Add script to detect filtered TCP traces, addresses BIT-1119.

If reading a trace file w/ only TCP control packets, a warning is
emitted to suggest the 'detect_filtered_traces' option if the user
doesn't desire Bro to report missing TCP segments for such a trace file.

scripts/base/init-default.bro

@@ -60,3 +60,4 @@
 
 
 @load base/misc/find-checksum-offloading
+@load base/misc/find-filtered-trace

scripts/base/misc/find-filtered-trace.bro

@@ -0,0 +1,49 @@
+##! Discovers trace files that contain TCP traffic consisting only of
+##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
+##! packets and no content).  On finding such a trace, a warning is
+##! emitted that suggests toggling the :bro:see:`detect_filtered_trace`
+##! option may be desired if the user does not want Bro to report
+##! missing TCP segments.
+
+module FilteredTraceDetection;
+
+export {
+
+	## Flag to enable filtered trace file detection and warning message.
+	global enable: bool = T &redef;
+}
+
+global saw_tcp_conn_with_data: bool = F;
+global saw_a_tcp_conn: bool = F;
+
+event connection_state_remove(c: connection)
+	{
+	if ( ! reading_traces() )
+		return;
+
+	if ( ! enable )
+		return;
+
+	if ( saw_tcp_conn_with_data )
+		return;
+
+	if ( ! is_tcp_port(c$id$orig_p) )
+		return;
+
+	saw_a_tcp_conn = T;
+
+	if ( /[Dd]/ in c$history )
+		saw_tcp_conn_with_data = T;
+	}
+
+event bro_done()
+	{
+	if ( ! enable )
+		return;
+
+	if ( ! saw_a_tcp_conn )
+		return;
+
+	if ( ! saw_tcp_conn_with_data )
+		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
+	}

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-10-30-16-52-28
+#open	2014-01-31-22-54-38
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -220,5 +220,6 @@ scripts/base/init-default.bro
   scripts/base/files/unified2/__load__.bro
     scripts/base/files/unified2/main.bro
   scripts/base/misc/find-checksum-offloading.bro
+  scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-10-30-16-52-28
+#close	2014-01-31-22-54-38

testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1

@@ -0,0 +1 @@
+1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.

testing/btest/scripts/base/misc/find-filtered-trace.test

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap >out1 2>&1
+# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap "FilteredTraceDetection::enable=F" >out2 2>&1
+# @TEST-EXEC: TEST_DIFF_CANOIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
+# @TEST-EXEC: btest-diff out2