +138,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct icmp* ih = (const struct icmp*) data;
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(BuildHeader(ih));
args->append(ip->BuildPktHdrVal());
try
{
@ -168,62 +157,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
return discard_packet;
}
Val* Discarder::BuildHeader(const struct ip* ip)
{
RecordVal* hdr = new RecordVal(ip_hdr);
hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
hdr->Assign(2, new Val(ntohs(ip->ip_len), TYPE_COUNT));
hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
return hdr;
}
Val* Discarder::BuildHeader(const struct tcphdr* tp, int tcp_len)
{
RecordVal* hdr = new RecordVal(tcp_hdr);
hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
int tcp_hdr_len = tp->th_off * 4;
hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
hdr->Assign(5, new Val(tcp_len - tcp_hdr_len, TYPE_COUNT));
hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildHeader(const struct udphdr* up)
{
RecordVal* hdr = new RecordVal(udp_hdr);
hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildHeader(const struct icmp* icmp)
{
RecordVal* hdr = new RecordVal(icmp_hdr);
hdr->Assign(0, new Val(icmp->icmp_type, TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen)
{
len -= hdrlen;

9
src/Discard.h
View file

@ -25,17 +25,8 @@ public:
int NextPacket(const IP_Hdr* ip, int len, int caplen);
protected:
Val* BuildHeader(const struct ip* ip);
Val* BuildHeader(const struct tcphdr* tp, int tcp_len);
Val* BuildHeader(const struct udphdr* up);
Val* BuildHeader(const struct icmp* icmp);
Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
RecordType* ip_hdr;
RecordType* tcp_hdr;
RecordType* udp_hdr;
RecordType* icmp_hdr;
Func* check_ip;
Func* check_tcp;
Func* check_udp;

78
src/Frag.cc
View file

@ -27,21 +27,32 @@ void FragTimer::Dispatch(double t, int /* is_expire */)
FragReassembler::FragReassembler(NetSessions* arg_s,
const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field, HashKey* k, double t)
HashKey* k, double t)
: Reassembler(0, ip->DstAddr(), REASSEM_IP)
{
s = arg_s;
key = k;
const struct ip* ip4 = ip->IP4_Hdr();
proto_hdr_len = ip4->ip_hl * 4;
proto_hdr = (struct ip*) new u_char[64]; // max IP header + slop
// Don't do a structure copy - need to pick up options, too.
memcpy((void*) proto_hdr, (const void*) ip4, proto_hdr_len);
if ( ip4 )
{
proto_hdr_len = ip->HdrLen();
proto_hdr = new u_char[64]; // max IP header + slop
// Don't do a structure copy - need to pick up options, too.
memcpy((void*) proto_hdr, (const void*) ip4, proto_hdr_len);
}
else
{
proto_hdr_len = ip->HdrLen() - 8; // minus length of fragment header
proto_hdr = new u_char[proto_hdr_len];
memcpy(proto_hdr, ip->IP6_Hdr(), proto_hdr_len);
}
reassembled_pkt = 0;
frag_size = 0; // flag meaning "not known"
next_proto = ip->NextProto();
AddFragment(t, ip, pkt, frag_field);
AddFragment(t, ip, pkt);
if ( frag_timeout != 0.0 )
{
@ -60,28 +71,42 @@ FragReassembler::~FragReassembler()
delete key;
}
void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field)
void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
{
const struct ip* ip4 = ip->IP4_Hdr();
if ( ip4->ip_p != proto_hdr->ip_p || ip4->ip_hl != proto_hdr->ip_hl )
if ( ip4 )
{
if ( ip4->ip_p != ((const struct ip*)proto_hdr)->ip_p ||
ip4->ip_hl != ((const struct ip*)proto_hdr)->ip_hl )
// || ip4->ip_tos != proto_hdr->ip_tos
// don't check TOS, there's at least one stack that actually
// uses different values, and it's hard to see an associated
// attack.
s->Weird("fragment_protocol_inconsistency", ip);
}
else
{
if ( ip->NextProto() != next_proto ||
ip->HdrLen() - 8 != proto_hdr_len )
s->Weird("fragment_protocol_inconsistency", ip);
// TODO: more detailed unfrag header consistency checks?
}
if ( frag_field & 0x4000 )
if ( ip->DF() )
// Linux MTU discovery for UDP can do this, for example.
s->Weird("fragment_with_DF", ip);
int offset = (ntohs(ip4->ip_off) & 0x1fff) * 8;
int len = ntohs(ip4->ip_len);
int hdr_len = proto_hdr->ip_hl * 4;
int offset = ip->FragOffset();
int len = ip->TotalLen();
int hdr_len = ip->HdrLen();
int upper_seq = offset + len - hdr_len;
if ( (frag_field & 0x2000) == 0 )
if ( ! offset )
// Make sure to use the first fragment header's next field.
next_proto = ip->NextProto();
if ( ! ip->MF() )
{
// Last fragment.
if ( frag_size == 0 )
@ -193,8 +218,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
u_char* pkt = new u_char[n];
memcpy((void*) pkt, (const void*) proto_hdr, proto_hdr_len);
struct ip* reassem4 = (struct ip*) pkt;
reassem4->ip_len = htons(frag_size + proto_hdr_len);
u_char* pkt_start = pkt;
pkt += proto_hdr_len;
@ -214,7 +238,27 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
}
delete reassembled_pkt;
reassembled_pkt = new IP_Hdr(reassem4, true);
if ( ((const struct ip*)pkt_start)->ip_v == 4 )
{
struct ip* reassem4 = (struct ip*) pkt_start;
reassem4->ip_len = htons(frag_size + proto_hdr_len);
reassembled_pkt = new IP_Hdr(reassem4, true);
}
else if ( ((const struct ip*)pkt_start)->ip_v == 6 )
{
struct ip6_hdr* reassem6 = (struct ip6_hdr*) pkt_start;
reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40);
const IPv6_Hdr_Chain* chain = new IPv6_Hdr_Chain(reassem6, next_proto);
reassembled_pkt = new IP_Hdr(reassem6, true, chain);
}
else
{
reporter->InternalError("bad IP version in fragment reassembly");
}
DeleteTimer();
}

8
src/Frag.h
View file

@ -20,11 +20,10 @@ typedef void (FragReassembler::*frag_timer_func)(double t);
class FragReassembler : public Reassembler {
public:
FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field, HashKey* k, double t);
HashKey* k, double t);
~FragReassembler();
void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field);
void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt);
void Expire(double t);
void DeleteTimer();
@ -37,11 +36,12 @@ protected:
void BlockInserted(DataBlock* start_block);
void Overlap(const u_char* b1, const u_char* b2, int n);
struct ip* proto_hdr;
u_char* proto_hdr;
IP_Hdr* reassembled_pkt;
int proto_hdr_len;
NetSessions* s;
int frag_size; // size of fully reassembled fragment
uint16 next_proto; // first IPv6 fragment header's next proto field
HashKey* key;
FragTimer* expire_timer;

364
src/IP.cc Normal file
View file

@ -0,0 +1,364 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "IP.h"
#include "Type.h"
#include "Val.h"
#include "Var.h"
static RecordType* ip4_hdr_type = 0;
static RecordType* ip6_hdr_type = 0;
static RecordType* ip6_ext_hdr_type = 0;
static RecordType* ip6_option_type = 0;
static RecordType* ip6_hopopts_type = 0;
static RecordType* ip6_dstopts_type = 0;
static RecordType* ip6_routing_type = 0;
static RecordType* ip6_fragment_type = 0;
static RecordType* ip6_ah_type = 0;
static RecordType* ip6_esp_type = 0;
static inline RecordType* hdrType(RecordType*& type, const char* name)
{
if ( ! type )
type = internal_type(name)->AsRecordType();
return type;
}
static VectorVal* BuildOptionsVal(const u_char* data, uint16 len)
{
VectorVal* vv = new VectorVal(new VectorType(
hdrType(ip6_option_type, "ip6_option")->Ref()));
while ( len > 0 )
{
const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(ip6_option_type);
rv->Assign(0, new Val(opt->ip6o_type, TYPE_COUNT));
if ( opt->ip6o_type == 0 )
{
// Pad1 option
rv->Assign(1, new Val(0, TYPE_COUNT));
rv->Assign(2, new StringVal(""));
data += sizeof(uint8);
len -= sizeof(uint8);
}
else
{
// PadN or other option
uint16 off = 2 * sizeof(uint8);
rv->Assign(1, new Val(opt->ip6o_len, TYPE_COUNT));
rv->Assign(2, new StringVal(
new BroString(data + off, opt->ip6o_len, 1)));
data += opt->ip6o_len + off;
len -= opt->ip6o_len + off;
}
vv->Assign(vv->Size(), rv, 0);
}
return vv;
}
RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
RecordVal* rv = 0;
switch ( type ) {
case IPPROTO_IPV6:
{
rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, new Val((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20, TYPE_COUNT));
rv->Assign(1, new Val(ntohl(ip6->ip6_flow) & 0x000fffff, TYPE_COUNT));
rv->Assign(2, new Val(ntohs(ip6->ip6_plen), TYPE_COUNT));
rv->Assign(3, new Val(ip6->ip6_nxt, TYPE_COUNT));
rv->Assign(4, new Val(ip6->ip6_hlim, TYPE_COUNT));
rv->Assign(5, new AddrVal(ip6->ip6_src));
rv->Assign(6, new AddrVal(ip6->ip6_dst));
if ( ! chain )
chain = new VectorVal(new VectorType(
hdrType(ip6_ext_hdr_type, "ip6_ext_hdr")->Ref()));
rv->Assign(7, chain);
}
break;
case IPPROTO_HOPOPTS:
{
rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, new Val(hbh->ip6h_nxt, TYPE_COUNT));
rv->Assign(1, new Val(hbh->ip6h_len, TYPE_COUNT));
uint16 off = 2 * sizeof(uint8);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
break;
case IPPROTO_DSTOPTS:
{
rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, new Val(dst->ip6d_nxt, TYPE_COUNT));
rv->Assign(1, new Val(dst->ip6d_len, TYPE_COUNT));
uint16 off = 2 * sizeof(uint8);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
break;
case IPPROTO_ROUTING:
{
rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, new Val(rt->ip6r_nxt, TYPE_COUNT));
rv->Assign(1, new Val(rt->ip6r_len, TYPE_COUNT));
rv->Assign(2, new Val(rt->ip6r_type, TYPE_COUNT));
rv->Assign(3, new Val(rt->ip6r_segleft, TYPE_COUNT));
uint16 off = 4 * sizeof(uint8);
rv->Assign(4, new StringVal(new BroString(data + off, Length() - off, 1)));
}
break;
case IPPROTO_FRAGMENT:
{
rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, new Val(frag->ip6f_nxt, TYPE_COUNT));
rv->Assign(1, new Val(frag->ip6f_reserved, TYPE_COUNT));
rv->Assign(2, new Val((ntohs(frag->ip6f_offlg) & 0xfff8)>>3, TYPE_COUNT));
rv->Assign(3, new Val((ntohs(frag->ip6f_offlg) & 0x0006)>>1, TYPE_COUNT));
rv->Assign(4, new Val(ntohs(frag->ip6f_offlg) & 0x0001, TYPE_BOOL));
rv->Assign(5, new Val(ntohl(frag->ip6f_ident), TYPE_COUNT));
}
break;
case IPPROTO_AH:
{
rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
rv->Assign(0, new Val(((ip6_ext*)data)->ip6e_nxt, TYPE_COUNT));
rv->Assign(1, new Val(((ip6_ext*)data)->ip6e_len, TYPE_COUNT));
rv->Assign(2, new Val(ntohs(((uint16*)data)[1]), TYPE_COUNT));
rv->Assign(3, new Val(ntohl(((uint32*)data)[1]), TYPE_COUNT));
rv->Assign(4, new Val(ntohl(((uint32*)data)[2]), TYPE_COUNT));
uint16 off = 3 * sizeof(uint32);
rv->Assign(5, new StringVal(new BroString(data + off, Length() - off, 1)));
}
break;
case IPPROTO_ESP:
{
rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
const uint32* esp = (const uint32*)data;
rv->Assign(0, new Val(ntohl(esp[0]), TYPE_COUNT));
rv->Assign(1, new Val(ntohl(esp[1]), TYPE_COUNT));
}
break;
default:
break;
}
return rv;
}
RecordVal* IP_Hdr::BuildIPHdrVal() const
{
RecordVal* rval = 0;
if ( ip4 )
{
rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
rval->Assign(0, new Val(ip4->ip_hl * 4, TYPE_COUNT));
rval->Assign(1, new Val(ip4->ip_tos, TYPE_COUNT));
rval->Assign(2, new Val(ntohs(ip4->ip_len), TYPE_COUNT));
rval->Assign(3, new Val(ntohs(ip4->ip_id), TYPE_COUNT));
rval->Assign(4, new Val(ip4->ip_ttl, TYPE_COUNT));
rval->Assign(5, new Val(ip4->ip_p, TYPE_COUNT));
rval->Assign(6, new AddrVal(ip4->ip_src.s_addr));
rval->Assign(7, new AddrVal(ip4->ip_dst.s_addr));
}
else
{
rval = ((*ip6_hdrs)[0])->BuildRecordVal(ip6_hdrs->BuildVal());
}
return rval;
}
RecordVal* IP_Hdr::BuildPktHdrVal() const
{
static RecordType* pkt_hdr_type = 0;
static RecordType* tcp_hdr_type = 0;
static RecordType* udp_hdr_type = 0;
static RecordType* icmp_hdr_type = 0;
if ( ! pkt_hdr_type )
{
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
}
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
if ( ip4 )
pkt_hdr->Assign(0, BuildIPHdrVal());
else
pkt_hdr->Assign(1, BuildIPHdrVal());
// L4 header.
const u_char* data = Payload();
int proto = NextProto();
switch ( proto ) {
case IPPROTO_TCP:
{
const struct tcphdr* tp = (const struct tcphdr*) data;
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
pkt_hdr->Assign(2, tcp_hdr);
break;
}
case IPPROTO_UDP:
{
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(3, udp_hdr);
break;
}
case IPPROTO_ICMP:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(4, icmp_hdr);
break;
}
default:
{
// This is not a protocol we understand.
break;
}
}
return pkt_hdr;
}
static inline bool isIPv6ExtHeader(uint8 type)
{
switch (type) {
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
case IPPROTO_DSTOPTS:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
case IPPROTO_ESP:
return true;
default:
return false;
}
}
void IPv6_Hdr_Chain::Init(const struct ip6_hdr* ip6, bool set_next, uint16 next)
{
length = 0;
uint8 current_type, next_type;
next_type = IPPROTO_IPV6;
const u_char* hdrs = (const u_char*) ip6;
do
{
current_type = next_type;
IPv6_Hdr* p = new IPv6_Hdr(current_type, hdrs);
next_type = p->NextHdr();
uint16 len = p->Length();
if ( set_next && next_type == IPPROTO_FRAGMENT )
{
p->ChangeNext(next);
next_type = next;
}
chain.push_back(p);
hdrs += len;
length += len;
} while ( current_type != IPPROTO_FRAGMENT &&
current_type != IPPROTO_ESP &&
isIPv6ExtHeader(next_type) );
}
VectorVal* IPv6_Hdr_Chain::BuildVal() const
{
if ( ! ip6_ext_hdr_type )
{
ip6_ext_hdr_type = internal_type("ip6_ext_hdr")->AsRecordType();
ip6_hopopts_type = internal_type("ip6_hopopts")->AsRecordType();
ip6_dstopts_type = internal_type("ip6_dstopts")->AsRecordType();
ip6_routing_type = internal_type("ip6_routing")->AsRecordType();
ip6_fragment_type = internal_type("ip6_fragment")->AsRecordType();
ip6_ah_type = internal_type("ip6_ah")->AsRecordType();
ip6_esp_type = internal_type("ip6_esp")->AsRecordType();
}
VectorVal* rval = new VectorVal(new VectorType(ip6_ext_hdr_type->Ref()));
for ( size_t i = 1; i < chain.size(); ++i )
{
RecordVal* v = chain[i]->BuildRecordVal();
RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
uint8 type = chain[i]->Type();
ext_hdr->Assign(0, new Val(type, TYPE_COUNT));
switch (type) {
case IPPROTO_HOPOPTS:
ext_hdr->Assign(1, v);
break;
case IPPROTO_DSTOPTS:
ext_hdr->Assign(2, v);
break;
case IPPROTO_ROUTING:
ext_hdr->Assign(3, v);
break;
case IPPROTO_FRAGMENT:
ext_hdr->Assign(4, v);
break;
case IPPROTO_AH:
ext_hdr->Assign(5, v);
break;
case IPPROTO_ESP:
ext_hdr->Assign(6, v);
break;
default:
reporter->InternalError("IPv6_Hdr_Chain bad header %d", type);
break;
}
rval->Assign(rval->Size(), ext_hdr, 0);
}
return rval;
}

324
src/IP.h
View file

@ -4,23 +4,234 @@
#define ip_h
#include "config.h"
#include "net_util.h"
#include "IPAddr.h"
#include <net_util.h>
#include "Reporter.h"
#include "Val.h"
#include "Type.h"
#include <vector>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
/**
* Base class for IPv6 header/extensions.
*/
class IPv6_Hdr {
public:
/**
* Construct an IPv6 header or extension header from assigned type number.
*/
IPv6_Hdr(uint8 t, const u_char* d) : type(t), data(d) {}
/**
* Replace the value of the next protocol field.
*/
void ChangeNext(uint8 next_type)
{
switch ( type ) {
case IPPROTO_IPV6:
((ip6_hdr*)data)->ip6_nxt = next_type;
break;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
((ip6_ext*)data)->ip6e_nxt = next_type;
break;
case IPPROTO_ESP:
default:
break;
}
}
~IPv6_Hdr() {}
/**
* Returns the assigned IPv6 extension header type number of the header
* that immediately follows this one.
*/
uint8 NextHdr() const
{
switch ( type ) {
case IPPROTO_IPV6:
return ((ip6_hdr*)data)->ip6_nxt;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
return ((ip6_ext*)data)->ip6e_nxt;
case IPPROTO_ESP:
default:
return IPPROTO_NONE;
}
}
/**
* Returns the length of the header in bytes.
*/
uint16 Length() const
{
switch ( type ) {
case IPPROTO_IPV6:
return 40;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
return 8 + 8 * ((ip6_ext*)data)->ip6e_len;
case IPPROTO_FRAGMENT:
return 8;
case IPPROTO_AH:
return 8 + 4 * ((ip6_ext*)data)->ip6e_len;
case IPPROTO_ESP:
return 8; //encrypted payload begins after 8 bytes
default:
return 0;
}
}
/**
* Returns the RFC 1700 et seq. IANA assigned number for the header.
*/
uint8 Type() const { return type; }
/**
* Returns pointer to the start of where header structure resides in memory.
*/
const u_char* Data() const { return data; }
/**
* Returns the script-layer record representation of the header.
*/
RecordVal* BuildRecordVal(VectorVal* chain = 0) const;
protected:
uint8 type;
const u_char* data;
};
class IPv6_Hdr_Chain {
public:
/**
* Initializes the header chain from an IPv6 header structure.
*/
IPv6_Hdr_Chain(const struct ip6_hdr* ip6) { Init(ip6, false); }
~IPv6_Hdr_Chain()
{ for ( size_t i = 0; i < chain.size(); ++i ) delete chain[i]; }
/**
* Returns the number of headers in the chain.
*/
size_t Size() const { return chain.size(); }
/**
* Returns the sum of the length of all headers in the chain in bytes.
*/
uint16 TotalLength() const { return length; }
/**
* Accesses the header at the given location in the chain.
*/
const IPv6_Hdr* operator[](const size_t i) const { return chain[i]; }
/**
* Returns whether the header chain indicates a fragmented packet.
*/
bool IsFragment() const
{ return chain[chain.size()-1]->Type() == IPPROTO_FRAGMENT; }
/**
* Returns pointer to fragment header structure if the chain contains one.
*/
const struct ip6_frag* GetFragHdr() const
{ return IsFragment() ?
(const struct ip6_frag*)chain[chain.size()-1]->Data(): 0; }
/**
* If the header chain is a fragment, returns the offset in number of bytes
* relative to the start of the Fragmentable Part of the original packet.
*/
uint16 FragOffset() const
{ return IsFragment() ?
(ntohs(GetFragHdr()->ip6f_offlg) & 0xfff8) : 0; }
/**
* If the header chain is a fragment, returns the identification field.
*/
uint32 ID() const
{ return IsFragment() ? ntohl(GetFragHdr()->ip6f_ident) : 0; }
/**
* If the header chain is a fragment, returns the M (more fragments) flag.
*/
int MF() const
{ return IsFragment() ?
(ntohs(GetFragHdr()->ip6f_offlg) & 0x0001) != 0 : 0; }
/**
* Returns a vector of ip6_ext_hdr RecordVals that includes script-layer
* representation of all extension headers in the chain.
*/
VectorVal* BuildVal() const;
protected:
// for access to protected ctor that changes next header values that
// point to a fragment
friend class FragReassembler;
/**
* Initializes the header chain from an IPv6 header structure, and replaces
* the first next protocol pointer field that points to a fragment header.
*/
IPv6_Hdr_Chain(const struct ip6_hdr* ip6, uint16 next)
{ Init(ip6, true, next); }
void Init(const struct ip6_hdr* ip6, bool set_next, uint16 next = 0);
vector<IPv6_Hdr*> chain;
uint16 length; // The summation of all header lengths in the chain in bytes.
};
class IP_Hdr {
public:
IP_Hdr(const u_char* p, bool arg_del)
: ip4(0), ip6(0), del(arg_del), ip6_hdrs(0)
{
if ( ((const struct ip*)p)->ip_v == 4 )
ip4 = (const struct ip*)p;
else if ( ((const struct ip*)p)->ip_v == 6 )
{
ip6 = (const struct ip6_hdr*)p;
ip6_hdrs = new IPv6_Hdr_Chain(ip6);
}
else
{
if ( arg_del )
delete [] p;
reporter->InternalError("bad IP version in IP_Hdr ctor");
}
}
IP_Hdr(const struct ip* arg_ip4, bool arg_del)
: ip4(arg_ip4), ip6(0), del(arg_del)
: ip4(arg_ip4), ip6(0), del(arg_del), ip6_hdrs(0)
{
}
IP_Hdr(const struct ip6_hdr* arg_ip6, bool arg_del)
: ip4(0), ip6(arg_ip6), del(arg_del)
IP_Hdr(const struct ip6_hdr* arg_ip6, bool arg_del,
const IPv6_Hdr_Chain* c = 0)
: ip4(0), ip6(arg_ip6), del(arg_del),
ip6_hdrs(c ? c : new IPv6_Hdr_Chain(ip6))
{
}
~IP_Hdr()
{
if ( ip6 )
delete ip6_hdrs;
if ( del )
{
if ( ip4 )
@ -31,56 +242,123 @@ public:
}
const struct ip* IP4_Hdr() const { return ip4; }
const struct ip6_hdr* IP6_Hdr() const { return ip6; }
IPAddr SrcAddr() const
{ return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src); }
IPAddr DstAddr() const
{ return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst); }
//TODO: needs adapting/replacement for IPv6 support
uint16 ID4() const { return ip4 ? ip4->ip_id : 0; }
/**
* Returns a pointer to the payload of the IP packet, usually an
* upper-layer protocol.
*/
const u_char* Payload() const
{
if ( ip4 )
return ((const u_char*) ip4) + ip4->ip_hl * 4;
else
return ((const u_char*) ip6) + 40;
return ((const u_char*) ip6) + ip6_hdrs->TotalLength();
}
/**
* Returns the length of the IP packet's payload (length of packet minus
* header length or, for IPv6, also minus length of all extension headers).
*/
uint16 PayloadLen() const
{
if ( ip4 )
return ntohs(ip4->ip_len) - ip4->ip_hl * 4;
else
return ntohs(ip6->ip6_plen);
return ntohs(ip6->ip6_plen) + 40 - ip6_hdrs->TotalLength();
}
uint16 TotalLen() const
{
if ( ip4 )
return ntohs(ip4->ip_len);
else
return ntohs(ip6->ip6_plen) + 40;
}
/**
* Returns the length of the IP packet (length of headers and payload).
*/
uint32 TotalLen() const
{ return ip4 ? ntohs(ip4->ip_len) : ntohs(ip6->ip6_plen) + 40; }
uint16 HdrLen() const { return ip4 ? ip4->ip_hl * 4 : 40; }
/**
* Returns length of IP packet header (includes extension headers for IPv6).
*/
uint16 HdrLen() const
{ return ip4 ? ip4->ip_hl * 4 : ip6_hdrs->TotalLength(); }
/**
* For IPv6 header chains, returns the type of the last header in the chain.
*/
uint8 LastHeader() const
{ return ip4 ? IPPROTO_RAW :
((*ip6_hdrs)[ip6_hdrs->Size()-1])->Type(); }
/**
* Returns the protocol type of the IP packet's payload, usually an
* upper-layer protocol. For IPv6, this returns the last (extension)
* header's Next Header value.
*/
unsigned char NextProto() const
{ return ip4 ? ip4->ip_p : ip6->ip6_nxt; }
{ return ip4 ? ip4->ip_p :
((*ip6_hdrs)[ip6_hdrs->Size()-1])->NextHdr(); }
unsigned char TTL() const
{ return ip4 ? ip4->ip_ttl : ip6->ip6_hlim; }
uint16 FragField() const
{ return ntohs(ip4 ? ip4->ip_off : 0); }
bool IsFragment() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x3fff) != 0 :
ip6_hdrs->IsFragment(); }
/**
* Returns the fragment packet's offset in relation to the original
* packet in bytes.
*/
uint16 FragOffset() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x1fff) * 8 :
ip6_hdrs->FragOffset(); }
/**
* Returns the fragment packet's identification field.
*/
uint32 ID() const
{ return ip4 ? ntohs(ip4->ip_id) : ip6_hdrs->ID(); }
/**
* Returns whether a fragment packet's "More Fragments" field is set.
*/
int MF() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x2000) != 0 : ip6_hdrs->MF(); }
/**
* Returns whether a fragment packet's "Don't Fragment" field is set.
* Note that IPv6 has no such field.
*/
int DF() const
{ return ip4 ? ((ntohs(ip4->ip_off) & IP_DF) != 0) : 0; }
uint16 IP_ID() const
{ return ip4 ? (ntohs(ip4->ip_id)) : 0; }
{ return ip4 ? ((ntohs(ip4->ip_off) & 0x4000) != 0) : 0; }
/**
* Returns number of IP headers in packet (includes IPv6 extension headers).
*/
size_t NumHeaders() const
{ return ip4 ? 1 : ip6_hdrs->Size(); }
/**
* Returns an ip_hdr or ip6_hdr_chain RecordVal.
*/
RecordVal* BuildIPHdrVal() const;
/**
* Returns a pkt_hdr RecordVal, which includes not only the IP header, but
* also upper-layer (tcp/udp/icmp) headers.
*/
RecordVal* BuildPktHdrVal() const;
private:
const struct ip* ip4;
const struct ip6_hdr* ip6;
bool del;
const IPv6_Hdr_Chain* ip6_hdrs;
};
#endif

