From 6908d1b91994db38cf06ef194168ab23367f72b6 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 10 Jul 2020 01:35:12 -0700 Subject: [PATCH] GH-1019: deprecate icmp_conn params for ICMP events Previously, a single `icmp_conn` record was built per ICMP "connection" and re-used for all events generated from it. This may have been a historical attempt at performance optimization, but: * By default, Zeek does not load any scripts that handle ICMP events. * The one script Zeek ships with that does handle ICMP events, "detect-traceroute", is already noted as being disabled due to potential performance problems of doing that kind of analysis. * Re-use of the original `icmp_conn` record tends to misreport TTL and length values since they come from original packet instead of the current one. * Even if we chose to still re-use `icmp_conn` records and just fill in a new TTL and length value each packet, a user script could have stored a reference to the record and not be expecting those values to be changed out from underneath them. Now, a new `icmp_info` record is created/populated in all ICMP events and should be used instead of `icmp_conn`. It also removes the orig_h/resp_h fields as those are redundant with what's already available in the connection record. 
--- NEWS | 13 +++ scripts/base/init-bare.zeek | 13 +++ .../policy/misc/detect-traceroute/main.zeek | 2 +- src/analyzer/protocol/icmp/ICMP.cc | 25 ++++- src/analyzer/protocol/icmp/ICMP.h | 3 + src/analyzer/protocol/icmp/events.bif | 99 ++++++++++++++++--- .../Baseline/core.icmp.icmp-context/output | 6 +- .../Baseline/core.icmp.icmp-events/output | 12 +-- .../Baseline/core.icmp.icmp6-context/output | 8 +- .../Baseline/core.icmp.icmp6-events/output | 34 +++---- .../btest/Baseline/core.icmp.icmp_sent/out | 4 +- .../btest/bifs/get_current_packet_header.zeek | 4 +- testing/btest/core/icmp/icmp-context.test | 4 +- testing/btest/core/icmp/icmp-events.test | 20 ++-- testing/btest/core/icmp/icmp6-context.test | 4 +- testing/btest/core/icmp/icmp6-events.test | 52 +++++----- testing/btest/core/icmp/icmp6-nd-options.test | 6 +- testing/btest/core/icmp/icmp_sent.zeek | 8 +- .../btest/core/tunnels/gre-erspan3-dot1q.zeek | 4 +- 19 files changed, 221 insertions(+), 100 deletions(-) diff --git a/NEWS b/NEWS index 1a902c05a6..41b44de954 100644 --- a/NEWS +++ b/NEWS 
@@ -259,6 +259,19 @@ Deprecated Functionality that the former returns a vector with indices starting at 1 while the later returns a vector with indices starting at 0. +- The ``icmp_conn`` parameter of ICMP events is deprecated, there's an + alternate version with an ``icmp_info`` parameter to use instead. + The ``icmp_conn`` record passed to ICMP events has always been re-used + amongst all events within an ICMP "connection", so the + ``itype``, ``icode``, ``len``, and ``hlim`` fields as inspected in + handlers never appears to change even if the underlying packet data + has different values for those fields. However, it's not known if + anyone relied on that behavior, so the new ``icmp_info`` record is + introduced with the more-expected behavior of being created and + populated for each new event. It also removes the orig_h/resp_h + fields since those are redundant with what's already available in + the connection parameter. + Zeek 3.1.0 ========== diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index edef9350a8..5813e63c9e 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -188,6 +188,19 @@ type icmp_conn: record { v6: bool; ##< True if it's an ICMPv6 packet. }; +## Specifics about an ICMP conversation/packet. +## ICMP events typically pass this in addition to :zeek:type:`conn_id`. +## +## .. zeek:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent +## icmp_time_exceeded icmp_unreachable +type icmp_info: record { + v6: bool; ##< True if it's an ICMPv6 packet. + itype: count; ##< The ICMP type of the current packet. + icode: count; ##< The ICMP code of the current packet. + len: count; ##< The length of the ICMP payload. + ttl: count; ##< The encapsulating IP header's TTL (IPv4) or Hop Limit (IPv6). +}; + ## Packet context part of an ICMP message. The fields of this record reflect the ## packet that is described by the context. ## 
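Review bot: The `.. zeek:see::` list on the new `icmp_info` record names only six events, yet the events.bif hunks in this same patch add an `info: icmp_info` parameter to every ICMP event, including icmp_sent_payload, icmp_error_message, icmp_packet_too_big, icmp_parameter_problem and all router/neighbor discovery events, so the cross-reference is incomplete from the moment it is introduced. I would either list all of them or replace the list with `## Every ICMP event in icmp/events.bif receives this record as its *info* parameter.` The `len` field doc could also say what the test baselines in this patch suggest, that the value excludes the ICMP header: `len: count; ##< The length of the ICMP payload, i.e. the bytes following the ICMP header.` That reading is inferred from the baseline output (56-byte echo payload reported as len=56) and should be confirmed against the analyzer before wording it as fact.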
diff --git a/scripts/policy/misc/detect-traceroute/main.zeek b/scripts/policy/misc/detect-traceroute/main.zeek index 091ceceed6..8125fdd21e 100644 --- a/scripts/policy/misc/detect-traceroute/main.zeek +++ b/scripts/policy/misc/detect-traceroute/main.zeek @@ -95,7 +95,7 @@ event signature_match(state: signature_state, msg: string, data: string) } } -event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context) +event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context) { SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h,"-",get_port_transport_proto(context$id$resp_p))], [$str=cat(c$id$orig_h)]); } diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index fa6997d206..990262d7e1 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -204,7 +204,8 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, if ( icmp_sent ) EnqueueConnEvent(icmp_sent, ConnVal(), - BuildICMPVal(icmpp, len, icmpv6, ip_hdr) + BuildICMPVal(icmpp, len, icmpv6, ip_hdr), + BuildInfo(icmpp, len, icmpv6, ip_hdr) ); if ( icmp_sent_payload ) @@ -214,6 +215,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, EnqueueConnEvent(icmp_sent_payload, ConnVal(), BuildICMPVal(icmpp, len, icmpv6, ip_hdr), + BuildInfo(icmpp, len, icmpv6, ip_hdr), zeek::make_intrusive(payload) ); } 
@@ -239,6 +241,19 @@ zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len return icmp_conn_val; } +zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len, + bool icmpv6, const IP_Hdr* ip_hdr) + { + static auto icmp_info = zeek::id::find_type("icmp_info"); + auto rval = zeek::make_intrusive(icmp_info); + rval->Assign(0, zeek::val_mgr->Bool(icmpv6)); + rval->Assign(1, zeek::val_mgr->Count(icmpp->icmp_type)); + rval->Assign(2, zeek::val_mgr->Count(icmpp->icmp_code)); + rval->Assign(3, zeek::val_mgr->Count(len)); + rval->Assign(4, zeek::val_mgr->Count(ip_hdr->TTL())); + return rval; + } + TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port) { const u_char* transport_hdr; @@ -520,6 +535,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), + BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), zeek::val_mgr->Count(iid), zeek::val_mgr->Count(iseq), zeek::make_intrusive(payload) @@ -548,6 +564,7 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), + BuildInfo(icmpp, len, 1, ip_hdr), zeek::val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other @@ -581,6 +598,7 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), + BuildInfo(icmpp, len, 1, ip_hdr), zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override 
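Review bot: BuildInfo fills the record through bare positional indices `Assign(0)` to `Assign(4)`, which silently depend on the field order of the `icmp_info` record declared in init-bare.zeek (v6, itype, icode, len, ttl); nothing in the C++ says so, and inserting or reordering a script-side field would misfile every value with no compile-time error. I would put `// Positional indices must match the icmp_info record in init-bare.zeek: v6, itype, icode, len, ttl.` above the first Assign. Separately, `len` arrives as an `int` and is stored via `zeek::val_mgr->Count(len)` with no sign check, so if any caller can ever hand in a negative length (not determinable from this hunk) it would wrap to a very large count; if len is guaranteed non-negative by the callers, a one-line comment saying so would close the question for the next reader.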
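Review bot: In the Echo hunk the IPv6 test `ip_hdr->NextProto() != IPPROTO_ICMP` is now evaluated twice, once for BuildICMPVal and again for the new BuildInfo argument, while every other call site in this patch passes a literal `1` or `0`; hoisting it once as `const bool is_v6 = ip_hdr->NextProto() != IPPROTO_ICMP;` ahead of the EnqueueConnEvent call (whose start lies above the hunk) and passing `is_v6` to both keeps the two records guaranteed to agree and reads more clearly. Since BuildInfo declares that parameter as `bool`, the other hunks would also be clearer passing `true`/`false` rather than `1`/`0`.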
@@ -608,6 +626,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), + BuildInfo(icmpp, len, 1, ip_hdr), zeek::make_intrusive(tgtaddr), BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) ); @@ -635,6 +654,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), + BuildInfo(icmpp, len, 1, ip_hdr), zeek::make_intrusive(tgtaddr), zeek::make_intrusive(dstaddr), BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) @@ -653,6 +673,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), + BuildInfo(icmpp, len, 1, ip_hdr), BuildNDOptionsVal(caplen, data) ); } @@ -678,6 +699,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 0, ip_hdr), + BuildInfo(icmpp, len, 0, ip_hdr), zeek::val_mgr->Count(icmpp->icmp_code), ExtractICMP4Context(caplen, data) ); @@ -716,6 +738,7 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), + BuildInfo(icmpp, len, 1, ip_hdr), zeek::val_mgr->Count(icmpp->icmp_code), ExtractICMP6Context(caplen, data) ); diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h index 2e62d477bb..f6abf31ff0 100644 --- a/src/analyzer/protocol/icmp/ICMP.h +++ b/src/analyzer/protocol/icmp/ICMP.h @@ -57,6 +57,9 @@ protected: zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len, int icmpv6, const IP_Hdr* ip_hdr); + zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len, + bool icmpv6, const IP_Hdr* ip_hdr); + void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr ); 
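Review bot: The new BuildInfo declaration in ICMP.h carries no comment, although it is now called on every ICMP event path and sits next to BuildICMPVal whose semantics it deliberately differs from. I would add above it `// Build a fresh icmp_info record for the current packet (v6 flag, type, code, payload length, TTL/hop limit). Unlike the icmp_conn value from BuildICMPVal, the result is created per event rather than re-used for the whole connection.` The re-use contrast is taken from the commit message rather than from this hunk, so keep that second sentence only if BuildICMPVal does cache icmp_conn_val as described.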
diff --git a/src/analyzer/protocol/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif index ada3fe48a0..96ac63cc03 100644 --- a/src/analyzer/protocol/icmp/events.bif +++ b/src/analyzer/protocol/icmp/events.bif @@ -12,8 +12,13 @@ ## icmp: Additional ICMP-specific information augmenting the standard ## connection record *c*. ## +## info: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## ## .. zeek:see:: icmp_error_message icmp_sent_payload -event icmp_sent%(c: connection, icmp: icmp_conn%); +event icmp_sent%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info%); +event icmp_sent%(c: connection, info: icmp_info%); +event icmp_sent%(c: connection, icmp: icmp_conn%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## The same as :zeek:see:`icmp_sent` except containing the ICMP payload. ## @@ -22,10 +27,15 @@ event icmp_sent%(c: connection, icmp: icmp_conn%); ## icmp: Additional ICMP-specific information augmenting the standard ## connection record *c*. ## +## info: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## ## payload: The payload of the ICMP message. ## ## .. zeek:see:: icmp_error_message icmp_sent_payload -event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%); +event icmp_sent_payload%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, payload: string%); +event icmp_sent_payload%(c: connection, info: icmp_info, payload: string%); +event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *echo request* messages. ## 
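Review bot: The documentation added for the new `info` parameter is a word-for-word copy of the `icmp` line directly above it, so the generated event docs give a reader no hint which of the two to use or how they differ, and the `icmp` description never mentions the deprecation that the prototypes below now carry. I would write `## icmp: Deprecated, use *info* instead. This record is shared across all events of an ICMP "connection", so its per-packet fields can be stale.` and `## info: ICMP-specific details of the current packet (type, code, payload length, TTL), populated fresh for each event.` The staleness statement comes from the commit message and the NEWS entry rather than from this hunk. The same duplicated text recurs for every event in the file, so the fix applies throughout.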
@@ -38,6 +48,9 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%); ## icmp: Additional ICMP-specific information augmenting the standard ## connection record *c*. ## +## info: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## ## id: The *echo request* identifier. ## ## seq: The *echo request* sequence number. @@ -46,7 +59,9 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%); ## after the first 8 bytes of the ICMP header. ## ## .. zeek:see:: icmp_echo_reply -event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); +event icmp_echo_request%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, id: count, seq: count, payload: string%); +event icmp_echo_request%(c: connection, info: icmp_info, id: count, seq: count, payload: string%); +event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn."; ## Generated for ICMP *echo reply* messages. ## @@ -59,6 +74,9 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## ## id: The *echo reply* identifier. ## ## seq: The *echo reply* sequence number. 
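Review bot: The deprecation string on the old icmp_echo_request prototype ends with a trailing period, `&deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn."`, whereas icmp_sent and icmp_sent_payload in the preceding hunk, and the error-message and neighbor-discovery events further down, use the same sentence without it (icmp_echo_reply below repeats the variant with the period). This string is what users see in the deprecation warning, so I would settle on one form, `&deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"`, and use it on every prototype.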
@@ -67,7 +85,9 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, ## after the first 8 bytes of the ICMP header. ## ## .. zeek:see:: icmp_echo_request -event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); +event icmp_echo_reply%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, id: count, seq: count, payload: string%); +event icmp_echo_reply%(c: connection, info: icmp_info, id: count, seq: count, payload: string%); +event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn."; ## Generated for all ICMPv6 error messages that are not handled ## separately with dedicated events. Zeek's ICMP analyzer handles a number @@ -83,6 +103,9 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa ## icmp: Additional ICMP-specific information augmenting the standard ## connection record *c*. ## +## info: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## ## code: The ICMP code of the error message. ## ## context: A record with specifics of the original packet that the message 
@@ -90,7 +113,9 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa ## ## .. zeek:see:: icmp_unreachable icmp_packet_too_big ## icmp_time_exceeded icmp_parameter_problem -event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); +event icmp_error_message%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%); +event icmp_error_message%(c: connection, info: icmp_info, code: count, context: icmp_context%); +event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *destination unreachable* messages. ## @@ -103,6 +128,9 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## code: The ICMP code of the *unreachable* message. ## ## context: A record with specifics of the original packet that the message @@ -114,7 +142,9 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: ## ## .. zeek:see:: icmp_error_message icmp_packet_too_big ## icmp_time_exceeded icmp_parameter_problem -event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); +event icmp_unreachable%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%); +event icmp_unreachable%(c: connection, info: icmp_info, code: count, context: icmp_context%); +event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMPv6 *packet too big* messages. ## 
@@ -127,6 +157,9 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## code: The ICMP code of the *too big* message. ## ## context: A record with specifics of the original packet that the message @@ -138,7 +171,9 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic ## ## .. zeek:see:: icmp_error_message icmp_unreachable ## icmp_time_exceeded icmp_parameter_problem -event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); +event icmp_packet_too_big%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%); +event icmp_packet_too_big%(c: connection, info: icmp_info, code: count, context: icmp_context%); +event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *time exceeded* messages. ## @@ -151,6 +186,9 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## code: The ICMP code of the *exceeded* message. ## ## context: A record with specifics of the original packet that the message 
@@ -162,7 +200,9 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: ## ## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big ## icmp_parameter_problem -event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); +event icmp_time_exceeded%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%); +event icmp_time_exceeded%(c: connection, info: icmp_info, code: count, context: icmp_context%); +event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMPv6 *parameter problem* messages. ## @@ -175,6 +215,9 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## code: The ICMP code of the *parameter problem* message. ## ## context: A record with specifics of the original packet that the message @@ -186,7 +229,9 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: ## ## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big ## icmp_time_exceeded -event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); +event icmp_parameter_problem%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%); +event icmp_parameter_problem%(c: connection, info: icmp_info, code: count, context: icmp_context%); +event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *router solicitation* messages. ## 
@@ -199,11 +244,16 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## ## .. zeek:see:: icmp_router_advertisement ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); +event icmp_router_solicitation%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, options: icmp6_nd_options%); +event icmp_router_solicitation%(c: connection, info: icmp_info, options: icmp6_nd_options%); +event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *router advertisement* messages. ## @@ -216,6 +266,9 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## cur_hop_limit: The default value that should be placed in Hop Count field ## for outgoing IP packets. ## 
@@ -241,7 +294,9 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n ## ## .. zeek:see:: icmp_router_solicitation ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); +event icmp_router_advertisement%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); +event icmp_router_advertisement%(c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); +event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *neighbor solicitation* messages. ## 
@@ -254,13 +309,18 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## tgt: The IP address of the target of the solicitation. ## ## options: Any Neighbor Discovery options included with message (:rfc:`4861`). ## ## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_advertisement icmp_redirect -event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); +event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, tgt: addr, options: icmp6_nd_options%); +event icmp_neighbor_solicitation%(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options%); +event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *neighbor advertisement* messages. ## @@ -273,6 +333,9 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## router: Flag indicating the sender is a router. ## ## solicited: Flag indicating advertisement is in response to a solicitation. 
@@ -286,7 +349,9 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt ## ## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_solicitation icmp_redirect -event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); +event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); +event icmp_neighbor_advertisement%(c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); +event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; ## Generated for ICMP *redirect* messages. ## @@ -299,6 +364,9 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## info: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## ## tgt: The address that is supposed to be a better first hop to use for ## ICMP Destination Address. ## 
@@ -308,5 +376,6 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, ## ## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_solicitation icmp_neighbor_advertisement -event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); - +event icmp_redirect%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options%); +event icmp_redirect%(c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options%); +event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn"; diff --git a/testing/btest/Baseline/core.icmp.icmp-context/output b/testing/btest/Baseline/core.icmp.icmp-context/output index 40dc778d8b..d3dc6b08a3 100644 --- a/testing/btest/Baseline/core.icmp.icmp-context/output +++ b/testing/btest/Baseline/core.icmp.icmp-context/output 
@@ -1,12 +1,12 @@ icmp_unreachable (code=0) conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=3, icode=0, len=0, hlim=64, v6=F] + icmp_info: [v6=F, itype=3, icode=0, len=0, ttl=64] icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F] icmp_unreachable (code=0) conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=3, icode=0, len=20, hlim=64, v6=F] + icmp_info: [v6=F, itype=3, icode=0, len=20, ttl=64] icmp_context: [id=[orig_h=10.0.0.2, orig_p=0/unknown, resp_h=10.0.0.1, resp_p=0/unknown], len=20, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F] icmp_unreachable (code=3) conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp] - icmp_conn: [orig_h=192.168.1.102, resp_h=192.168.1.1, itype=3, icode=3, len=148, hlim=128, v6=F] + icmp_info: [v6=F, itype=3, icode=3, len=148, ttl=128] icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F] diff --git a/testing/btest/Baseline/core.icmp.icmp-events/output b/testing/btest/Baseline/core.icmp.icmp-events/output index c72af480d5..e4867b6cd4 100644 --- a/testing/btest/Baseline/core.icmp.icmp-events/output +++ b/testing/btest/Baseline/core.icmp.icmp-events/output 
@@ -1,20 +1,20 @@ icmp_unreachable (code=3) conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp] - icmp_conn: [orig_h=192.168.1.102, resp_h=192.168.1.1, itype=3, icode=3, len=148, hlim=128, v6=F] + icmp_info: [v6=F, itype=3, icode=3, len=148, ttl=128] icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F] icmp_time_exceeded (code=0) conn_id: [orig_h=10.0.0.1, orig_p=11/icmp, resp_h=10.0.0.2, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=11, icode=0, len=32, hlim=64, v6=F] + icmp_info: [v6=F, itype=11, icode=0, len=32, ttl=64] icmp_context: [id=[orig_h=10.0.0.2, orig_p=30000/udp, resp_h=10.0.0.1, resp_p=13000/udp], len=32, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F] icmp_echo_request (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567) conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F] + icmp_info: [v6=F, itype=8, icode=0, len=56, ttl=64] icmp_echo_reply (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567) conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F] + icmp_info: [v6=F, itype=0, icode=0, len=56, ttl=56] icmp_echo_request (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567) conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, 
resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F] + icmp_info: [v6=F, itype=8, icode=0, len=56, ttl=64] icmp_echo_reply (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567) conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp] - icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F] + icmp_info: [v6=F, itype=0, icode=0, len=56, ttl=56] diff --git a/testing/btest/Baseline/core.icmp.icmp6-context/output b/testing/btest/Baseline/core.icmp.icmp6-context/output index 7a83679018..f295164626 100644 --- a/testing/btest/Baseline/core.icmp.icmp6-context/output +++ b/testing/btest/Baseline/core.icmp.icmp6-context/output 
@@ -1,16 +1,16 @@ icmp_unreachable (code=0) conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp] - icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=0, hlim=64, v6=T] + icmp_info: [v6=T, itype=1, icode=0, len=0, ttl=64] icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F] icmp_unreachable (code=0) conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp] - icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=40, hlim=64, v6=T] + icmp_info: [v6=T, itype=1, icode=0, len=40, ttl=64] icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F] icmp_unreachable (code=0) conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp] - icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=60, hlim=64, v6=T] + icmp_info: [v6=T, itype=1, icode=0, len=60, ttl=64] icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F] icmp_unreachable (code=0) conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp] - icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=48, hlim=64, v6=T] + icmp_info: [v6=T, itype=1, icode=0, len=48, ttl=64] icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F] diff --git a/testing/btest/Baseline/core.icmp.icmp6-events/output b/testing/btest/Baseline/core.icmp.icmp6-events/output index fdb58e5be1..b5a9bc7263 100644 --- a/testing/btest/Baseline/core.icmp.icmp6-events/output +++ b/testing/btest/Baseline/core.icmp.icmp6-events/output 
@@ -1,46 +1,46 @@
 icmp_unreachable (code=0)
 conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=60, hlim=64, v6=T]
+ icmp_info: [v6=T, itype=1, icode=0, len=60, ttl=64]
 icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_packet_too_big (code=0)
 conn_id: [orig_h=fe80::dead, orig_p=2/icmp, resp_h=fe80::beef, resp_p=0/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=2, icode=0, len=52, hlim=64, v6=T]
+ icmp_info: [v6=T, itype=2, icode=0, len=52, ttl=64]
 icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_time_exceeded (code=0)
 conn_id: [orig_h=fe80::dead, orig_p=3/icmp, resp_h=fe80::beef, resp_p=0/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=3, icode=0, len=52, hlim=64, v6=T]
+ icmp_info: [v6=T, itype=3, icode=0, len=52, ttl=64]
 icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_parameter_problem (code=0)
 conn_id: [orig_h=fe80::dead, orig_p=4/icmp, resp_h=fe80::beef, resp_p=0/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=4, icode=0, len=52, hlim=64, v6=T]
+ icmp_info: [v6=T, itype=4, icode=0, len=52, ttl=64]
 icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_echo_request (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_echo_request (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_echo_request (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_echo_request (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
 conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
- icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
+ icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_redirect (tgt=fe80::cafe, dest=fe80::babe)
 conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=137, icode=0, len=32, hlim=255, v6=T]
+ icmp_info: [v6=T, itype=137, icode=0, len=32, ttl=255]
 options: []
 icmp_router_advertisement
 cur_hop_limit=13
@@ -54,20 +54,20 @@ icmp_router_advertisement
 reachable_time=3.0 secs 700.0 msecs
 retrans_timer=1.0 sec 300.0 msecs
 conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=134, icode=0, len=8, hlim=255, v6=T]
+ icmp_info: [v6=T, itype=134, icode=0, len=8, ttl=255]
 options: []
 icmp_neighbor_advertisement (tgt=fe80::babe)
 router=T
 solicited=F
 override=T
 conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=136, icode=0, len=16, hlim=255, v6=T]
+ icmp_info: [v6=T, itype=136, icode=0, len=16, ttl=255]
 options: []
 icmp_router_solicitation
 conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=133, icode=0, len=0, hlim=255, v6=T]
+ icmp_info: [v6=T, itype=133, icode=0, len=0, ttl=255]
 options: []
 icmp_neighbor_solicitation (tgt=fe80::babe)
 conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp]
- icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=135, icode=0, len=16, hlim=255, v6=T]
+ icmp_info: [v6=T, itype=135, icode=0, len=16, ttl=255]
 options: []
diff --git a/testing/btest/Baseline/core.icmp.icmp_sent/out b/testing/btest/Baseline/core.icmp.icmp_sent/out
index cf8fe9e4e1..42457061ba 100644
--- a/testing/btest/Baseline/core.icmp.icmp_sent/out
+++ b/testing/btest/Baseline/core.icmp.icmp_sent/out
@@ -1,2 +1,2 @@
-icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T]
-icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T], 20
+icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [v6=T, itype=143, icode=0, len=20, ttl=1]
+icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [v6=T, itype=143, icode=0, len=20, ttl=1], 20
diff --git a/testing/btest/bifs/get_current_packet_header.zeek b/testing/btest/bifs/get_current_packet_header.zeek
index 8efa727e11..aeca5a8bdc 100644
--- a/testing/btest/bifs/get_current_packet_header.zeek
+++ b/testing/btest/bifs/get_current_packet_header.zeek
@@ -1,8 +1,8 @@
 # @TEST-EXEC: zeek -C -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
 
-event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
+event icmp_neighbor_solicitation(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
 {
 local hdr: raw_pkt_hdr = get_current_packet_header();
 print fmt("%s", hdr);
- }
\ No newline at end of file
+ }
diff --git a/testing/btest/core/icmp/icmp-context.test b/testing/btest/core/icmp/icmp-context.test
index 58e696cf9c..b88ea2e473 100644
--- a/testing/btest/core/icmp/icmp-context.test
+++ b/testing/btest/core/icmp/icmp-context.test
@@ -5,10 +5,10 @@
 # @TEST-EXEC: zeek -b -r $TRACES/icmp/icmp-destunreach-udp.pcap %INPUT >>output 2>&1
 # @TEST-EXEC: btest-diff output
 
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_unreachable (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
diff --git a/testing/btest/core/icmp/icmp-events.test b/testing/btest/core/icmp/icmp-events.test
index 3aa0ee1177..5504e8dd3e 100644
--- a/testing/btest/core/icmp/icmp-events.test
+++ b/testing/btest/core/icmp/icmp-events.test
@@ -6,39 +6,39 @@
 # @TEST-EXEC: btest-diff output
 
-event icmp_sent(c: connection, icmp: icmp_conn)
+event icmp_sent(c: connection, info: icmp_info)
 {
 print "icmp_sent";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 }
 
-event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
 {
 print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 }
 
-event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
 {
 print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 }
 
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_unreachable (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
 
-event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
diff --git a/testing/btest/core/icmp/icmp6-context.test b/testing/btest/core/icmp/icmp6-context.test
index 66d57b527b..9c50aa6ccc 100644
--- a/testing/btest/core/icmp/icmp6-context.test
+++ b/testing/btest/core/icmp/icmp6-context.test
@@ -6,10 +6,10 @@
 # @TEST-EXEC: zeek -b -r $TRACES/icmp/icmp6-destunreach-ip6ext.pcap %INPUT >>output 2>&1
 # @TEST-EXEC: btest-diff output
 
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_unreachable (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
diff --git a/testing/btest/core/icmp/icmp6-events.test b/testing/btest/core/icmp/icmp6-events.test
index 6174e697fd..374a15150b 100644
--- a/testing/btest/core/icmp/icmp6-events.test
+++ b/testing/btest/core/icmp/icmp6-events.test
@@ -13,103 +13,103 @@
 # @TEST-EXEC: btest-diff output
 
-event icmp_sent(c: connection, icmp: icmp_conn)
+event icmp_sent(c: connection, info: icmp_info)
 {
 print "icmp_sent";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 }
 
-event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
 {
 print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 }
 
-event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
 {
 print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 }
 
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_unreachable (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
 
-event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_packet_too_big(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_packet_too_big (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
 
-event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
 
-event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_parameter_problem(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_parameter_problem (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
 
-event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
+event icmp_redirect(c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
 {
 print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " options: " + fmt("%s", options);
 }
 
-event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+event icmp_error_message(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
 print "icmp_error_message (code=" + fmt("%d", code) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " icmp_context: " + fmt("%s", context);
 }
 
-event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
+event icmp_neighbor_solicitation(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
 {
 print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " options: " + fmt("%s", options);
 }
 
-event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
+event icmp_neighbor_advertisement(c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
 {
 print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")";
 print " router=" + fmt("%s", router);
 print " solicited=" + fmt("%s", solicited);
 print " override=" + fmt("%s", override);
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " options: " + fmt("%s", options);
 }
 
-event icmp_router_solicitation(c: connection, icmp: icmp_conn, options: icmp6_nd_options)
+event icmp_router_solicitation(c: connection, info: icmp_info, options: icmp6_nd_options)
 {
 print "icmp_router_solicitation";
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " options: " + fmt("%s", options);
 }
 
-event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
+event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
 {
 print "icmp_router_advertisement";
 print " cur_hop_limit=" + fmt("%s", cur_hop_limit);
@@ -123,6 +123,6 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c
 print " reachable_time=" + fmt("%s", reachable_time);
 print " retrans_timer=" + fmt("%s", retrans_timer);
 print " conn_id: " + fmt("%s", c$id);
- print " icmp_conn: " + fmt("%s", icmp);
+ print " icmp_info: " + fmt("%s", info);
 print " options: " + fmt("%s", options);
 }
diff --git a/testing/btest/core/icmp/icmp6-nd-options.test b/testing/btest/core/icmp/icmp6-nd-options.test
index 93f1931524..4defa83b09 100644
--- a/testing/btest/core/icmp/icmp6-nd-options.test
+++ b/testing/btest/core/icmp/icmp6-nd-options.test
@@ -5,7 +5,7 @@
 # @TEST-EXEC: btest-diff output
 
-event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
+event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
 {
 print "icmp_router_advertisement options";
 for ( o in options )
@@ -17,7 +17,7 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c
 }
 }
 
-event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
+event icmp_neighbor_advertisement(c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
 {
 print "icmp_neighbor_advertisement options";
 for ( o in options )
@@ -27,7 +27,7 @@ event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool,
 }
 }
 
-event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
+event icmp_redirect(c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
 {
 print "icmp_redirect options";
 for ( o in options )
diff --git a/testing/btest/core/icmp/icmp_sent.zeek b/testing/btest/core/icmp/icmp_sent.zeek
index 72e6ab543b..5ca4be7b3d 100644
--- a/testing/btest/core/icmp/icmp_sent.zeek
+++ b/testing/btest/core/icmp/icmp_sent.zeek
@@ -1,12 +1,12 @@
 # @TEST-EXEC: zeek -b -r $TRACES/icmp/icmp_sent.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out
 
-event icmp_sent(c: connection, icmp: icmp_conn)
+event icmp_sent(c: connection, info: icmp_info)
 {
- print "icmp_sent", c$id, icmp;
+ print "icmp_sent", c$id, info;
 }
 
-event icmp_sent_payload(c: connection, icmp: icmp_conn, payload: string)
+event icmp_sent_payload(c: connection, info: icmp_info, payload: string)
 {
- print "icmp_sent_payload", c$id, icmp, |payload|;
+ print "icmp_sent_payload", c$id, info, |payload|;
 }
diff --git a/testing/btest/core/tunnels/gre-erspan3-dot1q.zeek b/testing/btest/core/tunnels/gre-erspan3-dot1q.zeek
index 1b572a007a..caeb9cfc2d 100644
--- a/testing/btest/core/tunnels/gre-erspan3-dot1q.zeek
+++ b/testing/btest/core/tunnels/gre-erspan3-dot1q.zeek
@@ -1,12 +1,12 @@
 # @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-erspan3-dot1q.pcap %INPUT > out
 # @TEST-EXEC: btest-diff out
 
-event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
 {
 print "echo request", id, seq;
 }
 
-event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
 {
 print "echo reply", id, seq;
 }