Add NCP::max_frame_size tuning option

This helps prevent excessive allocations based on message lengths taken from NCP headers.
2025-10-02 14:48:21 +00:00 · 2018-05-22 18:27:52 -05:00 · 2018-05-22 18:27:52 -05:00 · 58864c358c
commit 58864c358c
parent e35da5f592
7 changed files with 487 additions and 15 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -4806,6 +4806,12 @@ export {
 	const max_frag_data = 30000 &redef;
 }

+module NCP;
+export {
+	## The maximum number of bytes to allocate when parsing NCP frames.
+	const max_frame_size = 65536 &redef;
+}
+
 module Cluster;
 export {
 	type Cluster::Pool: record {};
--- a/src/analyzer/protocol/ncp/CMakeLists.txt
+++ b/src/analyzer/protocol/ncp/CMakeLists.txt
@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI

 bro_plugin_begin(Bro NCP)
 bro_plugin_cc(NCP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+bro_plugin_bif(events.bif consts.bif)
 bro_plugin_pac(ncp.pac)
 bro_plugin_end()
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@ -9,6 +9,7 @@
 #include "NCP.h"

 #include "events.bif.h"
+#include "consts.bif.h"

 using namespace std;
 using namespace analyzer::ncp;
@ -105,13 +106,12 @@ void FrameBuffer::Reset()
 	msg_len = 0;
 	}

-// Returns true if we have a complete frame
-bool FrameBuffer::Deliver(int &len, const u_char* &data)
+int FrameBuffer::Deliver(int &len, const u_char* &data)
 	{
 	ASSERT(buf_len >= hdr_len);

 	if ( len == 0 )
-		return false;
+		return -1;

 	if ( buf_n < hdr_len )
 		{
@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
 			}

 		if ( buf_n < hdr_len )
-			return false;
+			return -1;

 		compute_msg_length();

 		if ( msg_len > buf_len )
 			{
-			buf_len = msg_len * 2;
+			if ( msg_len > BifConst::NCP::max_frame_size )
+				return 1;
+
+			buf_len = msg_len;
 			u_char* new_buf = new u_char[buf_len];
 			memcpy(new_buf, msg_buf, buf_n);
 			delete [] msg_buf;
@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
 		++buf_n; ++data; --len;
 		}

-	return buf_n >= msg_len;
+	if ( buf_n < msg_len )
+		return -1;
+
+	if ( buf_n == msg_len )
+		return 0;
+
+	return 1;
 	}

 void NCP_FrameBuffer::compute_msg_length()
@ -203,10 +212,27 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 		resync = false;
 		}

-	while ( buffer.Deliver(len, data) )
+	for ( ; ; )
 		{
-		session->Deliver(IsOrig(), buffer.Len(), buffer.Data());
-		buffer.Reset();
+		auto result = buffer.Deliver(len, data);
+
+		if ( result < 0 )
+			break;
+
+		if ( result == 0 )
+			{
+			session->Deliver(IsOrig(), buffer.Len(), buffer.Data());
+			buffer.Reset();
+			}
+		else
+			{
+			// The rest of the data available in this delivery will
+			// be discarded and will need to resync to a new frame header.
+			Weird("ncp_large_frame");
+			buffer.Reset();
+			resync = true;
+			break;
+			}
 		}
 	}

--- a/src/analyzer/protocol/ncp/NCP.h
+++ b/src/analyzer/protocol/ncp/NCP.h
@ -54,8 +54,9 @@ public:
 	explicit FrameBuffer(int header_length);
 	virtual ~FrameBuffer();

-	// Returns true if a frame is ready
-	bool Deliver(int& len, const u_char* &data);
+	// Returns -1 if frame is not ready, 0 if it else, and 1 if
+	// the frame would require too large of a buffer allocation.
+	int Deliver(int& len, const u_char* &data);

 	void Reset();

@ -68,9 +69,9 @@ protected:

 	int hdr_len;
 	u_char* msg_buf;
-	int msg_len;
-	int buf_n;	// number of bytes in msg_buf
-	int buf_len;	// size off msg_buf
+	uint64 msg_len;
+	size_t buf_n;	// number of bytes in msg_buf
+	size_t buf_len;	// size off msg_buf
 };

 #define NCP_TCPIP_HEADER_LENGTH 8
--- a/src/analyzer/protocol/ncp/consts.bif
+++ b/src/analyzer/protocol/ncp/consts.bif
@ -0,0 +1 @@
+const NCP::max_frame_size: count;
--- a/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out
+++ b/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out
@ -0,0 +1,418 @@
+ncp reply, 13107, 70, 0, 0, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 59, 89
+ncp reply, 13107, 2, 8738, 89, 255
+ncp request, 8738, 59, 89
+ncp reply, 13107, 2, 8738, 89, 255
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 66, 89
+ncp reply, 13107, 92, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 66, 89
+ncp reply, 13107, 92, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 46, 89
+ncp reply, 13107, 88, 8738, 89, 0
+ncp request, 8738, 40, 89
+ncp reply, 13107, 11, 8738, 89, 0
+ncp request, 8738, 40, 89
+ncp reply, 13107, 102, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 6, 22338
+ncp reply, 13107, 10, 8738, 22338, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 14, 72
--- a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
+++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
+# @TEST-EXEC: btest-diff out
+
+redef likely_server_ports += { 524/tcp };
+
+event bro_init()
+	{
+	const ports = { 524/tcp };
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
+	}
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+	{
+	print "ncp request", frame_type, length, func;
+	}
+
+event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
+	{
+	print "ncp reply", frame_type, length, req_frame, req_func, completion_code;
+	}