From 536686f02d898fc076db308424e62eaeb1c04d14 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Tue, 17 Oct 2023 12:15:59 +0200
Subject: [PATCH] gre-over-udp: Update testing pcap with both endpoints

The first pcap only contained packets from the originator, not the responder.

What stands out here is that the Linux kernel doesn't seem to use a symmetric
flow hash for the tunneled connection, resulting in a total of four tunnel
connections for the two inner connections. Sigh.
---
 .../core.tunnels.gre-over-udp/conn.log         |  10 ++++++----
 .../Baseline/core.tunnels.gre-over-udp/dns.log |   4 ++--
 .../core.tunnels.gre-over-udp/http.log         |   2 +-
 .../Traces/tunnels/gre-over-udp-4754.pcap      | Bin 960 -> 2110 bytes
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log b/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log
index a88f86cf2f..611d733f12 100644
--- a/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log
@@ -7,8 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.5	45690	1.1.1.1	53	udp	dns	0.000158	52	0	S0	T	F	0	D	2	108	0	0	ClEkJM2Vm5giqnMf4h
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	172.17.0.5	47478	192.0.78.150	80	tcp	http	0.090287	72	0	SH	T	F	0	SADF	6	332	0	0	ClEkJM2Vm5giqnMf4h
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.0.107	48282	192.168.5.1	4754	udp	-	0.000158	116	0	S0	T	T	0	D	2	172	0	0	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	192.168.0.107	49714	192.168.5.1	4754	udp	-	0.090287	356	0	S0	T	T	0	D	6	524	0	0	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.2	51714	1.1.1.1	53	udp	dns	0.054277	52	171	SF	T	F	0	Dd	2	108	2	227	ClEkJM2Vm5giqnMf4h
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	172.17.0.2	36518	192.0.78.150	80	tcp	http	0.107970	72	379	SF	T	F	0	ShADadFf	6	332	4	551	ClEkJM2Vm5giqnMf4h
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	192.168.0.107	36527	192.168.5.1	4754	udp	-	0.080847	567	0	S0	T	T	0	D	4	679	0	0	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	192.168.0.107	40987	192.168.5.1	4754	udp	-	0.108139	356	0	S0	T	T	0	D	6	524	0	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.0.107	50343	192.168.5.1	4754	udp	-	0.000089	116	0	S0	T	T	0	D	2	172	0	0	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	192.168.0.107	53571	192.168.5.1	4754	udp	-	0.000039	235	0	S0	T	T	0	D	2	291	0	0	-
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log b/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log
index 6d6e8f443b..c58d047749 100644
--- a/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log
+++ b/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log
@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.5	45690	1.1.1.1	53	udp	55478	-	zeek.org	1	C_INTERNET	1	A	-	-	F	F	T	F	0	-	-	F
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.5	45690	1.1.1.1	53	udp	42431	-	zeek.org	1	C_INTERNET	28	AAAA	-	-	F	F	T	F	0	-	-	F
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.2	51714	1.1.1.1	53	udp	63844	0.054238	zeek.org	1	C_INTERNET	1	A	0	NOERROR	F	F	T	T	0	192.0.78.150,192.0.78.212	52.000000,52.000000	F
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.2	51714	1.1.1.1	53	udp	12391	-	zeek.org	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	T	F	0	-	-	F
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.gre-over-udp/http.log b/testing/btest/Baseline/core.tunnels.gre-over-udp/http.log
index 1b272ce520..b8cf381fc9 100644
--- a/testing/btest/Baseline/core.tunnels.gre-over-udp/http.log
+++ b/testing/btest/Baseline/core.tunnels.gre-over-udp/http.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	172.17.0.5	47478	192.0.78.150	80	1	GET	zeek.org	/	-	-	curl/7.87.0	-	0	0	-	-	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	172.17.0.2	36518	192.0.78.150	80	1	GET	zeek.org	/	-	1.1	curl/7.87.0	-	0	162	301	Moved Permanently	-	-	(empty)	-	-	-	-	-	-	FUNuKw3T9FybXoo6P6	-	text/html
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tunnels/gre-over-udp-4754.pcap b/testing/btest/Traces/tunnels/gre-over-udp-4754.pcap
index cb450a68afd538dc95a77f5d3d7a3d6dfbb6d6c1..37bc81657a174236ac0edf42b5d3df5b9dd94316 100644
GIT binary patch
literal 2110
zcmaKsVQf=X6vxkNyD^?VvMzpDbjGJK2AJz>H%iA#9o=AVi6GS#qMJ(IUT?b6_PyG^
zR<_6(2Hj9t%+MLX2xN0iqakVhhUns^F?=K8lgWYv{b=-qkU(PaoZD7kOV^X!^xb>T
zy}$E6=iXjlEnIMb3(9u?K7fFe>0u9R_+$%2@tcO-nxG%xP$3tBkXv9Y%aB-EZV=Wk
zw#-2v#c}`6f$zw__qVUy;1JNRI=~N4-8^?Uisuso%{9ST!f9q=v?37mjrz<yXGS+<
ze$Sb=Dw$ut<Bip1wt+B%%!RE0CovlucH=tog<~Pu<!*Ye%)GV-b&gV8u?}--@(V4b
zk+|STrF}o#x*I()g{mABS*dg7VN#3BJHWL9FV0uZuTxG}F{jHILc?yH`E_BE=hRS<
z)29^2{b%OhBtQI8k<<A6``#GOiPztj6V?H9Xr!EkVR&Jak?rsWy8WBAx3W?E?(#Ww
z(~(PnyR<N7X04Q#wOFQ6OKB6P;nd9((eZ#b8NhiGT5>phX^N!0+zxOAoiyymQ+=&)
zoLVLvEK5267?yXC;<!K9zKH(Dh(V>LV$Ci=*qxXerik;7dw)GN3*c}yeB*L7iCdmL
zaF5mnr*jjL`#%QWDc&t|l#HJoDZCegfLlCNCeL0%a)?5>e+S?s(0J-mqVmRuXP4Nv
zcUO@<GS!l4_N;R9X+dx~khqzM(mcKlJb{MY_=$ssX|7c(6S-F8l!#l~Kj&IcRB0VS
z>RPy2xO3wa08!SF@)_=;VK+|surR|Ztre8FDUSQo?Ms}}U6ax(+<ATmV4y!DEAn6@
z5>|X3pCk@q$5okLs|R1JBp%GNOh<2w8MvzFGD#)i=?-|jlGv;3ERBoXmF<!!iIi=q
zO{iCs4|o?|FK5fUV5`aKW$MB+iK;HFVHXy{&7l7JPq8KwNV$ghkA~eyv#?q?O_Zja
zc8YL`;<$fd^jo4l{bx-|E2zK!0Z^`n+~xJj`^`Ly%3+pCX$DpyIWCDqER$y$RW@RA
z<ESL=)hwpUksNzg_66hvx+QmdJG*4>F4Z4UJG<q9{SisrV;UB2?}&`2G1y{9EoIC~
zCI5HqV@AvxQ)S=IPQGX`-HMxrDkm6AcWB9Yo=M_9Q`d^CW0sZ9s)|zXlp=|*bZELN
z`#oAJD<9S@GZohl(|6yi;ohMkYEqDpJ@m`8Xiw0JTS?YaQ)EynI)e%i#Vw;|bey*8
zsDfpBf@8jocA_V!l){LG!KE25nBAw8PvynH<LMe5dA#m5I>RshNV&leJgtlT(jTw7
z^b2g;^lp4wf3N>syhf8x)TPXF%J7DiWlou_NpTCe*MBNf9>H5$=WpUHe-i)wB|h*Z
xuJ9)jue_|&yYWdZhTWjvm?~1P)TeyJwL~`5@&(s&tV+uwRxE@SyS@G+z`vzs?-&38

