Merge branch 'master' into topic/robin/log-threads

Conflicts:
	cmake
Jon Siwek 2012-03-30 12:02:32 -05:00
commit 256c0af98e
77 changed files with 1987 additions and 729 deletions

95
CHANGES

@ -1,4 +1,99 @@
2.0-184 | 2012-03-28 15:11:11 -0700
* Improve handling of IPv6 Routing Type 0 headers. (Jon Siwek)
- For RH0 headers with non-zero segments left, a
"routing0_segleft" flow_weird event is raised (with a
destination indicating the last address in the routing header),
and an "rh0_segleft" event can also be handled if the other
contents of the packet header are of interest. No further
analysis is done as the complexity required to correctly
identify destination endpoints of connections doesn't seem worth
it as RH0 has been deprecated by RFC 5095.
- For RH0 headers without any segments left, a "routing0_header"
flow_weird event is raised, but further analysis still occurs as
normal.
2.0-182 | 2012-03-28 15:01:57 -0700
* Remove dead tcp_checksum function from net_util. (Jon Siwek)
* Change routing0_data_to_addrs BIF to return vector of addresses.
The order of addresses in type 0 routing headers is
interesting/important. (Jon Siwek)
2.0-179 | 2012-03-23 17:43:31 -0700
* Remove the default "tcp or udp or icmp" filter. In default mode,
Bro would load the packet filter script framework which installs a
filter that allows all packets, but in bare mode (the -b option),
this old filter would not follow IPv6 protocol chains and thus
filter out packets with extension headers. (Jon Siwek)
* Update PacketFilter/Discarder code for IP version independence.
(Jon Siwek)
* Fix some IPv6 header related bugs. (Jon Siwek)
* Add IPv6 fragment reassembly. (Jon Siwek)
* Add handling for IPv6 extension header chains. Addresses #531.
(Jon Siwek)
- The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
representing the full IPv6 header chain.
- The 'new_packet' event is now raised for IPv6 packets. Addresses
#523.
- A new event called 'ipv6_ext_header' is raised for any IPv6
packet containing extension headers.
- A new event called 'esp_packet' is raised for any packets using
ESP ('new_packet' and 'ipv6_ext_header' events provide
connection info, but that info can't be provided here since the
upper-layer payload is encrypted).
- The 'unknown_protocol' weird is now raised more reliably when
Bro sees a transport protocol or IPv6 extension header it can't
handle. Addresses #522.
* Add unit tests for IPv6 fragment reassembly, ipv6_ext_headers and
esp_packet events. (Jon Siwek)
* Adapt FreeBSD's inet_ntop implementation for internal use. Now we
get consistent text representations of IPv6 addresses across
platforms. (Jon Siwek)
* Update documentation for new syntax of IPv6 literals. (Jon Siwek)
2.0-150 | 2012-03-13 16:16:22 -0700
* Changing the regular expression to allow Site::local_nets in
signatures. (Julien Sentier)
* Removing a line of dead code. Found by . Closes #786. (Julien
Sentier)
2.0-146 | 2012-03-13 15:39:38 -0700
* Change IPv6 literal constant syntax to require encasing square
brackets. (Jon Siwek)
2.0-145 | 2012-03-09 15:10:35 -0800
* Remove the match expression. 'match' and 'using' are no longer
keywords. Addressed #753. (Jon Siwek)
2.0-143 | 2012-03-09 15:07:42 -0800
* Fix a BRO_PROFILER_FILE/mkstemp portability issue. Addresses #794.
(Jon Siwek)
2.0-139 | 2012-03-02 09:33:04 -0800
* Changes to how script coverage integrates with test suites. (Jon Siwek)

7
NEWS

@ -24,6 +24,13 @@ Bro 2.1
- The connection compressor was already deprecated in 2.0 and has now
been removed from the code base.
- We removed the "match" statement, which was no longer used by any of
the default scripts, nor was it likely to be used by anybody anytime
soon. With that, "match" and "using" are no longer reserved keywords.
- The syntax for IPv6 literals changed from "2607:f8b0:4009:802::1012"
to "[2607:f8b0:4009:802::1012]".
TODO: Extend.
Bro 2.0


@ -1 +1 @@
2.0-139
2.0-184

@ -1 +1 @@
Subproject commit 3034da8f082b61157e234237993ffd7a95be6e62
Subproject commit dd1a3a95f07082efcd5274b21104a038d523d132

@ -1 +1 @@
Subproject commit f53bcb2b492cb0db3dd288384040abc2ab711767
Subproject commit a59b35bdada8f70fb1a59bf7bb2976534c86d378

@ -1 +1 @@
Subproject commit 2602eb53e70d7f0afae8fac58d7636b9291974a4
Subproject commit a4046c2f79b6ab0ac19ae8be94b79c6ce578bea7

@ -1 +1 @@
Subproject commit 954538514d71983e7ef3f0e109960466096e1c1d
Subproject commit c86b7e990b4d39cd48c0cb692077aa081b418149

@ -1 +1 @@
Subproject commit ee87db37b520b88a55323a9767234c30b801e439
Subproject commit c8e8fe477b5dec635e5ce00f3f764fad069c549c

2
cmake

@ -1 +1 @@
Subproject commit 4b573ed849f131ebb8e34fa24786d56f9805e444
Subproject commit 550ab2c8d95b1d3e18e40a903152650e6c7a3c45


@ -162,7 +162,11 @@ The Bro scripting language supports the following built-in types.
``A1.A2.A3.A4``, where Ai all lie between 0 and 255.
IPv6 address constants are written as colon-separated hexadecimal form
as described by :rfc:`2373`.
as described by :rfc:`2373`, but additionally encased in square brackets.
The mixed notation with embedded IPv4 addresses as dotted-quads in the
lower 32 bits is also allowed.
Some examples: ``[2001:db8::1]``, ``[::ffff:192.168.1.100]``, or
``[aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]``.
Hostname constants can also be used, but since a hostname can
correspond to multiple IP addresses, the type of such variable is a
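Review bot: The rewritten sentence on IPv6 address constants still cites :rfc:`2373`, which has been obsoleted (by RFC 3513, then RFC 4291). Since the line is being touched anyway, point it at :rfc:`4291`, which also covers the mixed notation with an embedded dotted-quad that the next sentence allows.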
@ -196,7 +200,7 @@ The Bro scripting language supports the following built-in types.
A type representing a block of IP addresses in CIDR notation. A
``subnet`` constant is written as an :bro:type:`addr` followed by a
slash (/) and then the network prefix size specified as a decimal
number. For example, ``192.168.0.0/16``.
number. For example, ``192.168.0.0/16`` or ``[fe80::]/64``.
.. bro:type:: any


@ -46,6 +46,13 @@ type index_vec: vector of count;
## then remove this alias.
type string_vec: vector of string;
## A vector of addresses.
##
## .. todo:: We need this type definition only for declaring builtin functions via
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
## then remove this alias.
type addr_vec: vector of addr;
## A table of strings indexed by strings.
##
## .. todo:: We need this type definition only for declaring builtin functions via
@ -939,12 +946,162 @@ const IPPROTO_IGMP = 2; ##< Group management protocol.
const IPPROTO_IPIP = 4; ##< IP encapsulation in IP.
const IPPROTO_TCP = 6; ##< TCP.
const IPPROTO_UDP = 17; ##< User datagram protocol.
const IPPROTO_IPV6 = 41; ##< IPv6 header.
const IPPROTO_RAW = 255; ##< Raw IP packet.
## Values extracted from an IP header.
# Definitions for IPv6 extension headers.
const IPPROTO_HOPOPTS = 0; ##< IPv6 hop-by-hop-options header.
const IPPROTO_ROUTING = 43; ##< IPv6 routing header.
const IPPROTO_FRAGMENT = 44; ##< IPv6 fragment header.
const IPPROTO_ESP = 50; ##< IPv6 encapsulating security payload header.
const IPPROTO_AH = 51; ##< IPv6 authentication header.
const IPPROTO_NONE = 59; ##< IPv6 no next header.
const IPPROTO_DSTOPTS = 60; ##< IPv6 destination options header.
## Values extracted from an IPv6 extension header's (e.g. hop-by-hop or
## destination option headers) option field.
##
## .. bro:see:: pkt_hdr discarder_check_ip
type ip_hdr: record {
## .. bro:see:: ip6_hdr ip6_hdr_chain ip6_hopopts ip6_dstopts
type ip6_option: record {
otype: count; ##< Option type.
len: count; ##< Option data length.
data: string; ##< Option data.
};
## Values extracted from an IPv6 Hop-by-Hop options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain ip6_option
type ip6_hopopts: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
};
## Values extracted from an IPv6 Destination options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain ip6_option
type ip6_dstopts: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
};
## Values extracted from an IPv6 Routing extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_routing: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## Routing type.
rtype: count;
## Segments left.
segleft: count;
## Type-specific data.
data: string;
};
## Values extracted from an IPv6 Fragment extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_fragment: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## 8-bit reserved field.
rsv1: count;
## Fragmentation offset.
offset: count;
## 2-bit reserved field.
rsv2: count;
## More fragments.
more: bool;
## Fragment identification.
id: count;
};
## Values extracted from an IPv6 Authentication extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_ah: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 4-octet units, excluding first two units.
len: count;
## Reserved field.
rsv: count;
## Security Parameter Index.
spi: count;
## Sequence number.
seq: count;
## Authentication data.
data: string;
};
## Values extracted from an IPv6 ESP extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_esp: record {
## Security Parameters Index.
spi: count;
## Sequence number.
seq: count;
};
## A general container for a more specific IPv6 extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
## ip6_ah ip6_esp
type ip6_ext_hdr: record {
## The RFC 1700 et seq. IANA assigned number identifying the type of
## the extension header.
id: count;
## Hop-by-hop option extension header.
hopopts: ip6_hopopts &optional;
## Destination option extension header.
dstopts: ip6_dstopts &optional;
## Routing extension header.
routing: ip6_routing &optional;
## Fragment header.
fragment: ip6_fragment &optional;
## Authentication extension header.
ah: ip6_ah &optional;
## Encapsulating security payload header.
esp: ip6_esp &optional;
};
## Values extracted from an IPv6 header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr_chain ip6_hopopts ip6_dstopts
## ip6_routing ip6_fragment ip6_ah ip6_esp
type ip6_hdr: record {
class: count; ##< Traffic class.
flow: count; ##< Flow label.
len: count; ##< Payload length.
nxt: count; ##< Protocol number of the next header
##< (RFC 1700 et seq., IANA assigned number)
##< e.g. :bro:id:`IPPROTO_ICMP`.
hlim: count; ##< Hop limit.
src: addr; ##< Source address.
dst: addr; ##< Destination address.
exts: vector of ip6_ext_hdr; ##< Extension header chain.
};
## Values extracted from an IPv4 header.
##
## .. bro:see:: pkt_hdr ip6_hdr discarder_check_ip
type ip4_hdr: record {
hl: count; ##< Header length in bytes.
tos: count; ##< Type of service.
len: count; ##< Total length.
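Review bot: In ip6_fragment, the comment on the offset field ("Fragmentation offset.") does not say which unit the value is in. src/IP.cc fills it with (ntohs(frag->ip6f_offlg) & 0xfff8)>>3, which is the raw 13-bit field in 8-octet units rather than a byte offset, so a script that compares it against payload lengths will be off by a factor of eight. State the unit in the doc comment, the way the len fields of ip6_hopopts and ip6_ah already do.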
@ -1000,7 +1157,8 @@ type icmp_hdr: record {
##
## .. bro:see:: new_packet
type pkt_hdr: record {
ip: ip_hdr; ##< The IP header.
ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet.
ip6: ip6_hdr &optional; ##< The IPv6 header if an IPv6 packet.
tcp: tcp_hdr &optional; ##< The TCP header if a TCP packet.
udp: udp_hdr &optional; ##< The UDP header if a UDP packet.
icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet.
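Review bot: The ip field of pkt_hdr goes from a mandatory ip_hdr to ip4_hdr &optional, so any existing handler that reads p$ip unconditionally will hit an unset field on IPv6 packets. The record's doc comment should tell script writers to test p?$ip and p?$ip6 before dereferencing, and the ip_hdr to ip4_hdr rename belongs in the Bro 2.1 section of NEWS next to the IPv6 literal syntax change.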
@ -1023,7 +1181,7 @@ global discarder_maxlen = 128 &redef;
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## p: The IP header of the considered packet.
##
## Returns: True if the packet should not be analyzed any further.
##
@ -1032,15 +1190,15 @@ global discarder_maxlen = 128 &redef;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_ip: function(i: ip_hdr): bool;
global discarder_check_ip: function(p: pkt_hdr): bool;
## Function for skipping packets based on their TCP header. If defined, this
## function will be called for all TCP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## t: The TCP header.
## p: The IP and TCP headers of the considered packet.
##
## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
##
## Returns: True if the packet should not be analyzed any further.
@ -1050,15 +1208,15 @@ global discarder_check_ip: function(i: ip_hdr): bool;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their UDP header. If defined, this
## function will be called for all UDP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## t: The UDP header.
## p: The IP and UDP headers of the considered packet.
##
## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
##
## Returns: True if the packet should not be analyzed any further.
@ -1068,15 +1226,14 @@ global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their ICMP header. If defined, this
## function will be called for all ICMP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
## i: The IP header of the considered packet.
## ih: The ICMP header.
## p: The IP and ICMP headers of the considered packet.
##
## Returns: True if the packet should not be analyzed any further.
##
@ -1085,7 +1242,7 @@ global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
##
## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it.
global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
global discarder_check_icmp: function(p: pkt_hdr): bool;
## Bro's watchdog interval.
const watchdog_interval = 10 sec &redef;


@ -275,7 +275,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
{
c$ftp$passive=T;
if ( code == 229 && data$h == :: )
if ( code == 229 && data$h == [::] )
data$h = id$resp_h;
ftp_data_expected[data$h, data$p] = c$ftp;


@ -332,6 +332,7 @@ set(bro_SRCS
IntSet.cc
InterConn.cc
IOSource.cc
IP.cc
IPAddr.cc
IRC.cc
List.cc
@ -400,6 +401,7 @@ set(bro_SRCS
XDR.cc
ZIP.cc
bsd-getopt-long.c
bro_inet_ntop.c
cq.c
md5.c
patricia.c


@ -10,11 +10,6 @@
Discarder::Discarder()
{
ip_hdr = internal_type("ip_hdr")->AsRecordType();
tcp_hdr = internal_type("tcp_hdr")->AsRecordType();
udp_hdr = internal_type("udp_hdr")->AsRecordType();
icmp_hdr = internal_type("icmp_hdr")->AsRecordType();
check_ip = internal_func("discarder_check_ip");
check_tcp = internal_func("discarder_check_tcp");
check_udp = internal_func("discarder_check_udp");
@ -36,12 +31,10 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
{
int discard_packet = 0;
const struct ip* ip4 = ip->IP4_Hdr();
if ( check_ip )
{
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(ip->BuildPktHdrVal());
try
{
@ -59,19 +52,18 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
return discard_packet;
}
int proto = ip4->ip_p;
int proto = ip->NextProto();
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
proto != IPPROTO_ICMP )
// This is not a protocol we understand.
return 0;
// XXX shall we only check the first packet???
uint32 frag_field = ntohs(ip4->ip_off);
if ( (frag_field & 0x3fff) != 0 )
if ( ip->IsFragment() )
// Never check any fragment.
return 0;
int ip_hdr_len = ip4->ip_hl * 4;
int ip_hdr_len = ip->HdrLen();
len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len;
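Review bot: The protocol filter after int proto = ip->NextProto() still admits only IPPROTO_TCP, IPPROTO_UDP and IPPROTO_ICMP. ICMPv6 uses protocol number 58, so IPv6 ICMP traffic returns 0 at "This is not a protocol we understand" and never reaches discarder_check_icmp, even though the rest of this function is now IP-version independent. Either add the ICMPv6 case or say in the comment that the ICMP discarder applies to IPv4 only.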
@ -87,7 +79,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
// Where the data starts - if this is a protocol we know about,
// this gets advanced past the transport header.
const u_char* data = ((u_char*) ip4 + ip_hdr_len);
const u_char* data = ip->Payload();
if ( is_tcp )
{
@ -97,8 +89,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
int th_len = tp->th_off * 4;
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(BuildHeader(tp, len));
args->append(ip->BuildPktHdrVal());
args->append(BuildData(data, th_len, len, caplen));
try
@ -123,8 +114,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
int uh_len = sizeof (struct udphdr);
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(BuildHeader(up));
args->append(ip->BuildPktHdrVal());
args->append(BuildData(data, uh_len, len, caplen));
try
@ -148,8 +138,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct icmp* ih = (const struct icmp*) data;
val_list* args = new val_list;
args->append(BuildHeader(ip4));
args->append(BuildHeader(ih));
args->append(ip->BuildPktHdrVal());
try
{
@ -168,62 +157,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
return discard_packet;
}
Val* Discarder::BuildHeader(const struct ip* ip)
{
RecordVal* hdr = new RecordVal(ip_hdr);
hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
hdr->Assign(2, new Val(ntohs(ip->ip_len), TYPE_COUNT));
hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
return hdr;
}
Val* Discarder::BuildHeader(const struct tcphdr* tp, int tcp_len)
{
RecordVal* hdr = new RecordVal(tcp_hdr);
hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
int tcp_hdr_len = tp->th_off * 4;
hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
hdr->Assign(5, new Val(tcp_len - tcp_hdr_len, TYPE_COUNT));
hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildHeader(const struct udphdr* up)
{
RecordVal* hdr = new RecordVal(udp_hdr);
hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildHeader(const struct icmp* icmp)
{
RecordVal* hdr = new RecordVal(icmp_hdr);
hdr->Assign(0, new Val(icmp->icmp_type, TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen)
{
len -= hdrlen;


@ -25,17 +25,8 @@ public:
int NextPacket(const IP_Hdr* ip, int len, int caplen);
protected:
Val* BuildHeader(const struct ip* ip);
Val* BuildHeader(const struct tcphdr* tp, int tcp_len);
Val* BuildHeader(const struct udphdr* up);
Val* BuildHeader(const struct icmp* icmp);
Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
RecordType* ip_hdr;
RecordType* tcp_hdr;
RecordType* udp_hdr;
RecordType* icmp_hdr;
Func* check_ip;
Func* check_tcp;
Func* check_udp;


@ -3633,151 +3633,6 @@ bool FieldAssignExpr::DoUnserialize(UnserialInfo* info)
return true;
}
RecordMatchExpr::RecordMatchExpr(Expr* op1 /* record to match */,
Expr* op2 /* cases to match against */)
: BinaryExpr(EXPR_MATCH, op1, op2)
{
BroType* result_type = 0;
// Make sure the second argument is of a suitable type.
if ( ! op2->Type()->IsSet() )
{
ExprError("matching must be done against a set of match records");
return;
}
type_list* elt_types = op2->Type()->AsSetType()->Indices()->Types();
if ( ! elt_types->length() ||
(*elt_types)[0]->Tag() != TYPE_RECORD )
{
ExprError("matching must be done against a set of match records");
return;
}
RecordType* case_rec_type = (*elt_types)[0]->AsRecordType();
// NOTE: The "result" and "pred" field names are hardcoded here.
result_field_index = case_rec_type->FieldOffset("result");
if ( result_field_index < 0 )
{
ExprError("match records must have a $result field");
return;
}
result_type = case_rec_type->FieldType("result")->Ref();
// Check that pred exists, and that the first argument matches it.
if ( (pred_field_index = case_rec_type->FieldOffset("pred")) < 0 ||
case_rec_type->FieldType("pred")->Tag() != TYPE_FUNC )
{
ExprError("match records must have a $pred' field of function type");
return;
}
FuncType* pred_type = case_rec_type->FieldType("pred")->AsFuncType();
type_list* pred_arg_types = pred_type->ArgTypes()->Types();
if ( pred_arg_types->length() != 1 ||
! check_and_promote_expr(op1, (*pred_arg_types)[0]) )
ExprError("record to match does not have the same type as predicate argument");
// NOTE: The "priority" field name is hardcoded here.
if ( (priority_field_index = case_rec_type->FieldOffset("priority")) >= 0 &&
! IsArithmetic(case_rec_type->FieldType("priority")->Tag()) )
ExprError("$priority field must have a numeric type");
SetType(result_type);
}
void RecordMatchExpr::ExprDescribe(ODesc* d) const
{
if ( d->IsReadable() )
{
d->Add("match ");
op1->Describe(d);
d->Add(" using ");
op2->Describe(d);
}
}
Val* RecordMatchExpr::Fold(Val* v1, Val* v2) const
{
TableVal* match_set = v2->AsTableVal();
if ( ! match_set )
Internal("non-table in RecordMatchExpr");
Val* return_val = 0;
double highest_priority = -1e100;
ListVal* match_recs = match_set->ConvertToList(TYPE_ANY);
for ( int i = 0; i < match_recs->Length(); ++i )
{
val_list args(1);
args.append(v1->Ref());
double this_priority = 0;
// ### Get rid of the double Index if TYPE_ANY->TYPE_RECORD.
Val* v = match_recs->Index(i)->AsListVal()->Index(0);
const RecordVal* match_rec = v->AsRecordVal();
if ( ! match_rec )
Internal("Element of match set is not a record");
if ( priority_field_index >= 0 )
{
this_priority =
match_rec->Lookup(priority_field_index)->CoerceToDouble();
if ( this_priority <= highest_priority )
{
Unref(v1);
continue;
}
}
// No try/catch here; we pass exceptions upstream.
Val* pred_val =
match_rec->Lookup(pred_field_index)->AsFunc()->Call(&args);
bool is_zero = pred_val->IsZero();
Unref(pred_val);
if ( ! is_zero )
{
Val* new_return_val =
match_rec->Lookup(result_field_index);
Unref(return_val);
return_val = new_return_val->Ref();
if ( priority_field_index >= 0 )
highest_priority = this_priority;
else
break;
}
}
Unref(match_recs);
return return_val;
}
IMPLEMENT_SERIAL(RecordMatchExpr, SER_RECORD_MATCH_EXPR);
bool RecordMatchExpr::DoSerialize(SerialInfo* info) const
{
DO_SERIALIZE(SER_RECORD_MATCH_EXPR, BinaryExpr);
return SERIALIZE(pred_field_index) && SERIALIZE(result_field_index) &&
SERIALIZE(priority_field_index);
}
bool RecordMatchExpr::DoUnserialize(UnserialInfo* info)
{
DO_UNSERIALIZE(BinaryExpr);
return UNSERIALIZE(&pred_field_index) && UNSERIALIZE(&result_field_index) &&
UNSERIALIZE(&priority_field_index);
}
ArithCoerceExpr::ArithCoerceExpr(Expr* arg_op, TypeTag t)
: UnaryExpr(EXPR_ARITH_COERCE, arg_op)
{


@ -823,32 +823,6 @@ protected:
string field_name;
};
class RecordMatchExpr : public BinaryExpr {
public:
RecordMatchExpr(Expr* op1 /* record to match */,
Expr* op2 /* cases to match against */);
protected:
friend class Expr;
RecordMatchExpr()
{
pred_field_index = result_field_index =
priority_field_index = 0;
}
virtual Val* Fold(Val* v1, Val* v2) const;
void ExprDescribe(ODesc*) const;
DECLARE_SERIAL(RecordMatchExpr);
// The following are used to hold the field offset of
// $pred, $result, $priority, so the names only need to
// be looked up at compile-time.
int pred_field_index;
int result_field_index;
int priority_field_index;
};
class ArithCoerceExpr : public UnaryExpr {
public:
ArithCoerceExpr(Expr* op, TypeTag t);


@ -27,21 +27,32 @@ void FragTimer::Dispatch(double t, int /* is_expire */)
FragReassembler::FragReassembler(NetSessions* arg_s,
const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field, HashKey* k, double t)
HashKey* k, double t)
: Reassembler(0, ip->DstAddr(), REASSEM_IP)
{
s = arg_s;
key = k;
const struct ip* ip4 = ip->IP4_Hdr();
proto_hdr_len = ip4->ip_hl * 4;
proto_hdr = (struct ip*) new u_char[64]; // max IP header + slop
if ( ip4 )
{
proto_hdr_len = ip->HdrLen();
proto_hdr = new u_char[64]; // max IP header + slop
// Don't do a structure copy - need to pick up options, too.
memcpy((void*) proto_hdr, (const void*) ip4, proto_hdr_len);
}
else
{
proto_hdr_len = ip->HdrLen() - 8; // minus length of fragment header
proto_hdr = new u_char[proto_hdr_len];
memcpy(proto_hdr, ip->IP6_Hdr(), proto_hdr_len);
}
reassembled_pkt = 0;
frag_size = 0; // flag meaning "not known"
next_proto = ip->NextProto();
AddFragment(t, ip, pkt, frag_field);
AddFragment(t, ip, pkt);
if ( frag_timeout != 0.0 )
{
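Review bot: In the IPv6 branch of the constructor, proto_hdr_len = ip->HdrLen() - 8 goes straight into new u_char[proto_hdr_len] and memcpy with no lower bound. The subtraction assumes HdrLen() always covers the fixed header plus a trailing 8-byte fragment header; add a check (or at least an assertion) that HdrLen() is at least 40 + 8 before subtracting, so a malformed chain cannot yield a negative or undersized length here. The comment should also say that the fragment header is expected to be the last header HdrLen() counts.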
@ -60,28 +71,42 @@ FragReassembler::~FragReassembler()
delete key;
}
void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field)
void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
{
const struct ip* ip4 = ip->IP4_Hdr();
if ( ip4->ip_p != proto_hdr->ip_p || ip4->ip_hl != proto_hdr->ip_hl )
if ( ip4 )
{
if ( ip4->ip_p != ((const struct ip*)proto_hdr)->ip_p ||
ip4->ip_hl != ((const struct ip*)proto_hdr)->ip_hl )
// || ip4->ip_tos != proto_hdr->ip_tos
// don't check TOS, there's at least one stack that actually
// uses different values, and it's hard to see an associated
// attack.
s->Weird("fragment_protocol_inconsistency", ip);
}
else
{
if ( ip->NextProto() != next_proto ||
ip->HdrLen() - 8 != proto_hdr_len )
s->Weird("fragment_protocol_inconsistency", ip);
// TODO: more detailed unfrag header consistency checks?
}
if ( frag_field & 0x4000 )
if ( ip->DF() )
// Linux MTU discovery for UDP can do this, for example.
s->Weird("fragment_with_DF", ip);
int offset = (ntohs(ip4->ip_off) & 0x1fff) * 8;
int len = ntohs(ip4->ip_len);
int hdr_len = proto_hdr->ip_hl * 4;
int offset = ip->FragOffset();
int len = ip->TotalLen();
int hdr_len = ip->HdrLen();
int upper_seq = offset + len - hdr_len;
if ( (frag_field & 0x2000) == 0 )
if ( ! offset )
// Make sure to use the first fragment header's next field.
next_proto = ip->NextProto();
if ( ! ip->MF() )
{
// Last fragment.
if ( frag_size == 0 )
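Review bot: The IPv6 branch of the consistency check compares only NextProto() and HdrLen() - 8 against the first fragment, as the TODO admits. Two fragments whose unfragmentable parts have the same length but different extension header contents pass silently, and the reassembled packet gets whichever copy the constructor stored in proto_hdr. Comparing the extension header bytes that follow the fixed 40-byte header against proto_hdr would close that gap; if that is deferred, turn the TODO into a tracked ticket reference. Note also that next_proto is overwritten by any offset-zero fragment after the check has already run against the old value.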
@ -193,8 +218,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
u_char* pkt = new u_char[n];
memcpy((void*) pkt, (const void*) proto_hdr, proto_hdr_len);
struct ip* reassem4 = (struct ip*) pkt;
reassem4->ip_len = htons(frag_size + proto_hdr_len);
u_char* pkt_start = pkt;
pkt += proto_hdr_len;
@ -214,7 +238,27 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
}
delete reassembled_pkt;
if ( ((const struct ip*)pkt_start)->ip_v == 4 )
{
struct ip* reassem4 = (struct ip*) pkt_start;
reassem4->ip_len = htons(frag_size + proto_hdr_len);
reassembled_pkt = new IP_Hdr(reassem4, true);
}
else if ( ((const struct ip*)pkt_start)->ip_v == 6 )
{
struct ip6_hdr* reassem6 = (struct ip6_hdr*) pkt_start;
reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40);
const IPv6_Hdr_Chain* chain = new IPv6_Hdr_Chain(reassem6, next_proto);
reassembled_pkt = new IP_Hdr(reassem6, true, chain);
}
else
{
reporter->InternalError("bad IP version in fragment reassembly");
}
DeleteTimer();
}
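Review bot: Both branches pass frag_size + proto_hdr_len (minus 40 for IPv6) to htons() without checking that the sum fits in 16 bits. frag_size is an int, so a set of fragments whose final offset plus length runs past 65535 makes ip_len / ip6_plen wrap while the buffer holds more data than the header claims. Raise a weird and abandon the reassembly when the sum exceeds 0xffff before writing the length field. Separately, the IPv6_Hdr_Chain allocated with new is handed to IP_Hdr through a const pointer; a comment on who deletes it would help.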


@ -20,11 +20,10 @@ typedef void (FragReassembler::*frag_timer_func)(double t);
class FragReassembler : public Reassembler {
public:
FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field, HashKey* k, double t);
HashKey* k, double t);
~FragReassembler();
void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field);
void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt);
void Expire(double t);
void DeleteTimer();
@ -37,11 +36,12 @@ protected:
void BlockInserted(DataBlock* start_block);
void Overlap(const u_char* b1, const u_char* b2, int n);
struct ip* proto_hdr;
u_char* proto_hdr;
IP_Hdr* reassembled_pkt;
int proto_hdr_len;
NetSessions* s;
int frag_size; // size of fully reassembled fragment
uint16 next_proto; // first IPv6 fragment header's next proto field
HashKey* key;
FragTimer* expire_timer;

382
src/IP.cc Normal file

@ -0,0 +1,382 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "IP.h"
#include "Type.h"
#include "Val.h"
#include "Var.h"
static RecordType* ip4_hdr_type = 0;
static RecordType* ip6_hdr_type = 0;
static RecordType* ip6_ext_hdr_type = 0;
static RecordType* ip6_option_type = 0;
static RecordType* ip6_hopopts_type = 0;
static RecordType* ip6_dstopts_type = 0;
static RecordType* ip6_routing_type = 0;
static RecordType* ip6_fragment_type = 0;
static RecordType* ip6_ah_type = 0;
static RecordType* ip6_esp_type = 0;
static inline RecordType* hdrType(RecordType*& type, const char* name)
{
if ( ! type )
type = internal_type(name)->AsRecordType();
return type;
}
static VectorVal* BuildOptionsVal(const u_char* data, uint16 len)
{
VectorVal* vv = new VectorVal(new VectorType(
hdrType(ip6_option_type, "ip6_option")->Ref()));
while ( len > 0 )
{
const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(ip6_option_type);
rv->Assign(0, new Val(opt->ip6o_type, TYPE_COUNT));
if ( opt->ip6o_type == 0 )
{
// Pad1 option
rv->Assign(1, new Val(0, TYPE_COUNT));
rv->Assign(2, new StringVal(""));
data += sizeof(uint8);
len -= sizeof(uint8);
}
else
{
// PadN or other option
uint16 off = 2 * sizeof(uint8);
rv->Assign(1, new Val(opt->ip6o_len, TYPE_COUNT));
rv->Assign(2, new StringVal(
new BroString(data + off, opt->ip6o_len, 1)));
data += opt->ip6o_len + off;
len -= opt->ip6o_len + off;
}
vv->Assign(vv->Size(), rv, 0);
}
return vv;
}
RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
RecordVal* rv = 0;
switch ( type ) {
case IPPROTO_IPV6:
{
rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, new Val((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20, TYPE_COUNT));
rv->Assign(1, new Val(ntohl(ip6->ip6_flow) & 0x000fffff, TYPE_COUNT));
rv->Assign(2, new Val(ntohs(ip6->ip6_plen), TYPE_COUNT));
rv->Assign(3, new Val(ip6->ip6_nxt, TYPE_COUNT));
rv->Assign(4, new Val(ip6->ip6_hlim, TYPE_COUNT));
rv->Assign(5, new AddrVal(ip6->ip6_src));
rv->Assign(6, new AddrVal(ip6->ip6_dst));
if ( ! chain )
chain = new VectorVal(new VectorType(
hdrType(ip6_ext_hdr_type, "ip6_ext_hdr")->Ref()));
rv->Assign(7, chain);
}
break;
case IPPROTO_HOPOPTS:
{
rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, new Val(hbh->ip6h_nxt, TYPE_COUNT));
rv->Assign(1, new Val(hbh->ip6h_len, TYPE_COUNT));
uint16 off = 2 * sizeof(uint8);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
break;
case IPPROTO_DSTOPTS:
{
rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, new Val(dst->ip6d_nxt, TYPE_COUNT));
rv->Assign(1, new Val(dst->ip6d_len, TYPE_COUNT));
uint16 off = 2 * sizeof(uint8);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
break;
case IPPROTO_ROUTING:
{
rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, new Val(rt->ip6r_nxt, TYPE_COUNT));
rv->Assign(1, new Val(rt->ip6r_len, TYPE_COUNT));
rv->Assign(2, new Val(rt->ip6r_type, TYPE_COUNT));
rv->Assign(3, new Val(rt->ip6r_segleft, TYPE_COUNT));
uint16 off = 4 * sizeof(uint8);
rv->Assign(4, new StringVal(new BroString(data + off, Length() - off, 1)));
}
break;
case IPPROTO_FRAGMENT:
{
rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, new Val(frag->ip6f_nxt, TYPE_COUNT));
rv->Assign(1, new Val(frag->ip6f_reserved, TYPE_COUNT));
rv->Assign(2, new Val((ntohs(frag->ip6f_offlg) & 0xfff8)>>3, TYPE_COUNT));
rv->Assign(3, new Val((ntohs(frag->ip6f_offlg) & 0x0006)>>1, TYPE_COUNT));
rv->Assign(4, new Val(ntohs(frag->ip6f_offlg) & 0x0001, TYPE_BOOL));
rv->Assign(5, new Val(ntohl(frag->ip6f_ident), TYPE_COUNT));
}
break;
case IPPROTO_AH:
{
rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
rv->Assign(0, new Val(((ip6_ext*)data)->ip6e_nxt, TYPE_COUNT));
rv->Assign(1, new Val(((ip6_ext*)data)->ip6e_len, TYPE_COUNT));
rv->Assign(2, new Val(ntohs(((uint16*)data)[1]), TYPE_COUNT));
rv->Assign(3, new Val(ntohl(((uint32*)data)[1]), TYPE_COUNT));
rv->Assign(4, new Val(ntohl(((uint32*)data)[2]), TYPE_COUNT));
uint16 off = 3 * sizeof(uint32);
rv->Assign(5, new StringVal(new BroString(data + off, Length() - off, 1)));
}
break;
case IPPROTO_ESP:
{
rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
const uint32* esp = (const uint32*)data;
rv->Assign(0, new Val(ntohl(esp[0]), TYPE_COUNT));
rv->Assign(1, new Val(ntohl(esp[1]), TYPE_COUNT));
}
break;
default:
break;
}
return rv;
}
RecordVal* IP_Hdr::BuildIPHdrVal() const
{
RecordVal* rval = 0;
if ( ip4 )
{
rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
rval->Assign(0, new Val(ip4->ip_hl * 4, TYPE_COUNT));
rval->Assign(1, new Val(ip4->ip_tos, TYPE_COUNT));
rval->Assign(2, new Val(ntohs(ip4->ip_len), TYPE_COUNT));
rval->Assign(3, new Val(ntohs(ip4->ip_id), TYPE_COUNT));
rval->Assign(4, new Val(ip4->ip_ttl, TYPE_COUNT));
rval->Assign(5, new Val(ip4->ip_p, TYPE_COUNT));
rval->Assign(6, new AddrVal(ip4->ip_src.s_addr));
rval->Assign(7, new AddrVal(ip4->ip_dst.s_addr));
}
else
{
rval = ((*ip6_hdrs)[0])->BuildRecordVal(ip6_hdrs->BuildVal());
}
return rval;
}
RecordVal* IP_Hdr::BuildPktHdrVal() const
{
static RecordType* pkt_hdr_type = 0;
static RecordType* tcp_hdr_type = 0;
static RecordType* udp_hdr_type = 0;
static RecordType* icmp_hdr_type = 0;
if ( ! pkt_hdr_type )
{
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
}
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
if ( ip4 )
pkt_hdr->Assign(0, BuildIPHdrVal());
else
pkt_hdr->Assign(1, BuildIPHdrVal());
// L4 header.
const u_char* data = Payload();
int proto = NextProto();
switch ( proto ) {
case IPPROTO_TCP:
{
const struct tcphdr* tp = (const struct tcphdr*) data;
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
pkt_hdr->Assign(2, tcp_hdr);
break;
}
case IPPROTO_UDP:
{
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(3, udp_hdr);
break;
}
case IPPROTO_ICMP:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(4, icmp_hdr);
break;
}
default:
{
// This is not a protocol we understand.
break;
}
}
return pkt_hdr;
}
static inline bool isIPv6ExtHeader(uint8 type)
{
switch (type) {
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
case IPPROTO_DSTOPTS:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
case IPPROTO_ESP:
return true;
default:
return false;
}
}
void IPv6_Hdr_Chain::Init(const struct ip6_hdr* ip6, bool set_next, uint16 next)
{
length = 0;
uint8 current_type, next_type;
next_type = IPPROTO_IPV6;
const u_char* hdrs = (const u_char*) ip6;
do
{
current_type = next_type;
IPv6_Hdr* p = new IPv6_Hdr(current_type, hdrs);
next_type = p->NextHdr();
uint16 len = p->Length();
if ( set_next && next_type == IPPROTO_FRAGMENT )
{
p->ChangeNext(next);
next_type = next;
}
chain.push_back(p);
// RFC 5095 deprecates routing type 0 headers, so raise weirds for that.
if ( current_type == IPPROTO_ROUTING &&
((const struct ip6_rthdr*)hdrs)->ip6r_type == 0 )
{
IPAddr src(((const struct ip6_hdr*)(chain[0]->Data()))->ip6_src);
if ( ((const struct ip6_rthdr*)hdrs)->ip6r_segleft > 0 )
{
const in6_addr* a = (const in6_addr*)(hdrs+len-16);
reporter->Weird(src, *a, "routing0_segleft");
}
else
{
IPAddr dst(((const struct ip6_hdr*)(chain[0]->Data()))->ip6_dst);
reporter->Weird(src, dst, "routing0_header");
}
}
hdrs += len;
length += len;
} while ( current_type != IPPROTO_FRAGMENT &&
current_type != IPPROTO_ESP &&
isIPv6ExtHeader(next_type) );
}
VectorVal* IPv6_Hdr_Chain::BuildVal() const
{
if ( ! ip6_ext_hdr_type )
{
ip6_ext_hdr_type = internal_type("ip6_ext_hdr")->AsRecordType();
ip6_hopopts_type = internal_type("ip6_hopopts")->AsRecordType();
ip6_dstopts_type = internal_type("ip6_dstopts")->AsRecordType();
ip6_routing_type = internal_type("ip6_routing")->AsRecordType();
ip6_fragment_type = internal_type("ip6_fragment")->AsRecordType();
ip6_ah_type = internal_type("ip6_ah")->AsRecordType();
ip6_esp_type = internal_type("ip6_esp")->AsRecordType();
}
VectorVal* rval = new VectorVal(new VectorType(ip6_ext_hdr_type->Ref()));
for ( size_t i = 1; i < chain.size(); ++i )
{
RecordVal* v = chain[i]->BuildRecordVal();
RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
uint8 type = chain[i]->Type();
ext_hdr->Assign(0, new Val(type, TYPE_COUNT));
switch (type) {
case IPPROTO_HOPOPTS:
ext_hdr->Assign(1, v);
break;
case IPPROTO_DSTOPTS:
ext_hdr->Assign(2, v);
break;
case IPPROTO_ROUTING:
ext_hdr->Assign(3, v);
break;
case IPPROTO_FRAGMENT:
ext_hdr->Assign(4, v);
break;
case IPPROTO_AH:
ext_hdr->Assign(5, v);
break;
case IPPROTO_ESP:
ext_hdr->Assign(6, v);
break;
default:
reporter->InternalError("IPv6_Hdr_Chain bad header %d", type);
break;
}
rval->Assign(rval->Size(), ext_hdr, 0);
}
return rval;
}
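
Review bot: BuildOptionsVal trusts ip6o_len: in the "PadN or other option" branch it copies ip6o_len bytes into the BroString and advances by ip6o_len + 2 without first checking that at least 2 bytes remain and that ip6o_len + 2 <= len, so a malformed option can read past the options area, and the `while ( len > 0 )` test only terminates cleanly if len is a signed type. Suggest validating both conditions before the copy and raising a weird when they fail. The same kind of assumption is in IPv6_Hdr_Chain::Init: `hdrs+len-16` expects the RH0 header to carry at least one address, but with an ip6r_len of 0 the header is 8 bytes long and the pointer lands before the start of the routing header.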

345
src/IP.h
View file

@ -4,23 +4,248 @@
#define ip_h
#include "config.h"
#include "net_util.h"
#include "IPAddr.h"
#include <net_util.h>
#include "Reporter.h"
#include "Val.h"
#include "Type.h"
#include <vector>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
/**
* Base class for IPv6 header/extensions.
*/
class IPv6_Hdr {
public:
/**
* Construct an IPv6 header or extension header from assigned type number.
*/
IPv6_Hdr(uint8 t, const u_char* d) : type(t), data(d) {}
/**
* Replace the value of the next protocol field.
*/
void ChangeNext(uint8 next_type)
{
switch ( type ) {
case IPPROTO_IPV6:
((ip6_hdr*)data)->ip6_nxt = next_type;
break;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
((ip6_ext*)data)->ip6e_nxt = next_type;
break;
case IPPROTO_ESP:
default:
break;
}
}
~IPv6_Hdr() {}
/**
* Returns the assigned IPv6 extension header type number of the header
* that immediately follows this one.
*/
uint8 NextHdr() const
{
switch ( type ) {
case IPPROTO_IPV6:
return ((ip6_hdr*)data)->ip6_nxt;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
return ((ip6_ext*)data)->ip6e_nxt;
case IPPROTO_ESP:
default:
return IPPROTO_NONE;
}
}
/**
* Returns the length of the header in bytes.
*/
uint16 Length() const
{
switch ( type ) {
case IPPROTO_IPV6:
return 40;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
return 8 + 8 * ((ip6_ext*)data)->ip6e_len;
case IPPROTO_FRAGMENT:
return 8;
case IPPROTO_AH:
return 8 + 4 * ((ip6_ext*)data)->ip6e_len;
case IPPROTO_ESP:
return 8; //encrypted payload begins after 8 bytes
default:
return 0;
}
}
/**
* Returns the RFC 1700 et seq. IANA assigned number for the header.
*/
uint8 Type() const { return type; }
/**
* Returns pointer to the start of where header structure resides in memory.
*/
const u_char* Data() const { return data; }
/**
* Returns the script-layer record representation of the header.
*/
RecordVal* BuildRecordVal(VectorVal* chain = 0) const;
protected:
uint8 type;
const u_char* data;
};
class IPv6_Hdr_Chain {
public:
/**
* Initializes the header chain from an IPv6 header structure.
*/
IPv6_Hdr_Chain(const struct ip6_hdr* ip6) { Init(ip6, false); }
~IPv6_Hdr_Chain()
{ for ( size_t i = 0; i < chain.size(); ++i ) delete chain[i]; }
/**
* Returns the number of headers in the chain.
*/
size_t Size() const { return chain.size(); }
/**
* Returns the sum of the length of all headers in the chain in bytes.
*/
uint16 TotalLength() const { return length; }
/**
* Accesses the header at the given location in the chain.
*/
const IPv6_Hdr* operator[](const size_t i) const { return chain[i]; }
/**
* Returns whether the header chain indicates a fragmented packet.
*/
bool IsFragment() const
{ return chain[chain.size()-1]->Type() == IPPROTO_FRAGMENT; }
/**
* Returns pointer to fragment header structure if the chain contains one.
*/
const struct ip6_frag* GetFragHdr() const
{ return IsFragment() ?
(const struct ip6_frag*)chain[chain.size()-1]->Data(): 0; }
/**
* If the header chain is a fragment, returns the offset in number of bytes
* relative to the start of the Fragmentable Part of the original packet.
*/
uint16 FragOffset() const
{ return IsFragment() ?
(ntohs(GetFragHdr()->ip6f_offlg) & 0xfff8) : 0; }
/**
* If the header chain is a fragment, returns the identification field.
*/
uint32 ID() const
{ return IsFragment() ? ntohl(GetFragHdr()->ip6f_ident) : 0; }
/**
* If the header chain is a fragment, returns the M (more fragments) flag.
*/
int MF() const
{ return IsFragment() ?
(ntohs(GetFragHdr()->ip6f_offlg) & 0x0001) != 0 : 0; }
/**
* Returns whether the chain contains a routing type 0 extension header
* with nonzero segments left.
*/
bool RH0SegLeft() const
{
for ( size_t i = 0; i < chain.size(); ++i )
if ( chain[i]->Type() == IPPROTO_ROUTING &&
((const struct ip6_rthdr*)chain[i]->Data())->ip6r_type == 0 &&
((const struct ip6_rthdr*)chain[i]->Data())->ip6r_segleft > 0 )
return true;
return false;
}
/**
* Returns a vector of ip6_ext_hdr RecordVals that includes script-layer
* representation of all extension headers in the chain.
*/
VectorVal* BuildVal() const;
protected:
// for access to protected ctor that changes next header values that
// point to a fragment
friend class FragReassembler;
/**
* Initializes the header chain from an IPv6 header structure, and replaces
* the first next protocol pointer field that points to a fragment header.
*/
IPv6_Hdr_Chain(const struct ip6_hdr* ip6, uint16 next)
{ Init(ip6, true, next); }
void Init(const struct ip6_hdr* ip6, bool set_next, uint16 next = 0);
vector<IPv6_Hdr*> chain;
uint16 length; // The summation of all header lengths in the chain in bytes.
};
class IP_Hdr {
public:
IP_Hdr(const u_char* p, bool arg_del)
: ip4(0), ip6(0), del(arg_del), ip6_hdrs(0)
{
if ( ((const struct ip*)p)->ip_v == 4 )
ip4 = (const struct ip*)p;
else if ( ((const struct ip*)p)->ip_v == 6 )
{
ip6 = (const struct ip6_hdr*)p;
ip6_hdrs = new IPv6_Hdr_Chain(ip6);
}
else
{
if ( arg_del )
delete [] p;
reporter->InternalError("bad IP version in IP_Hdr ctor");
}
}
IP_Hdr(const struct ip* arg_ip4, bool arg_del)
: ip4(arg_ip4), ip6(0), del(arg_del)
: ip4(arg_ip4), ip6(0), del(arg_del), ip6_hdrs(0)
{
}
IP_Hdr(const struct ip6_hdr* arg_ip6, bool arg_del)
: ip4(0), ip6(arg_ip6), del(arg_del)
IP_Hdr(const struct ip6_hdr* arg_ip6, bool arg_del,
const IPv6_Hdr_Chain* c = 0)
: ip4(0), ip6(arg_ip6), del(arg_del),
ip6_hdrs(c ? c : new IPv6_Hdr_Chain(ip6))
{
}
~IP_Hdr()
{
if ( ip6 )
delete ip6_hdrs;
if ( del )
{
if ( ip4 )
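
Review bot: IPv6_Hdr_Chain(const struct ip6_hdr* ip6) and the IP_Hdr constructors take no buffer length, so Init() can only walk the chain using the on-wire ip6e_len values returned by Length() and has no way to stop at the end of the captured data. Suggest passing the remaining captured length into the chain constructor and ending the walk (with a weird) as soon as a header would extend past it. Separately, ChangeNext() writes through `data`, which is declared `const u_char*`; the cast hides that the packet buffer is modified, so a comment on which callers own a writable copy would help.
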
@ -31,56 +256,130 @@ public:
}
const struct ip* IP4_Hdr() const { return ip4; }
const struct ip6_hdr* IP6_Hdr() const { return ip6; }
IPAddr SrcAddr() const
{ return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src); }
IPAddr DstAddr() const
{ return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst); }
//TODO: needs adapting/replacement for IPv6 support
uint16 ID4() const { return ip4 ? ip4->ip_id : 0; }
/**
* Returns a pointer to the payload of the IP packet, usually an
* upper-layer protocol.
*/
const u_char* Payload() const
{
if ( ip4 )
return ((const u_char*) ip4) + ip4->ip_hl * 4;
else
return ((const u_char*) ip6) + 40;
return ((const u_char*) ip6) + ip6_hdrs->TotalLength();
}
/**
* Returns the length of the IP packet's payload (length of packet minus
* header length or, for IPv6, also minus length of all extension headers).
*/
uint16 PayloadLen() const
{
if ( ip4 )
return ntohs(ip4->ip_len) - ip4->ip_hl * 4;
else
return ntohs(ip6->ip6_plen);
return ntohs(ip6->ip6_plen) + 40 - ip6_hdrs->TotalLength();
}
uint16 TotalLen() const
{
if ( ip4 )
return ntohs(ip4->ip_len);
else
return ntohs(ip6->ip6_plen) + 40;
}
/**
* Returns the length of the IP packet (length of headers and payload).
*/
uint32 TotalLen() const
{ return ip4 ? ntohs(ip4->ip_len) : ntohs(ip6->ip6_plen) + 40; }
uint16 HdrLen() const { return ip4 ? ip4->ip_hl * 4 : 40; }
/**
* Returns length of IP packet header (includes extension headers for IPv6).
*/
uint16 HdrLen() const
{ return ip4 ? ip4->ip_hl * 4 : ip6_hdrs->TotalLength(); }
/**
* For IPv6 header chains, returns the type of the last header in the chain.
*/
uint8 LastHeader() const
{ return ip4 ? IPPROTO_RAW :
((*ip6_hdrs)[ip6_hdrs->Size()-1])->Type(); }
/**
* Returns the protocol type of the IP packet's payload, usually an
* upper-layer protocol. For IPv6, this returns the last (extension)
* header's Next Header value.
*/
unsigned char NextProto() const
{ return ip4 ? ip4->ip_p : ip6->ip6_nxt; }
{ return ip4 ? ip4->ip_p :
((*ip6_hdrs)[ip6_hdrs->Size()-1])->NextHdr(); }
unsigned char TTL() const
{ return ip4 ? ip4->ip_ttl : ip6->ip6_hlim; }
uint16 FragField() const
{ return ntohs(ip4 ? ip4->ip_off : 0); }
bool IsFragment() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x3fff) != 0 :
ip6_hdrs->IsFragment(); }
/**
* Returns the fragment packet's offset in relation to the original
* packet in bytes.
*/
uint16 FragOffset() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x1fff) * 8 :
ip6_hdrs->FragOffset(); }
/**
* Returns the fragment packet's identification field.
*/
uint32 ID() const
{ return ip4 ? ntohs(ip4->ip_id) : ip6_hdrs->ID(); }
/**
* Returns whether a fragment packet's "More Fragments" field is set.
*/
int MF() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x2000) != 0 : ip6_hdrs->MF(); }
/**
* Returns whether a fragment packet's "Don't Fragment" field is set.
* Note that IPv6 has no such field.
*/
int DF() const
{ return ip4 ? ((ntohs(ip4->ip_off) & IP_DF) != 0) : 0; }
uint16 IP_ID() const
{ return ip4 ? (ntohs(ip4->ip_id)) : 0; }
{ return ip4 ? ((ntohs(ip4->ip_off) & 0x4000) != 0) : 0; }
/**
* Returns number of IP headers in packet (includes IPv6 extension headers).
*/
size_t NumHeaders() const
{ return ip4 ? 1 : ip6_hdrs->Size(); }
/**
* Returns true if this is an IPv6 header containing a routing type 0
* extension with nonzero segments left, else returns false.
*/
bool RH0SegLeft() const
{ return ip4 ? false : ip6_hdrs->RH0SegLeft(); }
/**
* Returns an ip_hdr or ip6_hdr_chain RecordVal.
*/
RecordVal* BuildIPHdrVal() const;
/**
* Returns a pkt_hdr RecordVal, which includes not only the IP header, but
* also upper-layer (tcp/udp/icmp) headers.
*/
RecordVal* BuildPktHdrVal() const;
private:
const struct ip* ip4;
const struct ip6_hdr* ip6;
bool del;
const IPv6_Hdr_Chain* ip6_hdrs;
};
#endif
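
Review bot: PayloadLen() for IPv6 returns `ntohs(ip6->ip6_plen) + 40 - ip6_hdrs->TotalLength()` as a uint16, so when the extension headers claim more bytes than ip6_plen covers the result wraps to a large value instead of signalling a bad packet. Suggest checking for TotalLength() > ip6_plen + 40 and returning 0 or flagging the packet in that case; callers such as BuildPktHdrVal() use PayloadLen() directly to compute the TCP data_len.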

View file

@ -6,6 +6,7 @@
#include "Reporter.h"
#include "Conn.h"
#include "DPM.h"
#include "bro_inet_ntop.h"
const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0,
0, 0, 0, 0,
@ -159,7 +160,7 @@ string IPAddr::AsString() const
{
char s[INET_ADDRSTRLEN];
if ( inet_ntop(AF_INET, &in6.s6_addr[12], s, INET_ADDRSTRLEN) == NULL )
if ( ! bro_inet_ntop(AF_INET, &in6.s6_addr[12], s, INET_ADDRSTRLEN) )
return "<bad IPv4 address conversion";
else
return s;
@ -168,7 +169,7 @@ string IPAddr::AsString() const
{
char s[INET6_ADDRSTRLEN];
if ( inet_ntop(AF_INET6, in6.s6_addr, s, INET6_ADDRSTRLEN) == NULL )
if ( ! bro_inet_ntop(AF_INET6, in6.s6_addr, s, INET6_ADDRSTRLEN) )
return "<bad IPv6 address conversion";
else
return s;

View file

@ -42,7 +42,6 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
PList(PktSrc) pkt_srcs;
// FIXME: We should really merge PktDumper and PacketDumper.
// It's on my to-do [Robin].
PktDumper* pkt_dumper = 0;
int reading_live = 0;

View file

@ -71,9 +71,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
{
// Caution! The packet sanity checks have not been performed yet
const struct ip* ip4 = ip.IP4_Hdr();
int ip_hdr_len = ip4->ip_hl * 4;
int ip_hdr_len = ip.HdrLen();
len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len;
@ -82,8 +80,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
// Packet too short, will be dropped anyway.
return false;
const struct tcphdr* tp =
(const struct tcphdr*) ((u_char*) ip4 + ip_hdr_len);
const struct tcphdr* tp = (const struct tcphdr*) ip.Payload();
if ( tp->th_flags & f.tcp_flags )
// At least one of the flags is set, so don't drop

View file

@ -28,12 +28,15 @@ PacketSortElement::PacketSortElement(PktSrc* arg_src,
const struct ip* ip = (const struct ip*) (pkt + hdr_size);
if ( ip->ip_v == 4 )
ip_hdr = new IP_Hdr(ip, false);
else
else if ( ip->ip_v == 6 )
ip_hdr = new IP_Hdr((const struct ip6_hdr*) ip, false);
else
// Weird will be generated later in NetSessions::NextPacket.
return;
if ( ip_hdr->NextProto() == IPPROTO_TCP &&
// Note: can't sort fragmented packets
(ip_hdr->FragField() & 0x3fff) == 0 )
( ! ip_hdr->IsFragment() ) )
{
tcp_offset = hdr_size + ip_hdr->HdrLen();
if ( caplen >= tcp_offset + sizeof(struct tcphdr) )

View file

@ -187,6 +187,7 @@
#include "threading/SerialTypes.h"
#include "logging/Manager.h"
#include "IPAddr.h"
#include "bro_inet_ntop.h"
extern "C" {
#include "setsignal.h"
@ -465,7 +466,7 @@ static inline const char* ip2a(uint32 ip)
addr.s_addr = htonl(ip);
return inet_ntop(AF_INET, &addr, buffer, 32);
return bro_inet_ntop(AF_INET, &addr, buffer, 32);
}
static pid_t child_pid = 0;

View file

@ -352,7 +352,6 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
const char* ext;
int ext_len;
line = skip_whitespace(line + ext_len, end_of_line);
get_word(end_of_line - line, line, ext_len, ext);
ProcessExtension(ext_len, ext);
}

View file

@ -125,7 +125,7 @@ SERIAL_EXPR(FIELD_EXPR, 22)
SERIAL_EXPR(HAS_FIELD_EXPR, 23)
SERIAL_EXPR(RECORD_CONSTRUCTOR_EXPR, 24)
SERIAL_EXPR(FIELD_ASSIGN_EXPR, 25)
SERIAL_EXPR(RECORD_MATCH_EXPR, 26)
// There used to be a SERIAL_EXPR(RECORD_MATCH_EXPR, 26) here
SERIAL_EXPR(ARITH_COERCE_EXPR, 27)
SERIAL_EXPR(RECORD_COERCE_EXPR, 28)
SERIAL_EXPR(FLATTEN_EXPR, 29)

View file

@ -125,7 +125,7 @@ protected:
// This will be increased whenever there is an incompatible change
// in the data format.
static const uint32 DATA_FORMAT_VERSION = 21;
static const uint32 DATA_FORMAT_VERSION = 22;
ChunkedIO* io;

View file

@ -332,7 +332,8 @@ void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr*
StringVal* cmd_val =
new StringVal(sp->Event()->Filter());
args->append(cmd_val);
args->append(BuildHeader(ip));
IP_Hdr ip_hdr(ip, false);
args->append(ip_hdr.BuildPktHdrVal());
// ### Need to queue event here.
try
{
@ -400,18 +401,6 @@ int NetSessions::CheckConnectionTag(Connection* conn)
return 1;
}
static bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr)
{
if ( (unsigned int) len < sizeof(struct ip) )
return false;
if ( ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len )
return true;
else
return false;
}
void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* ip_hdr, const u_char* const pkt,
int hdr_size)
@ -441,18 +430,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( discarder && discarder->NextPacket(ip_hdr, len, caplen) )
return;
int proto = ip_hdr->NextProto();
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
proto != IPPROTO_ICMP )
{
dump_this_packet = 1;
return;
}
FragReassembler* f = 0;
uint32 frag_field = ip_hdr->FragField();
if ( (frag_field & 0x3fff) != 0 )
if ( ip_hdr->IsFragment() )
{
dump_this_packet = 1; // always record fragments
@ -463,12 +443,12 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
// Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which
// is useful in analyzing header-only traces)
if ( (frag_field & 0x1fff) != 0 )
if ( ip_hdr->FragOffset() != 0 )
return;
}
else
{
f = NextFragment(t, ip_hdr, pkt + hdr_size, frag_field);
f = NextFragment(t, ip_hdr, pkt + hdr_size);
const IP_Hdr* ih = f->ReassembledPkt();
if ( ! ih )
// It didn't reassemble into anything yet.
@ -485,21 +465,43 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len;
uint32 min_hdr_len = (proto == IPPROTO_TCP) ? sizeof(struct tcphdr) :
(proto == IPPROTO_UDP ? sizeof(struct udphdr) : ICMP_MINLEN);
if ( len < min_hdr_len )
// We stop building the chain when seeing IPPROTO_ESP so if it's
// there, it's always the last.
if ( ip_hdr->LastHeader() == IPPROTO_ESP )
{
Weird("truncated_header", hdr, pkt);
if ( f )
Remove(f); // ###
dump_this_packet = 1;
if ( esp_packet )
{
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(esp_packet, vl);
}
Remove(f);
// Can't do more since upper-layer payloads are going to be encrypted.
return;
}
if ( caplen < min_hdr_len )
// Stop analyzing IPv6 packets that use routing type 0 headers with segments
// left since RH0 headers are deprecated by RFC 5095 and we'd have to make
// extra effort to get the destination in the connection/flow endpoint right.
if ( ip_hdr->RH0SegLeft() )
{
Weird("internally_truncated_header", hdr, pkt);
if ( f )
Remove(f); // ###
dump_this_packet = 1;
if ( rh0_segleft )
{
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(rh0_segleft, vl);
}
Remove(f);
return;
}
int proto = ip_hdr->NextProto();
if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) )
{
Remove(f);
return;
}
@ -548,7 +550,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
default:
Weird(fmt("unknown_protocol %d", proto), hdr, pkt);
Weird(fmt("unknown_protocol_%d", proto), hdr, pkt);
Remove(f);
return;
}
@ -574,6 +577,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( consistent < 0 )
{
delete h;
Remove(f);
return;
}
@ -592,10 +596,11 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
if ( ! conn )
{
delete h;
if ( ! conn )
Remove(f);
return;
}
int record_packet = 1; // whether to record the packet at all
int record_content = 1; // whether to record its data
@ -603,8 +608,17 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int is_orig = (id.src_addr == conn->OrigAddr()) &&
(id.src_port == conn->OrigPort());
if ( new_packet && ip4 )
conn->Event(new_packet, 0, BuildHeader(ip4));
Val* pkt_hdr_val = 0;
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->BuildPktHdrVal();
conn->Event(ipv6_ext_headers, 0, pkt_hdr_val);
}
if ( new_packet )
conn->Event(new_packet, 0,
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
record_packet, record_content,
@ -614,7 +628,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
{
// Above we already recorded the fragment in its entirety.
f->DeleteTimer();
Remove(f); // ###
Remove(f);
}
else if ( record_packet )
@ -630,104 +644,42 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
}
Val* NetSessions::BuildHeader(const struct ip* ip)
bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* h, const u_char* p)
{
static RecordType* pkt_hdr_type = 0;
static RecordType* ip_hdr_type = 0;
static RecordType* tcp_hdr_type = 0;
static RecordType* udp_hdr_type = 0;
static RecordType* icmp_hdr_type;
if ( ! pkt_hdr_type )
{
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
ip_hdr_type = internal_type("ip_hdr")->AsRecordType();
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
}
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
RecordVal* ip_hdr = new RecordVal(ip_hdr_type);
int ip_hdr_len = ip->ip_hl * 4;
int ip_pkt_len = ntohs(ip->ip_len);
ip_hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
ip_hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
ip_hdr->Assign(2, new Val(ip_pkt_len, TYPE_COUNT));
ip_hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
ip_hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
ip_hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
ip_hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
ip_hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
pkt_hdr->Assign(0, ip_hdr);
// L4 header.
const u_char* data = ((const u_char*) ip) + ip_hdr_len;
int proto = ip->ip_p;
uint32 min_hdr_len = 0;
switch ( proto ) {
case IPPROTO_TCP:
{
const struct tcphdr* tp = (const struct tcphdr*) data;
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
int tcp_hdr_len = tp->th_off * 4;
int data_len = ip_pkt_len - ip_hdr_len - tcp_hdr_len;
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
pkt_hdr->Assign(1, tcp_hdr);
min_hdr_len = sizeof(struct tcphdr);
break;
}
case IPPROTO_UDP:
{
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(2, udp_hdr);
min_hdr_len = sizeof(struct udphdr);
break;
}
case IPPROTO_ICMP:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(3, icmp_hdr);
break;
}
default:
{
// This is not a protocol we understand.
}
// Use for all other packets.
min_hdr_len = ICMP_MINLEN;
}
return pkt_hdr;
if ( len < min_hdr_len )
{
Weird("truncated_header", h, p);
return true;
}
if ( caplen < min_hdr_len )
{
Weird("internally_truncated_header", h, p);
return true;
}
return false;
}
FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field)
const u_char* pkt)
{
uint32 frag_id = ntohs(ip->ID4()); // we actually could skip conv.
uint32 frag_id = ip->ID();
ListVal* key = new ListVal(TYPE_ANY);
key->Append(new AddrVal(ip->SrcAddr()));
@ -741,7 +693,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
FragReassembler* f = fragments.Lookup(h);
if ( ! f )
{
f = new FragReassembler(this, ip, pkt, frag_field, h, t);
f = new FragReassembler(this, ip, pkt, h, t);
fragments.Insert(h, f);
Unref(key);
return f;
@ -750,7 +702,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
delete h;
Unref(key);
f->AddFragment(t, ip, pkt, frag_field);
f->AddFragment(t, ip, pkt);
return f;
}
@ -909,6 +861,7 @@ void NetSessions::Remove(Connection* c)
void NetSessions::Remove(FragReassembler* f)
{
if ( ! f ) return;
HashKey* k = f->Key();
if ( ! k )
reporter->InternalError("fragment block not in dictionary");

View file

@ -79,7 +79,7 @@ public:
// Returns a reassembled packet, or nil if there are still
// some missing fragments.
FragReassembler* NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field);
const u_char* pkt);
int Get_OS_From_SYN(struct os_type* retval,
uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
@ -190,10 +190,11 @@ protected:
void Internal(const char* msg, const struct pcap_pkthdr* hdr,
const u_char* pkt);
// Builds a record encapsulating a packet. This should be more
// general, including the equivalent of a union of tcp/udp/icmp
// headers .
Val* BuildHeader(const struct ip* ip);
// For a given protocol, checks whether the header's length as derived
// from lower-level headers or the length actually captured is less
// than that protocol's minimum header size.
bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* hdr, const u_char* pkt);
CompositeHash* ch;
PDict(Connection) tcp_conns;

View file

@ -1203,7 +1203,7 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
if ( ip->HdrLen() > 20 )
quirks |= QUIRK_IPOPT;
if ( ip->IP_ID() == 0 )
if ( ip->ID() == 0 )
quirks |= QUIRK_ZEROID;
if ( tcp->th_seq == 0 )
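
Review bot: with IP_Hdr::HdrLen() now returning the whole chain length for IPv6 (never less than 40), `ip->HdrLen() > 20` sets QUIRK_IPOPT on every IPv6 packet, and `ip->ID() == 0` sets QUIRK_ZEROID on every IPv6 packet without a fragment header, because ID() returns 0 there. Suggest applying both quirk tests only when ip->IP4_Hdr() is non-null.
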
@ -1942,11 +1942,11 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
{
if ( ++num_pkts == 1 )
{ // First packet.
last_id = ntohs(ip->ID4());
last_id = ip->ID();
return 0;
}
int id = ntohs(ip->ID4());
int id = ip->ID();
if ( id == last_id )
{
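
Review bot: `int id = ip->ID();` is 0 for every IPv6 packet that has no fragment header, so from the second packet onward `id == last_id` holds for all such flows and whatever this branch counts gets inflated. Suggest skipping the ID comparison for IPv6, and note that ID() is now a uint32 being stored in an int.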

View file

@ -2049,6 +2049,36 @@ function is_v6_addr%(a: addr%): bool
#
# ===========================================================================
## Converts the *data* field of :bro:type:`ip6_routing` records that have
## *rtype* of 0 into a vector of addresses.
##
## s: The *data* field of an :bro:type:`ip6_routing` record that has
## an *rtype* of 0.
##
## Returns: The vector of addresses contained in the routing header data.
function routing0_data_to_addrs%(s: string%): addr_vec
%{
VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_ADDR)));
int len = s->Len();
const u_char* bytes = s->Bytes();
bytes += 4; // go past 32-bit reserved field
len -= 4;
if ( ( len % 16 ) != 0 )
reporter->Warning("Bad ip6_routing data length: %d", s->Len());
while ( len > 0 )
{
IPAddr a(IPAddr::IPv6, (const uint32*) bytes, IPAddr::Network);
rval->Assign(rval->Size(), new AddrVal(a), 0);
bytes += 16;
len -= 16;
}
return rval;
%}
## Converts a :bro:type:`addr` to a :bro:type:`index_vec`.
##
## a: The address to convert into a vector of counts.
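
Review bot: routing0_data_to_addrs only warns when the remaining length is not a multiple of 16 and then still enters `while ( len > 0 )`, so the last iteration builds an IPAddr from fewer than 16 remaining bytes and reads past the end of the string. Suggest returning the vector right after the warning, or changing the loop condition to `len >= 16`, and documenting in the BIF comment what is returned for malformed data.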

189
src/bro_inet_ntop.c Normal file
View file

@ -0,0 +1,189 @@
/* Taken/adapted from FreeBSD 9.0.0 inet_ntop.c (CVS revision 1.3.16.1.2.1) */
/*
* Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 1996-1999 by Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "bro_inet_ntop.h"
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/*%
* WARNING: Don't even consider trying to compile this on a system where
* sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
*/
static const char *bro_inet_ntop4(const u_char *src, char *dst, socklen_t size);
static const char *bro_inet_ntop6(const u_char *src, char *dst, socklen_t size);
/* char *
* bro_inet_ntop(af, src, dst, size)
* convert a network format address to presentation format.
* return:
* pointer to presentation format address (`dst'), or NULL (see errno).
* author:
* Paul Vixie, 1996.
*/
const char *
bro_inet_ntop(int af, const void * __restrict src, char * __restrict dst,
socklen_t size)
{
switch (af) {
case AF_INET:
return (bro_inet_ntop4(src, dst, size));
case AF_INET6:
return (bro_inet_ntop6(src, dst, size));
default:
errno = EAFNOSUPPORT;
return (NULL);
}
/* NOTREACHED */
}
/* const char *
* bro_inet_ntop4(src, dst, size)
* format an IPv4 address
* return:
* `dst' (as a const)
* notes:
* (1) uses no statics
* (2) takes a u_char* not an in_addr as input
* author:
* Paul Vixie, 1996. Modified by Jon Siwek, 2012, to replace strlcpy
*/
static const char *
bro_inet_ntop4(const u_char *src, char *dst, socklen_t size)
{
static const char fmt[] = "%u.%u.%u.%u";
char tmp[sizeof "255.255.255.255"];
int l;
l = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
if (l <= 0 || (socklen_t) l >= size) {
errno = ENOSPC;
return (NULL);
}
strncpy(dst, tmp, size - 1);
dst[size - 1] = 0;
return (dst);
}
/* const char *
* bro_inet_ntop6(src, dst, size)
* convert IPv6 binary address into presentation (printable) format
* author:
* Paul Vixie, 1996. Modified by Jon Siwek, 2012, for IPv4-translated format
*/
static const char *
bro_inet_ntop6(const u_char *src, char *dst, socklen_t size)
{
/*
* Note that int32_t and int16_t need only be "at least" large enough
* to contain a value of the specified size. On some systems, like
* Crays, there is no such thing as an integer variable with 16 bits.
* Keep this in mind if you think this function should have been coded
* to use pointer overlays. All the world's not a VAX.
*/
char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
struct { int base, len; } best, cur;
u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
int i;
/*
* Preprocess:
* Copy the input (bytewise) array into a wordwise array.
* Find the longest run of 0x00's in src[] for :: shorthanding.
*/
memset(words, '\0', sizeof words);
for (i = 0; i < NS_IN6ADDRSZ; i++)
words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
best.base = -1;
best.len = 0;
cur.base = -1;
cur.len = 0;
for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
if (words[i] == 0) {
if (cur.base == -1)
cur.base = i, cur.len = 1;
else
cur.len++;
} else {
if (cur.base != -1) {
if (best.base == -1 || cur.len > best.len)
best = cur;
cur.base = -1;
}
}
}
if (cur.base != -1) {
if (best.base == -1 || cur.len > best.len)
best = cur;
}
if (best.base != -1 && best.len < 2)
best.base = -1;
/*
* Format the result.
*/
tp = tmp;
for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
/* Are we inside the best run of 0x00's? */
if (best.base != -1 && i >= best.base &&
i < (best.base + best.len)) {
if (i == best.base)
*tp++ = ':';
continue;
}
/* Are we following an initial run of 0x00s or any real hex? */
if (i != 0)
*tp++ = ':';
/* Is this address an encapsulated IPv4? */
if (i == 6 && best.base == 0 && (best.len == 6 ||
(best.len == 7 && words[7] != 0x0001) ||
(best.len == 5 && words[5] == 0xffff) ||
(best.len == 4 && words[4] == 0xffff && words[5] == 0))) {
if (!bro_inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
return (NULL);
tp += strlen(tp);
break;
}
tp += sprintf(tp, "%x", words[i]);
}
/* Was it a trailing run of 0x00's? */
if (best.base != -1 && (best.base + best.len) ==
(NS_IN6ADDRSZ / NS_INT16SZ))
*tp++ = ':';
*tp++ = '\0';
/*
* Check for overflow, copy, and we're done.
*/
if ((socklen_t)(tp - tmp) > size) {
errno = ENOSPC;
return (NULL);
}
strcpy(dst, tmp);
return (dst);
}
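Review bot: the encapsulated-IPv4 test in bro_inet_ntop6 contains the clause `(best.len == 4 && words[4] == 0xffff && words[5] == 0)`, presumably the local change the function header calls "IPv4-translated format", but nothing at that line marks it as a divergence from the FreeBSD source. Add a one-line comment there giving the address form it matches, so the change survives a later resync of this file. Separately, `tp += sprintf(tp, "%x", words[i]);` is bounded only by how tmp is sized; snprintf with the remaining space would make the bound explicit.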

18
src/bro_inet_ntop.h Normal file
View file

@ -0,0 +1,18 @@
#ifndef BRO_INET_NTOP_H
#define BRO_INET_NTOP_H
#ifdef __cplusplus
extern "C" {
#endif
#include <sys/socket.h>
const char *
bro_inet_ntop(int af, const void * __restrict src, char * __restrict dst,
socklen_t size);
#ifdef __cplusplus
}
#endif
#endif
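Review bot: `#include <sys/socket.h>` sits inside the `extern "C" {` block; move it above the `#ifdef __cplusplus` guard so this header never pulls a system header in under an explicit C linkage block. The prototype also uses `__restrict`, which is a compiler extension when the header is included from C++, so either drop the qualifier from the declaration or note which compilers are supported.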

View file

@ -454,11 +454,38 @@ event expected_connection_seen%(c: connection, a: count%);
##
## c: The connection the packet is part of.
##
## p: Informattion from the header of the packet that triggered the event.
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: tcp_packet packet_contents
event new_packet%(c: connection, p: pkt_hdr%);
## Generated for every IPv6 packet that contains extension headers.
## This is potentially an expensive event to handle if analysiing IPv6 traffic
## that happens to utilize extension headers frequently.
##
## c: The connection the packet is part of.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet packet_contents esp_packet
event ipv6_ext_headers%(c: connection, p: pkt_hdr%);
## Generated for any packets using the IPv6 Encapsulating Security Payload (ESP)
## extension header.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
event esp_packet%(p: pkt_hdr%);
## Generated for any packets using an IPv6 Routing Type 0 extension header
## with non-zero segments left.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
event rh0_segleft%(p: pkt_hdr%);
## Generated for every packet that has non-empty transport-layer payload. This is a
## very low-level and expensive event that should be avoided when at all possible.
## It's usually infeasible to handle when processing even medium volumes of
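Review bot: the new doc comment for ipv6_ext_headers has a typo, "analysiing" should be "analyzing". The esp_packet and rh0_segleft events take only `p: pkt_hdr` and no connection argument, unlike ipv6_ext_headers; say so in their doc comments, and state whether a connection exists at all for those packets, so handler authors know what state they can rely on.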

View file

@ -853,7 +853,7 @@ int main(int argc, char** argv)
if ( dns_type != DNS_PRIME )
net_init(interfaces, read_files, netflows, flow_files,
writefile, "tcp or udp or icmp",
writefile, "",
secondary_path->Filter(), do_watchdog);
BroFile::SetDefaultRotation(log_rotate_interval, log_max_size);
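Review bot: the empty string now passed to net_init() in place of "tcp or udp or icmp" reads like a forgotten argument. Add a comment at the call saying that the empty filter is intentional and accepts every packet, with any restriction left to the packet filter script framework, so nobody restores a default later that drops IPv6 packets with extension headers again.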

View file

@ -38,33 +38,6 @@ int ones_complement_checksum(const IPAddr& a, uint32 sum)
return ones_complement_checksum(bytes, len*4, sum);
}
int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len)
{
// ### Note, this is only correct for IPv4. This routine is only
// used by the connection compressor (which we turn off for IPv6
// traffic).
int tcp_len = tp->th_off * 4 + len;
uint32 sum;
if ( len % 2 == 1 )
// Add in pad byte.
sum = htons(((const u_char*) tp)[tcp_len - 1] << 8);
else
sum = 0;
sum = ones_complement_checksum((void*) &ip->ip_src.s_addr, 4, sum);
sum = ones_complement_checksum((void*) &ip->ip_dst.s_addr, 4, sum);
uint32 addl_pseudo =
(htons(IPPROTO_TCP) << 16) | htons((unsigned short) tcp_len);
sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
sum = ones_complement_checksum((void*) tp, tcp_len, sum);
return sum;
}
int udp_checksum(const struct ip* ip, const struct udphdr* up, int len)
{
uint32 sum;

View file

@ -70,7 +70,6 @@ class IPAddr;
extern int ones_complement_checksum(const void* p, int b, uint32 sum);
extern int ones_complement_checksum(const IPAddr& a, uint32 sum);
extern int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len);
extern int udp_checksum(const struct ip* ip, const struct udphdr* up, int len);
extern int udp6_checksum(const struct ip6_hdr* ip, const struct udphdr* up,
int len);

View file

@ -10,7 +10,7 @@
%token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE
%token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FILE TOK_FOR
%token TOK_FUNCTION TOK_GLOBAL TOK_ID TOK_IF TOK_INT
%token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE TOK_MATCH
%token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE
%token TOK_NEXT TOK_OF TOK_PATTERN TOK_PATTERN_TEXT
%token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF
%token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET
@ -33,7 +33,7 @@
%left ',' '|'
%right '=' TOK_ADD_TO TOK_REMOVE_FROM
%right '?' ':' TOK_USING
%right '?' ':'
%left TOK_OR
%left TOK_AND
%nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE
@ -504,12 +504,6 @@ expr:
$$ = new VectorConstructorExpr($3);
}
| TOK_MATCH expr TOK_USING expr
{
set_location(@1, @4);
$$ = new RecordMatchExpr($2, $4);
}
| expr '(' opt_expr_list ')'
{
set_location(@1, @4);
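Review bot: removing the `TOK_MATCH expr TOK_USING expr` production takes the match/using expression out of the script language, so any script that still uses it will now fail with a generic parse error. Mention the removal in the release notes, and make sure RecordMatchExpr has no remaining users once this rule is gone.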

View file

@ -18,7 +18,7 @@ WS [ \t]+
D [0-9]+
H [0-9a-fA-F]+
STRING \"([^\n\"]|\\\")*\"
ID [0-9a-zA-Z_-]+
ID ([0-9a-zA-Z_-]+::)*[0-9a-zA-Z_-]+
RE \/(\\\/)?([^/]|[^\\]\\\/)*\/
META \.[^ \t]+{WS}[^\n]+
PID ([0-9a-zA-Z_-]|"::")+
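Review bot: with the `::` prefix group added, names containing `::` are matched by both the new ID definition and by PID, `([0-9a-zA-Z_-]|"::")+`, so which token is returned for such a name depends on rule order and start conditions that this hunk does not show. Add a comment beside the two definitions stating which one is meant to win for a name such as a::b, and a test that pins it.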

View file

@ -228,6 +228,24 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
++yylloc.last_line;
}
/* IPv6 literal constant patterns */
"["({HEX}:){7}{HEX}"]" {
string s(yytext+1);
RET_CONST(new AddrVal(s.erase(s.size()-1)))
}
"["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]" {
string s(yytext+3);
RET_CONST(new AddrVal(s.erase(s.size()-1)))
}
"["({HEX}|:)*"::"({HEX}|:)*"]" {
string s(yytext+1);
RET_CONST(new AddrVal(s.erase(s.size()-1)))
}
"["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]" {
string s(yytext+1);
RET_CONST(new AddrVal(s.erase(s.size()-1)))
}
[!%*/+\-,:;<=>?()\[\]{}~$|] return yytext[0];
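Review bot: the third and fourth bracketed patterns are built from `({HEX}|:)*"::"({HEX}|:)*`, which accepts text that is not a valid address (a run of colons, or more than eight groups), so correctness rests entirely on what AddrVal does with the string. Make sure the AddrVal constructor reports an error at the literal's source location for such input instead of producing a default address. The `yytext+3` offset in the 0x form also deserves a short comment that it skips "[0x".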
"--" return TOK_DECR;
@ -273,7 +291,6 @@ int return TOK_INT;
interval return TOK_INTERVAL;
list return TOK_LIST;
local return TOK_LOCAL;
match return TOK_MATCH;
module return TOK_MODULE;
next return TOK_NEXT;
of return TOK_OF;
@ -295,7 +312,6 @@ timeout return TOK_TIMEOUT;
timer return TOK_TIMER;
type return TOK_TYPE;
union return TOK_UNION;
using return TOK_USING;
vector return TOK_VECTOR;
when return TOK_WHEN;
@ -450,11 +466,6 @@ F RET_CONST(new Val(false, TYPE_BOOL))
({D}"."){3}{D} RET_CONST(new AddrVal(yytext))
({HEX}:){7}{HEX} RET_CONST(new AddrVal(yytext))
0x{HEX}({HEX}|:)*"::"({HEX}|:)* RET_CONST(new AddrVal(yytext+2))
(({D}|:)({HEX}|:)*)?"::"({HEX}|:)* RET_CONST(new AddrVal(yytext))
"0x"{HEX}+ RET_CONST(new Val(static_cast<bro_uint_t>(strtol(yytext, 0, 16)), TYPE_COUNT))
{H}("."{H})+ RET_CONST(dns_mgr->LookupHost(yytext))
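Review bot: with the unbracketed IPv6 literal patterns removed from this rule group, an existing script that writes a bare IPv6 address will no longer lex as an address constant and will fail with an unrelated syntax error. Document the bracketed form as the replacement in the release notes, and consider keeping a rule that recognizes the old form only to emit a clear error pointing at the new syntax.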

View file

@ -1,3 +1,4 @@
.tmp
.btest.failed.dat
diag.log
coverage.log

View file

@ -0,0 +1,8 @@
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]

View file

@ -0,0 +1 @@
[2001:78:1:32::1, 2001:78:1:32::2]

View file

@ -0,0 +1,24 @@
################ IP Discarder ################
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
################ TCP Discarder ################
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
################ UDP Discarder ################
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
################ ICMP Discarder ################
Discard icmp packet: [icmp_type=3]

View file

@ -0,0 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z answers TTLs
#types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count vector[string] vector[interval]
1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR F T F T F 0 This TXT record should be ignored 1.000000
1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR F T F T F 0 This TXT record should be ignored 1.000000

View file

@ -0,0 +1,5 @@
ip6=[class=0, flow=0, len=81, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51850/udp, dport=53/udp, ulen=81]
ip6=[class=0, flow=0, len=331, nxt=17, hlim=53, src=2607:f740:b::f93, dst=2001:470:1f11:81f:d138:5f55:6d4:1fe2, exts=[]], udp = [sport=53/udp, dport=51850/udp, ulen=331]
ip6=[class=0, flow=0, len=82, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51851/udp, dport=53/udp, ulen=82]
ip6=[class=0, flow=0, len=82, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51851/udp, dport=53/udp, ulen=82]
ip6=[class=0, flow=0, len=3238, nxt=17, hlim=53, src=2607:f740:b::f93, dst=2001:470:1f11:81f:d138:5f55:6d4:1fe2, exts=[]], udp = [sport=53/udp, dport=51851/udp, ulen=3238]

View file

@ -0,0 +1,120 @@
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]

@ -0,0 +1 @@
[ip=<uninitialized>, ip6=[class=0, flow=0, len=68, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\0\0\0\0]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=6, len=4, rtype=0, segleft=0, data=\0\0\0\0 ^A\0x\0^A\02\0\0\0\0\0\0\0^A ^A\0x\0^A\02\0\0\0\0\0\0\0^B], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>]]], tcp=[sport=30000/tcp, dport=80/tcp, seq=0, ack=0, hl=20, dl=0, flags=2, win=8192], udp=<uninitialized>, icmp=<uninitialized>]

@ -0,0 +1,2 @@
flow_weird routing0_segleft from 2001:4f8:4:7:2e0:81ff:fe52:ffff to 2001:78:1:32::2
rh0 w/ segments left from 2001:4f8:4:7:2e0:81ff:fe52:ffff to 2001:4f8:4:7:2e0:81ff:fe52:9a6b

@ -0,0 +1,2 @@
flow_weird routing0_header from 2001:4f8:4:7:2e0:81ff:fe52:ffff to 2001:4f8:4:7:2e0:81ff:fe52:9a6b
new_connection: [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/tcp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=80/tcp]

@ -0,0 +1,24 @@
::1
::ffff
::255.255.255.255
::10.10.255.255
1::1
1::a
1::1:1
1::1:a
a::a
a::1
a::a:a
a::a:1
a:a::a
aaaa::ffff
192.168.1.100
ffff::c0a8:164
::192.168.1.100
::ffff:0:192.168.1.100
805b:2d9d:dc28::fc57:d4c8:1fff
aaaa::bbbb
aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222
aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222
aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222
aaaa:bbbb:cccc:dddd:eeee::2222

@ -1,3 +0,0 @@
default
it's big
it's really big

@ -6,13 +6,13 @@ all: cleanup btest-verbose coverage
# Showing all tests.
btest-verbose:
@$(BTEST) -f $(DIAG)
@$(BTEST) -j 5 -f $(DIAG)
brief: cleanup btest-brief coverage
# Brief output showing only failed tests.
btest-brief:
@$(BTEST) -b -f $(DIAG)
@$(BTEST) -j 5 -b -f $(DIAG)
coverage:
@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
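
Review bot: The job count is hard-coded as `-j 5` in both `btest-verbose` and `btest-brief`; put it in a variable (for example `BTEST_JOBS ?= 5`, used as `-j $(BTEST_JOBS)`) so build hosts with fewer or more cores can override it without editing the Makefile. Because `coverage` reads `.tmp/script-coverage*` after the run, it is also worth confirming that tests running in parallel never write to the same coverage file.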

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -3,7 +3,7 @@
global v: index_vec;
v = addr_to_counts(2001:0db8:85a3:0000:0000:8a2e:0370:7334);
v = addr_to_counts([2001:0db8:85a3:0000:0000:8a2e:0370:7334]);
print v;
print counts_to_addr(v);
v = addr_to_counts(1.2.3.4);

@ -1,6 +1,6 @@
# @TEST-EXEC: bro %INPUT >output
# @TEST-EXEC: btest-diff output
print addr_to_ptr_name(2607:f8b0:4009:802::1012);
print addr_to_ptr_name([2607:f8b0:4009:802::1012]);
print addr_to_ptr_name(74.125.225.52);

@ -2,6 +2,6 @@
# @TEST-EXEC: btest-diff out
print is_v4_addr(1.2.3.4);
print is_v4_addr(::1);
print is_v4_addr([::1]);
print is_v6_addr(1.2.3.4);
print is_v6_addr(::1);
print is_v6_addr([::1]);

@ -0,0 +1,13 @@
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
# @TEST-EXEC: btest-diff output
event bro_init()
{
install_src_addr_filter(141.142.220.118, TH_SYN, 100.0);
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$tcp && p$ip$src == 141.142.220.118 )
print c$id;
}
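
Review bot: In `new_packet`, `p$ip$src` is read after checking only `p?$tcp`, so a TCP packet carried over IPv6 would hit an unset field (the baselines in this change print `ip=<uninitialized>` for IPv6 packets). Guard the access with `p?$ip && p?$tcp && p$ip$src == 141.142.220.118` so the handler stays correct whatever the trace contains.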

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -b -r $TRACES/ipv6-hbh-rh0-segleft.trace %INPUT >output
# @TEST-EXEC: btest-diff output
event rh0_segleft(p: pkt_hdr)
{
for ( h in p$ip6$exts )
if ( p$ip6$exts[h]$id == IPPROTO_ROUTING )
if ( p$ip6$exts[h]$routing$rtype == 0 )
print routing0_data_to_addrs(p$ip6$exts[h]$routing$data);
}
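
Review bot: The `rh0_segleft` handler has no comment saying what the baseline is meant to show, while the other extension-header tests in this change carry a one-line description; add one stating that the addresses must print in routing-header order. The two nested `if` statements can also be merged into a single condition joined with `&&`, which reads more clearly without braces around the `for` body.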

@ -17,4 +17,4 @@ test_to_addr("10.20.30.40", 10.20.30.40);
test_to_addr("100.200.30.40", 100.200.30.40);
test_to_addr("10.0.0.0", 10.0.0.0);
test_to_addr("10.00.00.000", 10.0.0.0);
test_to_addr("not an IP", ::);
test_to_addr("not an IP", [::]);

@ -6,6 +6,6 @@ global sn: subnet;
sn = to_subnet("10.0.0.0/8");
print sn, sn == 10.0.0.0/8;
sn = to_subnet("2607:f8b0::/32");
print sn, sn == 2607:f8b0::/32;
print sn, sn == [2607:f8b0::]/32;
sn = to_subnet("10.0.0.0");
print sn, sn == ::/0;
print sn, sn == [::]/0;

@ -0,0 +1,92 @@
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output
# @TEST-EXEC: bro -C -r $TRACES/icmp-unreach.trace discarder-icmp.bro >>output
# @TEST-EXEC: btest-diff output
@TEST-START-FILE discarder-ip.bro
event bro_init()
{
print "################ IP Discarder ################";
}
function discarder_check_ip(p: pkt_hdr): bool
{
if ( p?$ip && p$ip$src == 141.142.220.118 && p$ip$dst == 208.80.152.2 )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-tcp.bro
event bro_init()
{
print "################ TCP Discarder ################";
}
function discarder_check_tcp(p: pkt_hdr, d: string): bool
{
if ( p$tcp$flags == TH_SYN )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$tcp )
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-udp.bro
event bro_init()
{
print "################ UDP Discarder ################";
}
function discarder_check_udp(p: pkt_hdr, d: string): bool
{
if ( p?$ip6 )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$udp )
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-icmp.bro
event bro_init()
{
print "################ ICMP Discarder ################";
}
function discarder_check_icmp(p: pkt_hdr): bool
{
print fmt("Discard icmp packet: %s", p$icmp);
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$icmp )
print c$id;
}
@TEST-END-FILE
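
Review bot: All four `@TEST-EXEC` runs replay `wikipedia.trace` or `icmp-unreach.trace`, so the `p?$ip6` branch in `discarder_check_udp` is only exercised if those traces happen to contain IPv6 packets; add a run against one of the IPv6 traces used elsewhere in this change (such as `ipv6-fragmented-dns.trace`) so the IP-version-independent path is actually covered. A one-line comment in each `discarder_check_*` function on what returning `T` versus `F` does to the packet would also make the expected baseline easier to verify by reading.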

@ -0,0 +1,9 @@
# @TEST-EXEC: bro -r $TRACES/ipv6-fragmented-dns.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff dns.log
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$ip6 && p?$ udp )
print fmt("ip6=%s, udp = %s", p$ip6, p$udp);
}
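
Review bot: The condition `p?$ip6 && p?$ udp` has a stray space after `?$`, and the format string mixes `ip6=%s` with `udp = %s`; write `p?$udp` and use one spacing style in the `fmt` call. Changing the format string means regenerating the `output` baseline in the same commit.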

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -r $TRACES/ip6_esp.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# Just check that the event is raised correctly for a packet containing
# ESP extension headers.
event esp_packet(p: pkt_hdr)
{
print p;
}
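
Review bot: `print p;` in `esp_packet` dumps the whole `pkt_hdr`, so every baseline line repeats all the `<uninitialized>` fields and the baseline will churn whenever an unrelated field is added to `pkt_hdr`. Printing `p$ip6$src`, `p$ip6$dst` and the `esp` record (`spi`, `seq`) would check the same behaviour with a smaller, more stable baseline; the `ipv6_ext_headers` test that follows has the same pattern.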

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -b -r $TRACES/ipv6-hbh-rh0-segleft0.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# Just check that the event is raised correctly for a packet containing
# extension headers.
event ipv6_ext_headers(c: connection, p: pkt_hdr)
{
print p;
}

@ -0,0 +1,22 @@
# @TEST-EXEC: bro -b -r $TRACES/ipv6-hbh-rh0-segleft0.trace %INPUT >segleft0.out
# @TEST-EXEC: btest-diff segleft0.out
# @TEST-EXEC: bro -b -r $TRACES/ipv6-hbh-rh0-segleft.trace %INPUT >segleft.out
# @TEST-EXEC: btest-diff segleft.out
# This will be raised only by the packet with RH0 and segments left.
event rh0_segleft(p: pkt_hdr)
{
print fmt("rh0 w/ segments left from %s to %s", p$ip6$src, p$ip6$dst);
}
# This will be raised only by the packet with RH0 and no segments left.
event new_connection(c: connection)
{
print fmt("new_connection: %s", c$id);
}
# This will be raised by any packet with RH0 regardless of segments left.
event flow_weird(name: string, src: addr, dst: addr)
{
print fmt("flow_weird %s from %s to %s", name, src, dst);
}
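
Review bot: The comment above `flow_weird` does not mention that its `dst` differs from `p$ip6$dst` in the segments-left case: the `segleft.out` baseline prints `2001:78:1:32::2` for `routing0_segleft` but `2001:4f8:4:7:2e0:81ff:fe52:9a6b` for the `rh0_segleft` line. Add a sentence saying where that `dst` value comes from, so a later reader does not take the mismatch for a regression.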

@ -0,0 +1,32 @@
# @TEST-EXEC: bro -b %INPUT >output
# @TEST-EXEC: btest-diff output
local v: vector of addr = vector();
v[|v|] = [::1];
v[|v|] = [::ffff];
v[|v|] = [::ffff:ffff];
v[|v|] = [::0a0a:ffff];
v[|v|] = [1::1];
v[|v|] = [1::a];
v[|v|] = [1::1:1];
v[|v|] = [1::1:a];
v[|v|] = [a::a];
v[|v|] = [a::1];
v[|v|] = [a::a:a];
v[|v|] = [a::a:1];
v[|v|] = [a:a::a];
v[|v|] = [aaaa:0::ffff];
v[|v|] = [::ffff:192.168.1.100];
v[|v|] = [ffff::192.168.1.100];
v[|v|] = [::192.168.1.100];
v[|v|] = [::ffff:0:192.168.1.100];
v[|v|] = [805B:2D9D:DC28::FC57:212.200.31.255];
v[|v|] = [0xaaaa::bbbb];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:0:0:2222];
for (i in v)
print v[i];
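
Review bot: Several literals in this list print in a different form than written, and the test does not say which conversions are intended. Per the 24-line baseline added in this change, `[::ffff:192.168.1.100]` comes out as plain `192.168.1.100`, `[::ffff:ffff]` as `::255.255.255.255`, and `[0xaaaa::bbbb]` is accepted with its `0x` prefix and printed as `aaaa::bbbb`. A short comment per group (IPv4-mapped, embedded dotted quad, hex prefix) would record that these are deliberate, which matters because scripts that compare addresses or call `is_v4_addr` depend on how the mapped form is normalized. The list also contains only valid literals; a companion case for a malformed bracketed address would pin down the parser's error behaviour.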

@ -1,20 +0,0 @@
# @TEST-EXEC: bro %INPUT >output 2>&1
# @TEST-EXEC: btest-diff output
global match_stuff = {
[$pred(a: count) = { return a > 5; },
$result = "it's big",
$priority = 2],
[$pred(a: count) = { return a > 15; },
$result = "it's really big",
$priority = 3],
[$pred(a: count) = { return T; },
$result = "default",
$priority = 0],
};
print match 0 using match_stuff;
print match 10 using match_stuff;
print match 20 using match_stuff;

@ -1,51 +0,0 @@
# @TEST-EXEC: bro %INPUT >output 2>&1
# @TEST-EXEC: btest-diff output
type fakealert : record {
alert: string;
};
type match_rec : record {
result : count;
pred : function(rec : fakealert) : bool;
priority: count;
};
#global test_set : set[int] =
#{
#1, 2, 3
#};
global match_set : set[match_rec] =
{
[$result = 1, $pred(a: fakealert) = { return T; }, $priority = 8 ],
[$result = 2, $pred(a: fakealert) = { return T; }, $priority = 9 ]
};
global al : fakealert;
#global testset : set[fakealert] =
#{
# [$alert="hithere"]
#};
type nonalert: record {
alert : string;
pred : function(a : int) : int;
};
#global na : nonalert;
#na$alert = "5";
#al$alert = "hithere2";
#if (al in testset)
# print 1;
#else
# print 0;
al$alert = "hi";
print (match al using match_set);

@ -20,7 +20,7 @@ type example_record: record {
};
global a: addr = 1.2.3.4;
global a6: addr = ::1;
global a6: addr = [::1];
global b: bool = T;
global c: count = 10;
global d: double = -1.23;