quic: Squashed follow-ups: quic.log, tests, various fixes, performance

testing/btest/scripts/base/protocols/quic/chromium.zeek

@@ -0,0 +1,6 @@
+# @TEST-DOC: Test that runs the pcap
+# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log

testing/btest/scripts/base/protocols/quic/curl-http3.zeek

@@ -0,0 +1,6 @@
+# @TEST-DOC: Test that runs the pcap
+# @TEST-EXEC: zeek -Cr $TRACES/quic/curl-8.1.2-dev-http3-www-google-de.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log

testing/btest/scripts/base/protocols/quic/events.zeek

@@ -0,0 +1,29 @@
+# @TEST-DOC: Supported events so far.
+# @TEST-REQUIRES: zeek -b -e 'print PacketAnalyzer::ANALYZER_PPP ==  PacketAnalyzer::ANALYZER_PPP'
+# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic %INPUT >out
+# @TEST-EXEC: echo "zerortt.pcap" >>out
+# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic %INPUT >>out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff .stderr
+#
+
+function b2hex(s: string):string { return bytestring_to_hexstr(s); }
+
+event QUIC::initial_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
+	{
+	print network_time(), "initial_packet", c$uid, is_orig, version, b2hex(dcid), b2hex(scid);
+	}
+
+event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, integrity_tag: string)
+	{
+	print network_time(), "retry_packet", c$uid, is_orig, version, b2hex(dcid), b2hex(scid), |retry_token|, b2hex(integrity_tag);
+	}
+
+event QUIC::handshake_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
+	{
+	print network_time(), "handshake_packet", is_orig, c$uid, version, b2hex(dcid), b2hex(scid);
+	}
+event QUIC::zero_rtt_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
+	{
+	print network_time(), "zero_rtt_packet", is_orig, c$uid, version, b2hex(dcid), b2hex(scid);
+	}

testing/btest/scripts/base/protocols/quic/firefox.zeek

@@ -0,0 +1,6 @@
+# @TEST-DOC: Test that runs the pcap
+# @TEST-EXEC: zeek -Cr $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log

testing/btest/scripts/base/protocols/quic/fragmented-crypto.zeek

@@ -0,0 +1,7 @@
+# @TEST-DOC: Pcap with fragmented and unordered CRYPTO frames.
+#
+# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-google-de-fragmented.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid version cipher curve server_name resumed last_alert next_protocol established ssl_history < ssl.log > ssl.log.cut
+# @TEST-EXEC: btest-diff ssl.log.cut

testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/handshake.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test interop pcap containing RETRY packet from server side.
+#
+# interop pcaps have link type DLT_PPP, test for its availability. Available in Zeek 6.1 or later only.
+# @TEST-REQUIRES: zeek -b -e 'print PacketAnalyzer::ANALYZER_PPP ==  PacketAnalyzer::ANALYZER_PPP'
+#
+# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/handshake.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log
+# @TEST-EXEC: btest-diff .stderr
+# @TEST-EXEC: test ! -f analyzer.log

testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/retry.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test interop pcap containing RETRY packet from server side.
+#
+# interop pcaps have link type DLT_PPP, test for its availability. Available in Zeek 6.1 or later only.
+# @TEST-REQUIRES: zeek -b -e 'print PacketAnalyzer::ANALYZER_PPP ==  PacketAnalyzer::ANALYZER_PPP'
+#
+# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log
+# @TEST-EXEC: btest-diff .stderr
+# @TEST-EXEC: test ! -f analyzer.log

testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/zerortt.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test that client initiating connection using 0RTT packet doesn't cause analyzer errors trying to decrypt server side.
+#
+# interop pcaps have link type DLT_PPP, test for its availability. Available in Zeek 6.1 or later only.
+# @TEST-REQUIRES: zeek -b -e 'print PacketAnalyzer::ANALYZER_PPP ==  PacketAnalyzer::ANALYZER_PPP'
+#
+# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log
+# @TEST-EXEC: btest-diff .stderr
+# @TEST-EXEC: test ! -f analyzer.log

testing/btest/scripts/base/protocols/quic/quic-log.zeek

@@ -0,0 +1,5 @@
+# @TEST-DOC: Smoke test the quic.log production
+#
+# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-google-de-fragmented.pcap base/protocols/quic
+# @TEST-EXEC: btest-diff quic.log
+# @TEST-EXEC: btest-diff .stderr

testing/btest/scripts/base/protocols/quic/quicdoq.zeek

@@ -0,0 +1,6 @@
+# @TEST-DOC: Pcap with dns-over-quic lookup using https://github.com/private-octopus/quicdoq
+# @TEST-EXEC: zeek -Cr $TRACES/quic/quicdoq.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log

testing/btest/scripts/base/protocols/quic/run-pcap.zeek

@@ -1,4 +1,5 @@
 # @TEST-DOC: Test that runs the pcap
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic_win11_firefox_google.pcap base/protocols/quic >output
-# @TEST-EXEC: btest-diff conn.log
-# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: zeek -Cr $TRACES/quic/quic_win11_firefox_google.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log

testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek

@@ -0,0 +1,9 @@
+# @TEST-DOC: Test that runs the pcap
+# @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+# Only run btest-ddiff on analyzer.log with 6.1-dev or later. The violation
+# reporting has more detail in later versions.
+# @TEST-EXEC: zeek -b -e 'exit(Version::info$version_number < 60100 ? 0 : 1)' || TEST_DIFF_CANONIFIER='sed -r "s/\((.+)\.spicy:[0-9]+:[0-9]+\)/(\1.spicy:<line>:<column>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut