Fixes for IPv6 truncation and ICMP/ICMP6 analysis.

- Add more guards against trying to analyze captured packets with a
  truncated IPv6 static header or extension header chain.

- Add back in the ICMP payload tracking for ICMP "connections".

- Fix 'icmp_context' record construction.  Some field assignments
  were mismatched for ICMP and ICMP6.  Source and destination
  addresses were set incorrectly for context packets that don't
  contain a full IP header.  Some fields for ICMP6 weren't filled out.

- Changed ICMP Time Exceeded packets to raise the 'icmp_time_exceeded'
  event instead of 'icmp_error_message'.

- Add unit tests for truncation and the main types of ICMP/ICMP6
  that have specific events.

- Documentation clarifications.

testing/btest/Baseline/core.icmp.icmp-context/output

@@ -0,0 +1,12 @@
+icmp_unreachable (code=0)
+  conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=3, icode=0, len=0, v6=F]
+  icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+icmp_unreachable (code=0)
+  conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=3, icode=0, len=20, v6=F]
+  icmp_context: [id=[orig_h=10.0.0.2, orig_p=0/unknown, resp_h=10.0.0.1, resp_p=0/unknown], len=20, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+icmp_unreachable (code=3)
+  conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp]
+  icmp_conn: [orig_h=192.168.1.102, resp_h=192.168.1.1, itype=3, icode=3, len=148, v6=F]
+  icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]

testing/btest/Baseline/core.icmp.icmp-events/output

@@ -0,0 +1,20 @@
+icmp_unreachable (code=3)
+  conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp]
+  icmp_conn: [orig_h=192.168.1.102, resp_h=192.168.1.1, itype=3, icode=3, len=148, v6=F]
+  icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_time_exceeded (code=0)
+  conn_id: [orig_h=10.0.0.1, orig_p=11/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=11, icode=0, len=32, v6=F]
+  icmp_context: [id=[orig_h=10.0.0.2, orig_p=30000/udp, resp_h=10.0.0.1, resp_p=13000/udp], len=32, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_echo_request (id=34844, seq=0, payload=O\x85\xe0C\0^N\xeb\xff^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, v6=F]
+icmp_echo_reply (id=34844, seq=0, payload=O\x85\xe0C\0^N\xeb\xff^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, v6=F]
+icmp_echo_request (id=34844, seq=1, payload=O\x85\xe0D\0^N\xf0}^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, v6=F]
+icmp_echo_reply (id=34844, seq=1, payload=O\x85\xe0D\0^N\xf0}^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, v6=F]

testing/btest/Baseline/core.icmp.icmp6-context/output

@@ -0,0 +1,16 @@
+icmp_unreachable (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=0, v6=T]
+  icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+icmp_unreachable (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=40, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+icmp_unreachable (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=60, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_unreachable (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=48, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]

testing/btest/Baseline/core.icmp.icmp6-events/output

@@ -0,0 +1,55 @@
+icmp_unreachable (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=60, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_packet_too_big (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=2/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=2, icode=0, len=52, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_time_exceeded (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=3/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=3, icode=0, len=52, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_parameter_problem (code=0)
+  conn_id: [orig_h=fe80::dead, orig_p=4/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=4, icode=0, len=52, v6=T]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+icmp_echo_request (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_reply (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_request (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_reply (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_request (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_reply (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_request (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, v6=T]
+icmp_redirect (tgt=fe80::cafe, dest=fe80::babe)
+  conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=137, icode=0, len=32, v6=T]
+icmp_router_advertisement (hop_limit=0, managed=F, rlifetime=1800, reachable=0.000000, retrans=0.000000)
+  conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=134, icode=0, len=8, v6=T]
+icmp_neighbor_advertisement (tgt=fe80::babe)
+  conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=136, icode=0, len=16, v6=T]
+icmp_router_solicitation
+  conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=133, icode=0, len=0, v6=T]
+icmp_neighbor_solicitation (tgt=fe80::babe)
+  conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp]
+  icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=135, icode=0, len=16, v6=T]

testing/btest/Baseline/core.truncation/output

@@ -0,0 +1,3 @@
+1334160095.895421 weird: truncated_IP
+1334156241.519125 weird: truncated_IP
+1334094648.590126 weird: truncated_IP

testing/btest/core/discarder.bro

@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output
-# @TEST-EXEC: bro -C -r $TRACES/icmp-unreach.trace discarder-icmp.bro >>output
+# @TEST-EXEC: bro -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.bro >>output
 # @TEST-EXEC: btest-diff output
 