1
src/Net.cc
View file

@ -42,7 +42,6 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
PList(PktSrc) pkt_srcs;
// FIXME: We should really merge PktDumper and PacketDumper.
// It's on my to-do [Robin].
PktDumper* pkt_dumper = 0;
int reading_live = 0;

7
src/PacketFilter.cc
View file

@ -71,9 +71,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
{
// Caution! The packet sanity checks have not been performed yet
const struct ip* ip4 = ip.IP4_Hdr();
int ip_hdr_len = ip4->ip_hl * 4;
int ip_hdr_len = ip.HdrLen();
len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len;
@ -82,8 +80,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
// Packet too short, will be dropped anyway.
return false;
const struct tcphdr* tp =
(const struct tcphdr*) ((u_char*) ip4 + ip_hdr_len);
const struct tcphdr* tp = (const struct tcphdr*) ip.Payload();
if ( tp->th_flags & f.tcp_flags )
// At least one of the flags is set, so don't drop

7
src/PacketSort.cc
View file

@ -28,12 +28,15 @@ PacketSortElement::PacketSortElement(PktSrc* arg_src,
const struct ip* ip = (const struct ip*) (pkt + hdr_size);
if ( ip->ip_v == 4 )
ip_hdr = new IP_Hdr(ip, false);
else
else if ( ip->ip_v == 6 )
ip_hdr = new IP_Hdr((const struct ip6_hdr*) ip, false);
else
// Weird will be generated later in NetSessions::NextPacket.
return;
if ( ip_hdr->NextProto() == IPPROTO_TCP &&
// Note: can't sort fragmented packets
(ip_hdr->FragField() & 0x3fff) == 0 )
( ! ip_hdr->IsFragment() ) )
{
tcp_offset = hdr_size + ip_hdr->HdrLen();
if ( caplen >= tcp_offset + sizeof(struct tcphdr) )

