mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 17:18:20 +00:00
gre-over-udp: Update testing pcap with both endpoints
The first pcap only contained packets from the originator, not the responder. What stands out here is that the Linux kernel doesn't seem to use a symmetric flow hash for the tunneled connection, resulting in a total of four tunnel connections for the two inner connections. Sigh.
parent
ae0f8677b3
commit
536686f02d
4 changed files with 9 additions and 7 deletions
|
@ -7,8 +7,10 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.5 45690 1.1.1.1 53 udp dns 0.000158 52 0 S0 T F 0 D 2 108 0 0 ClEkJM2Vm5giqnMf4h
|
||||
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 172.17.0.5 47478 192.0.78.150 80 tcp http 0.090287 72 0 SH T F 0 SADF 6 332 0 0 ClEkJM2Vm5giqnMf4h
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.107 48282 192.168.5.1 4754 udp - 0.000158 116 0 S0 T T 0 D 2 172 0 0 -
|
||||
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.0.107 49714 192.168.5.1 4754 udp - 0.090287 356 0 S0 T T 0 D 6 524 0 0 -
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp dns 0.054277 52 171 SF T F 0 Dd 2 108 2 227 ClEkJM2Vm5giqnMf4h
|
||||
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.17.0.2 36518 192.0.78.150 80 tcp http 0.107970 72 379 SF T F 0 ShADadFf 6 332 4 551 ClEkJM2Vm5giqnMf4h
|
||||
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 192.168.0.107 36527 192.168.5.1 4754 udp - 0.080847 567 0 S0 T T 0 D 4 679 0 0 -
|
||||
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.0.107 40987 192.168.5.1 4754 udp - 0.108139 356 0 S0 T T 0 D 6 524 0 0 -
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.107 50343 192.168.5.1 4754 udp - 0.000089 116 0 S0 T T 0 D 2 172 0 0 -
|
||||
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.0.107 53571 192.168.5.1 4754 udp - 0.000039 235 0 S0 T T 0 D 2 291 0 0 -
|
||||
#close XXXX-XX-XX-XX-XX-XX
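Review bot: The four outer UDP rows to port 4754 in this conn.log baseline are all `S0` with history `D` and zero responder packets, and nothing visible in the baseline explains why, so a later reader could mistake the one-way flows for an analyzer regression. The +/- markers are lost on this page, so which rows are new is inferred from the `-7,8 +7,10` counts. Assuming the cause is the asymmetric flow hash described in the commit message, I would record it next to the test, e.g. `# Linux does not use a symmetric flow hash for the UDP encapsulation, so the two inner connections show up as four one-way outer flows.` It may also be worth noting there that the inner rows' `tunnel_parents` value (`ClEkJM2Vm5giqnMf4h`) matches none of the `uid`s in this log, so anyone pivoting from an inner connection to its carrier presumably has to go through the tunnel log rather than conn.log.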
|
||||
|
|
|
@ -7,6 +7,6 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
|
||||
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.5 45690 1.1.1.1 53 udp 55478 - zeek.org 1 C_INTERNET 1 A - - F F T F 0 - - F
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.5 45690 1.1.1.1 53 udp 42431 - zeek.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
|
||||
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
|
||||
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 172.17.0.5 47478 192.0.78.150 80 1 GET zeek.org / - - curl/7.87.0 - 0 0 - - - - (empty) - - - - - - - - -
|
||||
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.17.0.2 36518 192.0.78.150 80 1 GET zeek.org / - 1.1 curl/7.87.0 - 0 162 301 Moved Permanently - - (empty) - - - - - - FUNuKw3T9FybXoo6P6 - text/html
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
Binary file not shown.