mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
quic: Bump maximum history length, make configurable
From zeek/spicy-quic#15
This commit is contained in:
Arne Welzel
parent
16a51218a5
commit
6604010a05
8 changed files with 39 additions and 14 deletions
|
|
@ -69,6 +69,9 @@ export {
|
|||
global log_policy: Log::PolicyHook;
|
||||
|
||||
global finalize_quic: Conn::RemovalHook;
|
||||
|
||||
## The maximum length of the history field.
|
||||
option max_history_length = 100;
|
||||
}
|
||||
|
||||
redef record connection += {
|
||||
|
|
@ -84,12 +87,15 @@ const quic_ports = {
|
|||
784/udp, # DNS-over-QUIC early
|
||||
};
|
||||
|
||||
function add_to_history(quic: Info, is_orig: bool, what: string)
|
||||
function add_to_history(c: connection, is_orig: bool, what: string)
|
||||
{
|
||||
if ( |quic$history_state| == 10 )
|
||||
if ( |c$quic$history_state| == max_history_length )
|
||||
return;
|
||||
|
||||
quic$history_state += is_orig ? to_upper(what[0]) : to_lower(what[0]);
|
||||
c$quic$history_state += is_orig ? to_upper(what[0]) : to_lower(what[0]);
|
||||
|
||||
if ( |c$quic$history_state| == max_history_length )
|
||||
Reporter::conn_weird("QUIC_max_history_length_reached", c);
|
||||
}
|
||||
|
||||
function log_record(quic: Info)
|
||||
|
|
@ -123,19 +129,19 @@ function set_conn(c: connection, is_orig: bool, version: count, dcid: string, sc
|
|||
event QUIC::initial_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
|
||||
{
|
||||
set_conn(c, is_orig, version, dcid, scid);
|
||||
add_to_history(c$quic, is_orig, "INIT");
|
||||
add_to_history(c, is_orig, "INIT");
|
||||
}
|
||||
|
||||
event QUIC::handshake_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
|
||||
{
|
||||
set_conn(c, is_orig, version, dcid, scid);
|
||||
add_to_history(c$quic, is_orig, "HANDSHAKE");
|
||||
add_to_history(c, is_orig, "HANDSHAKE");
|
||||
}
|
||||
|
||||
event QUIC::zero_rtt_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
|
||||
{
|
||||
set_conn(c, is_orig, version, dcid, scid);
|
||||
add_to_history(c$quic, is_orig, "ZeroRTT");
|
||||
add_to_history(c, is_orig, "ZeroRTT");
|
||||
}
|
||||
|
||||
# RETRY packets trigger a log entry and state reset.
|
||||
|
|
@ -144,7 +150,7 @@ event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: str
|
|||
if ( ! c?$quic )
|
||||
set_conn(c, is_orig, version, dcid, scid);
|
||||
|
||||
add_to_history(c$quic, is_orig, "RETRY");
|
||||
add_to_history(c, is_orig, "RETRY");
|
||||
|
||||
log_record(c$quic);
|
||||
|
||||
|
|
@ -158,7 +164,7 @@ event QUIC::connection_close_frame(c: connection, is_orig: bool, version: count,
|
|||
if ( ! c?$quic )
|
||||
return;
|
||||
|
||||
add_to_history(c$quic, is_orig, "CONNECTION_CLOSE");
|
||||
add_to_history(c, is_orig, "CONNECTION_CLOSE");
|
||||
|
||||
log_record(c$quic);
|
||||
|
||||
|
|
@ -189,7 +195,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
|
|||
if ( ! c?$quic )
|
||||
return;
|
||||
|
||||
add_to_history(c$quic, T, "SSL");
|
||||
add_to_history(c, T, "SSL");
|
||||
}
|
||||
|
||||
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=-5
|
||||
|
|
@ -197,7 +203,7 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
|
|||
if ( ! c?$quic )
|
||||
return;
|
||||
|
||||
add_to_history(c$quic, F, "SSL");
|
||||
add_to_history(c, F, "SSL");
|
||||
}
|
||||
|
||||
hook finalize_quic(c: connection)
|
||||
|
|
|
|||
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.2 34347 64.233.166.94 443 1 815d62c70884f4b51e8ccadd5beed372 c15d62c70884f4b5 www.google.de h3 ISishIhHhh
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.2 34347 64.233.166.94 443 1 815d62c70884f4b51e8ccadd5beed372 c15d62c70884f4b5 www.google.de h3 ISishIhHhhH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
|||
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 1 c5a5015ae8f479784a 01275b138ee6aca8a6276b132ae6b3547cf7773f blog.cloudflare.com h3 ISiihIhhhH
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 1 c5a5015ae8f479784a 01275b138ee6aca8a6276b132ae6b3547cf7773f blog.cloudflare.com h3 ISiihIhhhHHhHH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string
|
||||
1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc e483a751 server4:443 hq-interop ISZisZZZZZ
|
||||
1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 8d2041ac server4:443 hq-interop ISishIH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
|||
|
|
@ -0,0 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ISi
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
|
||||
#types time string addr port addr port string string bool string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 QUIC_max_history_length_reached - F zeek -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c 57538 6699:ded3:da8c:be73:5a99:ca73:5a99:cadb 443 1 5a37463b0eb7cc5d da37463b0eb7cc5d www.google.de h3 ISishIhHhh
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c 57538 6699:ded3:da8c:be73:5a99:ca73:5a99:cadb 443 1 5a37463b0eb7cc5d da37463b0eb7cc5d www.google.de h3 ISishIhHhhHH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
# @TEST-DOC: Test that runs the pcap
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic QUIC::max_history_length=3
|
||||
# @TEST-EXEC: zeek-cut -m ts uid history < quic.log > quic.log.cut
|
||||
# @TEST-EXEC: btest-diff quic.log.cut
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
Loading…
Add table
Add a link
Reference in a new issue