193
src/Sessions.cc
View file

@ -332,7 +332,8 @@ void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr*
StringVal* cmd_val =
new StringVal(sp->Event()->Filter());
args->append(cmd_val);
args->append(BuildHeader(ip));
IP_Hdr ip_hdr(ip, false);
args->append(ip_hdr.BuildPktHdrVal());
// ### Need to queue event here.
try
{
@ -400,18 +401,6 @@ int NetSessions::CheckConnectionTag(Connection* conn)
return 1;
}
static bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr)
{
if ( (unsigned int) len < sizeof(struct ip) )
return false;
if ( ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len )
return true;
else
return false;
}
void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* ip_hdr, const u_char* const pkt,
int hdr_size)
@ -441,18 +430,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( discarder && discarder->NextPacket(ip_hdr, len, caplen) )
return;
int proto = ip_hdr->NextProto();
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
proto != IPPROTO_ICMP )
{
dump_this_packet = 1;
return;
}
FragReassembler* f = 0;
uint32 frag_field = ip_hdr->FragField();
if ( (frag_field & 0x3fff) != 0 )
if ( ip_hdr->IsFragment() )
{
dump_this_packet = 1; // always record fragments
@ -463,12 +443,12 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
// Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which
// is useful in analyzing header-only traces)
if ( (frag_field & 0x1fff) != 0 )
if ( ip_hdr->FragOffset() != 0 )
return;
}
else
{
f = NextFragment(t, ip_hdr, pkt + hdr_size, frag_field);
f = NextFragment(t, ip_hdr, pkt + hdr_size);
const IP_Hdr* ih = f->ReassembledPkt();
if ( ! ih )
// It didn't reassemble into anything yet.
@ -485,21 +465,27 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len;
uint32 min_hdr_len = (proto == IPPROTO_TCP) ? sizeof(struct tcphdr) :
(proto == IPPROTO_UDP ? sizeof(struct udphdr) : ICMP_MINLEN);
if ( len < min_hdr_len )
// We stop building the chain when seeing IPPROTO_ESP so if it's
// there, it's always the last.
if ( ip_hdr->LastHeader() == IPPROTO_ESP )
{
Weird("truncated_header", hdr, pkt);
if ( f )
Remove(f); // ###
dump_this_packet = 1;
if ( esp_packet )
{
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(esp_packet, vl);
}
Remove(f);
// Can't do more since upper-layer payloads are going to be encrypted.
return;
}
if ( caplen < min_hdr_len )
int proto = ip_hdr->NextProto();
if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) )
{
Weird("internally_truncated_header", hdr, pkt);
if ( f )
Remove(f); // ###
Remove(f);
return;
}
@ -548,7 +534,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
default:
Weird(fmt("unknown_protocol %d", proto), hdr, pkt);
Weird(fmt("unknown_protocol_%d", proto), hdr, pkt);
Remove(f);
return;
}
@ -574,6 +561,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( consistent < 0 )
{
delete h;
Remove(f);
return;
}
@ -592,10 +580,11 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
if ( ! conn )
{
delete h;
if ( ! conn )
Remove(f);
return;
}
int record_packet = 1; // whether to record the packet at all
int record_content = 1; // whether to record its data
@ -603,8 +592,17 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int is_orig = (id.src_addr == conn->OrigAddr()) &&
(id.src_port == conn->OrigPort());
if ( new_packet && ip4 )
conn->Event(new_packet, 0, BuildHeader(ip4));
Val* pkt_hdr_val = 0;
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->BuildPktHdrVal();
conn->Event(ipv6_ext_headers, 0, pkt_hdr_val);
}
if ( new_packet )
conn->Event(new_packet, 0,
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
record_packet, record_content,
@ -614,7 +612,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
{
// Above we already recorded the fragment in its entirety.
f->DeleteTimer();
Remove(f); // ###
Remove(f);
}
else if ( record_packet )
@ -630,104 +628,42 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
}
Val* NetSessions::BuildHeader(const struct ip* ip)
bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* h, const u_char* p)
{
static RecordType* pkt_hdr_type = 0;
static RecordType* ip_hdr_type = 0;
static RecordType* tcp_hdr_type = 0;
static RecordType* udp_hdr_type = 0;
static RecordType* icmp_hdr_type;
if ( ! pkt_hdr_type )
{
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
ip_hdr_type = internal_type("ip_hdr")->AsRecordType();
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
}
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
RecordVal* ip_hdr = new RecordVal(ip_hdr_type);
int ip_hdr_len = ip->ip_hl * 4;
int ip_pkt_len = ntohs(ip->ip_len);
ip_hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
ip_hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
ip_hdr->Assign(2, new Val(ip_pkt_len, TYPE_COUNT));
ip_hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
ip_hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
ip_hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
ip_hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
ip_hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
pkt_hdr->Assign(0, ip_hdr);
// L4 header.
const u_char* data = ((const u_char*) ip) + ip_hdr_len;
int proto = ip->ip_p;
uint32 min_hdr_len = 0;
switch ( proto ) {
case IPPROTO_TCP:
{
const struct tcphdr* tp = (const struct tcphdr*) data;
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
int tcp_hdr_len = tp->th_off * 4;
int data_len = ip_pkt_len - ip_hdr_len - tcp_hdr_len;
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
pkt_hdr->Assign(1, tcp_hdr);
min_hdr_len = sizeof(struct tcphdr);
break;
}
case IPPROTO_UDP:
{
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(2, udp_hdr);
min_hdr_len = sizeof(struct udphdr);
break;
}
case IPPROTO_ICMP:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(3, icmp_hdr);
break;
}
default:
{
// This is not a protocol we understand.
}
// Use for all other packets.
min_hdr_len = ICMP_MINLEN;
}
return pkt_hdr;
if ( len < min_hdr_len )
{
Weird("truncated_header", h, p);
return true;
}
if ( caplen < min_hdr_len )
{
Weird("internally_truncated_header", h, p);
return true;
}
return false;
}
FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field)
const u_char* pkt)
{
uint32 frag_id = ntohs(ip->ID4()); // we actually could skip conv.
uint32 frag_id = ip->ID();
ListVal* key = new ListVal(TYPE_ANY);
key->Append(new AddrVal(ip->SrcAddr()));
@ -741,7 +677,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
FragReassembler* f = fragments.Lookup(h);
if ( ! f )
{
f = new FragReassembler(this, ip, pkt, frag_field, h, t);
f = new FragReassembler(this, ip, pkt, h, t);
fragments.Insert(h, f);
Unref(key);
return f;
@ -750,7 +686,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
delete h;
Unref(key);
f->AddFragment(t, ip, pkt, frag_field);
f->AddFragment(t, ip, pkt);
return f;
}
@ -909,6 +845,7 @@ void NetSessions::Remove(Connection* c)
void NetSessions::Remove(FragReassembler* f)
{
if ( ! f ) return;
HashKey* k = f->Key();
if ( ! k )
reporter->InternalError("fragment block not in dictionary");