literal 960
zcmca|c+)~A1{MYcU}0bca^m!5Q*UQ*F{A+5AdCz+7+e_`!n}7lFgOTiC>>bAkbPhU
zE90J7LX#MrK<dEqW@7vx`LYRX1Q}QvfnZY=gDHcO<mDUNfaZg&00Ne()YNR|{GxP_
z2qVbO%1pd=?gZPZh|^91u$}#=cKWPex*w~ZG7vipUUD&H0bK*a$N=n*81I8%JB49(
z9x?*@(*vXqEN^469w^V|o&d7*0E6GOon;IGkM&}wgH$YF`t_l@je&uQg>?%H69?Db
z{dWBzaYkllc93ts6>&3!0r?<|48SIPcpnAZtc+r_2}m7SUc+Jo*ydt1n`gW{$+;*%
zfbkov1tcCVin$r)0d;{eG60)0!TT7<mh@XFw$y;sf#nM<HiB)@!fJ~I<F_0$1_pQ6
z5Cwe&kC2c6eM3D%UM`RP;u0$bP~_?XBbS#ev^cd$*D*ac4=9>kT9l)2u4iGcXTZzl
zn4Fwi02I{H*W%^k<pPCC=u5m|at0hGGAOP^4wFq_*A}9=_QA`O+_Jzh`NCWd36o>^
zZ8;0JMH;6qo58jeV6{b%@hfvF#1?rk9(?h84s44QPFuEsZOKQo<sr~7azMX)WiDZ0
F004Tt(GdUu