GH-618: add "tcp_options" event containing TCP option values

testing/btest/Baseline/core.tcp.options/out

@@ -3,14 +3,48 @@
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 8, 10
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 3, 3
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T
+  kind: 2, length: 4
+    mss: 1460
+  kind: 4, length: 2
+    sack permitted
+  kind: 8, length: 10
+    send ts: 4294923497
+    echo ts: 0
+  kind: 1, length: 1
+  kind: 3, length: 3
+    window scale: 6
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 2, 4
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 4, 2
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 8, 10
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 1, 1
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 3, 3
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F
+  kind: 2, length: 4
+    mss: 1380
+  kind: 4, length: 2
+    sack permitted
+  kind: 8, length: 10
+    send ts: 419445911
+    echo ts: 4294923497
+  kind: 1, length: 1
+  kind: 3, length: 3
+    window scale: 7
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 8, 10
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T
+  kind: 1, length: 1
+  kind: 1, length: 1
+  kind: 8, length: 10
+    send ts: 4294923545
+    echo ts: 419445911
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
 [orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 8, 10
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T
+  kind: 1, length: 1
+  kind: 1, length: 1
+  kind: 8, length: 10
+    send ts: 4294923545
+    echo ts: 419445911

testing/btest/Baseline/core.tcp.options/out-sack

@@ -0,0 +1,24 @@
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 5, 10
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 0, 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T
+  kind: 5, length: 10
+    sack: [1, 16]
+  kind: 0, length: 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 5, 18
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 0, 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T
+  kind: 5, length: 18
+    sack: [1, 16, 256, 4096]
+  kind: 0, length: 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 5, 26
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 0, 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T
+  kind: 5, length: 26
+    sack: [1, 16, 256, 4096, 65536, 1048576]
+  kind: 0, length: 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 5, 34
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T, 0, 1
+[orig_h=127.0.0.1, orig_p=20/tcp, resp_h=127.0.0.1, resp_p=80/tcp], T
+  kind: 5, length: 34
+    sack: [1, 16, 256, 4096, 65536, 1048576, 16777216, 268435456]
+  kind: 0, length: 1

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -274,7 +274,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -455,7 +455,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -679,6 +679,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Syslog.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_TCP.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_TCP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Teredo.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_UDP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Unified2.events.bif.zeek) -> -1
@@ -1169,7 +1170,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1350,7 +1351,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1574,6 +1575,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_TCP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_TCP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Teredo.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_UDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Unified2.events.bif.zeek)
@@ -2063,7 +2065,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2244,7 +2246,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2468,6 +2470,7 @@
 0.000000 | HookLoadFile  .<...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_TCP.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_TCP.types.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_Teredo.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_UDP.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_Unified2.events.bif.zeek
@@ -2678,7 +2681,7 @@
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLoadFile  base<...>/zeek.bif.zeek
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1565053246.404549, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1570153649.029308, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()

testing/btest/core/tcp/options.zeek

@@ -1,7 +1,44 @@
 # @TEST-EXEC: zeek -b -r $TRACES/tcp/options.pcap %INPUT > out
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/option-sack.pcap %INPUT > out-sack
 # @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff out-sack
 
 event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
 	{
 	print c$id, is_orig, opt, optlen;
 	}
+
+event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
+	{
+	print c$id, is_orig;
+
+	for ( i in options )
+		{
+		local o = options[i];
+		print fmt("  kind: %s, length: %s", o$kind, o$length);
+
+		if ( o?$data )
+			print fmt("    data (%s): %s", |o$data|, o$data);
+		else
+			{
+			switch ( o$kind ) {
+			case 2:
+				print fmt("    mss: %s", o$mss);
+				break;
+			case 3:
+				print fmt("    window scale: %s", o$window_scale);
+				break;
+			case 4:
+				print fmt("    sack permitted");
+				break;
+			case 5:
+				print fmt("    sack: %s", o$sack);
+				break;
+			case 8:
+				print fmt("    send ts: %s", o$send_timestamp);
+				print fmt("    echo ts: %s", o$echo_timestamp);
+				break;
+			}
+			}
+		}
+	}