11
src/Sessions.h
View file

@ -79,7 +79,7 @@ public:
// Returns a reassembled packet, or nil if there are still
// some missing fragments.
FragReassembler* NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field);
const u_char* pkt);
int Get_OS_From_SYN(struct os_type* retval,
uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
@ -190,10 +190,11 @@ protected:
void Internal(const char* msg, const struct pcap_pkthdr* hdr,
const u_char* pkt);
// Builds a record encapsulating a packet. This should be more
// general, including the equivalent of a union of tcp/udp/icmp
// headers .
Val* BuildHeader(const struct ip* ip);
// For a given protocol, checks whether the header's length as derived
// from lower-level headers or the length actually captured is less
// than that protocol's minimum header size.
bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* hdr, const u_char* pkt);
CompositeHash* ch;
PDict(Connection) tcp_conns;

6
src/TCP.cc
View file

@ -1203,7 +1203,7 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
if ( ip->HdrLen() > 20 )
quirks |= QUIRK_IPOPT;
if ( ip->IP_ID() == 0 )
if ( ip->ID() == 0 )
quirks |= QUIRK_ZEROID;
if ( tcp->th_seq == 0 )
@ -1942,11 +1942,11 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
{
if ( ++num_pkts == 1 )
{ // First packet.
last_id = ntohs(ip->ID4());
last_id = ip->ID();
return 0;
}
int id = ntohs(ip->ID4());
int id = ip->ID();
if ( id == last_id )
{

33
src/bro.bif
View file

@ -2049,6 +2049,39 @@ function is_v6_addr%(a: addr%): bool
#
# ===========================================================================
## Converts the *data* field of :bro:type:`ip6_routing` records that have
## *rtype* of 0 into a set of addresses.
##
## s: The *data* field of an :bro:type:`ip6_routing` record that has
## an *rtype* of 0.
##
## Returns: The set of addresses contained in the routing header data.
function routing0_data_to_addrs%(s: string%): addr_set
%{
BroType* index_type = base_type(TYPE_ADDR);
TypeList* set_index = new TypeList(index_type);
set_index->Append(index_type);
TableVal* tv = new TableVal(new SetType(set_index, 0));
int len = s->Len();
const u_char* bytes = s->Bytes();
bytes += 4; // go past 32-bit reserved field
len -= 4;
if ( ( len % 16 ) != 0 )
reporter->Warning("Bad ip6_routing data length: %d", s->Len());
while ( len > 0 )
{
IPAddr a(IPAddr::IPv6, (const uint32*) bytes, IPAddr::Network);
tv->Assign(new AddrVal(a), 0);
bytes += 16;
len -= 16;
}
return tv;
%}
## Converts a :bro:type:`addr` to a :bro:type:`index_vec`.
##
## a: The address to convert into a vector of counts.

21
src/event.bif
View file

@ -454,11 +454,30 @@ event expected_connection_seen%(c: connection, a: count%);
##
## c: The connection the packet is part of.
##
## p: Informattion from the header of the packet that triggered the event.
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: tcp_packet packet_contents
event new_packet%(c: connection, p: pkt_hdr%);
## Generated for every IPv6 packet that contains extension headers.
## This is potentially an expensive event to handle if analysiing IPv6 traffic
## that happens to utilize extension headers frequently.
##
## c: The connection the packet is part of.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet packet_contents esp_packet
event ipv6_ext_headers%(c: connection, p: pkt_hdr%);
## Generated for any packets using the IPv6 Encapsulating Security Payload (ESP)
## extension header.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
event esp_packet%(p: pkt_hdr%);
## Generated for every packet that has non-empty transport-layer payload. This is a
## very low-level and expensive event that should be avoided when at all possible.
## It's usually infeasible to handle when processing even medium volumes of

2
src/main.cc
View file

@ -837,7 +837,7 @@ int main(int argc, char** argv)
if ( dns_type != DNS_PRIME )
net_init(interfaces, read_files, netflows, flow_files,
writefile, "tcp or udp or icmp",
writefile, "",
secondary_path->Filter(), do_watchdog);
BroFile::SetDefaultRotation(log_rotate_interval, log_max_size);

8
testing/btest/Baseline/bifs.install_src_addr_filter/output Normal file
View file

@ -0,0 +1,8 @@
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]

4
testing/btest/Baseline/bifs.routing0_data_to_addrs/output Normal file
View file