 @TEST-START-FILE discarder-ip.bro

testing/btest/core/icmp/icmp-context.test

@@ -0,0 +1,14 @@
+# These tests all check that IPv6 context packet construction for ICMP6 works.
+
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp-destunreach-no-context.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp-destunreach-ip.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp-destunreach-udp.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+
+event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_unreachable (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }

testing/btest/core/icmp/icmp-events.test

@@ -0,0 +1,44 @@
+# These tests all check that ICMP6 events get raised with correct arguments.
+
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp-destunreach-udp.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp-timeexceeded.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp-ping.pcap %INPUT >>output 2>&1
+
+# @TEST-EXEC: btest-diff output
+
+event icmp_sent(c: connection, icmp: icmp_conn)
+    {
+    print "icmp_sent";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+    {
+    print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+    {
+    print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_unreachable (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }
+
+event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }

testing/btest/core/icmp/icmp6-context.test

@@ -0,0 +1,15 @@
+# These tests all check that IPv6 context packet construction for ICMP6 works.
+
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-destunreach-no-context.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-destunreach-ip6ext-trunc.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-destunreach-ip6ext-udp.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-destunreach-ip6ext.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+
+event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_unreachable (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }

testing/btest/core/icmp/icmp6-events.test

@@ -0,0 +1,110 @@
+# These tests all check that ICMP6 events get raised with correct arguments.
+
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-destunreach-ip6ext-udp.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-toobig.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-timeexceeded.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-paramprob.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-ping.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-redirect.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-router-advert.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-neighbor-advert.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-router-solicit.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT >>output 2>&1
+
+# @TEST-EXEC: btest-diff output
+
+event icmp_sent(c: connection, icmp: icmp_conn)
+    {
+    print "icmp_sent";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+    {
+    print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+    {
+    print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_unreachable (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }
+
+event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_packet_too_big (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }
+
+event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }
+
+event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_parameter_problem (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }
+
+event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr)
+    {
+    print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+    {
+    print "icmp_error_message (code=" + fmt("%d", code) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    print "  icmp_context: " + fmt("%s", context);
+    }
+
+event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr)
+    {
+    print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, tgt:addr)
+    {
+    print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_router_solicitation(c: connection, icmp: icmp_conn)
+    {
+    print "icmp_router_solicitation";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }
+
+event icmp_router_advertisement(c: connection, icmp: icmp_conn, hop_limit: count, managed: bool, router_lifetime: count, reachable_time: interval, retrans_timer: interval)
+    {
+    print "icmp_router_advertisement (hop_limit=" + fmt("%d", hop_limit) + ", managed=" + fmt("%s", managed) + ", rlifetime=" + fmt("%d", router_lifetime) + ", reachable=" + fmt("%f", reachable_time) + ", retrans=" + fmt("%f", retrans_timer) + ")";
+    print "  conn_id: " + fmt("%s", c$id);
+    print "  icmp_conn: " + fmt("%s", icmp);
+    }

testing/btest/core/truncation.test

@@ -0,0 +1,6 @@
+# Truncated IP packet's should not be analyzed, and generate truncated_IP weird
+
+# @TEST-EXEC: bro -b -r $TRACES/trunc/ip4-trunc.pcap >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/trunc/ip6-trunc.pcap >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/trunc/ip6-ext-trunc.pcap >>output 2>&1
+# @TEST-EXEC: btest-diff output