Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 01:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/jsiwek/tcp-improvements'

Browse source 
* origin/topic/jsiwek/tcp-improvements:
  Add script to detect filtered TCP traces, addresses BIT-1119.

BIT-1119 #merged

If we could only disable an event handler dynamically ...
This commit is contained in:
Robin Sommer 2014-02-04 09:25:04 -08:00
commit 126fbb6ba9
8 changed files with 59 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

5
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2013-10-30-16-52-28
#open 2014-01-31-22-54-38
#fields name
#types string
scripts/base/init-bare.bro
@ -220,5 +220,6 @@ scripts/base/init-default.bro
scripts/base/files/unified2/__load__.bro
scripts/base/files/unified2/main.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/base/misc/find-filtered-trace.bro
scripts/policy/misc/loaded-scripts.bro
#close 2013-10-30-16-52-28
#close 2014-01-31-22-54-38

1
testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 Normal file
View file

@ -0,0 +1 @@
1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.

0
testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2 Normal file
View file

BIN
testing/btest/Traces/http/bro.org-filtered.pcap Normal file
View file

Binary file not shown.

4
testing/btest/scripts/base/misc/find-filtered-trace.test Normal file
View file

@ -0,0 +1,4 @@
# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap >out1 2>&1
# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap "FilteredTraceDetection::enable=F" >out2 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
# @TEST-EXEC: btest-diff out2