@ -0,0 +1,4 @@
{
2001:78:1:32::1,
2001:78:1:32::2
}

24
testing/btest/Baseline/core.discarder/output Normal file
View file

@ -0,0 +1,24 @@
################ IP Discarder ################
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
################ TCP Discarder ################
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
################ UDP Discarder ################
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
################ ICMP Discarder ################
Discard icmp packet: [icmp_type=3]

9
testing/btest/Baseline/core.ipv6-frag/dns.log Normal file
View file

@ -0,0 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z answers TTLs
#types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count vector[string] vector[interval]
1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR F T F T F 0 This TXT record should be ignored 1.000000
1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR F T F T F 0 This TXT record should be ignored 1.000000

5
testing/btest/Baseline/core.ipv6-frag/output Normal file
View file

@ -0,0 +1,5 @@
ip6=[class=0, flow=0, len=81, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51850/udp, dport=53/udp, ulen=81]
ip6=[class=0, flow=0, len=331, nxt=17, hlim=53, src=2607:f740:b::f93, dst=2001:470:1f11:81f:d138:5f55:6d4:1fe2, exts=[]], udp = [sport=53/udp, dport=51850/udp, ulen=331]
ip6=[class=0, flow=0, len=82, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51851/udp, dport=53/udp, ulen=82]
ip6=[class=0, flow=0, len=82, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51851/udp, dport=53/udp, ulen=82]
ip6=[class=0, flow=0, len=3238, nxt=17, hlim=53, src=2607:f740:b::f93, dst=2001:470:1f11:81f:d138:5f55:6d4:1fe2, exts=[]], udp = [sport=53/udp, dport=51851/udp, ulen=3238]

120
testing/btest/Baseline/core.ipv6_esp/output Normal file
View file

@ -0,0 +1,120 @@
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]

1
testing/btest/Baseline/core.ipv6_ext_headers/output Normal file
View file

@ -0,0 +1 @@
[ip=<uninitialized>, ip6=[class=0, flow=0, len=59, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\0\0\0\0]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=4, rtype=0, segleft=2, data=\0\0\0\0 ^A\0x\0^A\02\0\0\0\0\0\0\0^A ^A\0x\0^A\02\0\0\0\0\0\0\0^B], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=53/udp, dport=53/udp, ulen=11], icmp=<uninitialized>]

4
testing/btest/Makefile
View file

@ -6,13 +6,13 @@ all: cleanup btest-verbose coverage
# Showing all tests.
btest-verbose:
@$(BTEST) -f $(DIAG)
@$(BTEST) -j 5 -f $(DIAG)
brief: cleanup btest-brief coverage
# Brief output showing only failed tests.
btest-brief:
@$(BTEST) -b -f $(DIAG)
@$(BTEST) -j 5 -b -f $(DIAG)
coverage:
@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts

BIN
testing/btest/Traces/ext_hdr_hbh_routing.trace Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/icmp-unreach.trace Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/ip6_esp.trace Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/ipv6-fragmented-dns.trace Executable file
View file

Binary file not shown.

13
testing/btest/bifs/install_src_addr_filter.test Normal file
View file

@ -0,0 +1,13 @@
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
# @TEST-EXEC: btest-diff output
event bro_init()
{
install_src_addr_filter(141.142.220.118, TH_SYN, 100.0);
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$tcp && p$ip$src == 141.142.220.118 )
print c$id;
}

10
testing/btest/bifs/routing0_data_to_addrs.test Normal file
View file

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -C -b -r $TRACES/ext_hdr_hbh_routing.trace %INPUT >output
# @TEST-EXEC: btest-diff output
event ipv6_ext_headers(c: connection, p: pkt_hdr)
{
for ( h in p$ip6$exts )
if ( p$ip6$exts[h]$id == IPPROTO_ROUTING )
if ( p$ip6$exts[h]$routing$rtype == 0 )
print routing0_data_to_addrs(p$ip6$exts[h]$routing$data);
}

92
testing/btest/core/discarder.bro Normal file
View file

@ -0,0 +1,92 @@
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output
# @TEST-EXEC: bro -C -r $TRACES/icmp-unreach.trace discarder-icmp.bro >>output
# @TEST-EXEC: btest-diff output
@TEST-START-FILE discarder-ip.bro
event bro_init()
{
print "################ IP Discarder ################";
}
function discarder_check_ip(p: pkt_hdr): bool
{
if ( p?$ip && p$ip$src == 141.142.220.118 && p$ip$dst == 208.80.152.2 )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-tcp.bro
event bro_init()
{
print "################ TCP Discarder ################";
}
function discarder_check_tcp(p: pkt_hdr, d: string): bool
{
if ( p$tcp$flags == TH_SYN )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$tcp )
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-udp.bro
event bro_init()
{
print "################ UDP Discarder ################";
}
function discarder_check_udp(p: pkt_hdr, d: string): bool
{
if ( p?$ip6 )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$udp )
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-icmp.bro
event bro_init()
{
print "################ ICMP Discarder ################";
}
function discarder_check_icmp(p: pkt_hdr): bool
{
print fmt("Discard icmp packet: %s", p$icmp);
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$icmp )
print c$id;
}
@TEST-END-FILE

9
testing/btest/core/ipv6-frag.test Normal file
View file

@ -0,0 +1,9 @@
# @TEST-EXEC: bro -r $TRACES/ipv6-fragmented-dns.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff dns.log
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$ip6 && p?$ udp )
print fmt("ip6=%s, udp = %s", p$ip6, p$udp);
}

10
testing/btest/core/ipv6_esp.test Normal file
View file

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -r $TRACES/ip6_esp.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# Just check that the event is raised correctly for a packet containing
# ESP extension headers.
event esp_packet(p: pkt_hdr)
{
print p;
}

10
testing/btest/core/ipv6_ext_headers.test Normal file
View file

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -C -b -r $TRACES/ext_hdr_hbh_routing.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# Just check that the event is raised correctly for a packet containing
# extension headers.
event ipv6_ext_headers(c: connection, p: pkt_hdr)
{
print p;
}