Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

QUIC: Parse all QUIC packets in a UDP datagram

Browse source 
A UDP datagram may contain multiple QUIC packets, but the parser so far
handled only the very first packet, ignoring any subsequent packets.

Fixes #4198
This commit is contained in:
Arne Welzel 2025-01-31 14:22:13 +01:00
parent 744917aa69
commit 6a14e64a17
15 changed files with 57 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISishH
#close XXXX-XX-XX-XX-XX-XX

3
testing/btest/Baseline/scripts.base.protocols.quic.events/out
View file

@ -4,17 +4,20 @@
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11,
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735,
1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06,
zerortt.pcap
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840,
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac,
1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400,
1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc,
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751
1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,

2
testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishIH
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishhIH
#close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log
View file

@ -8,5 +8,5 @@
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf (empty) - server4:443 hq-interop ISr
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishIH
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishhIH
#close XXXX-XX-XX-XX-XX-XX

4
testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log
View file

@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishIH
1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishhIH
#close XXXX-XX-XX-XX-XX-XX

3
testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut Normal file
View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid history service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl

11
testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path quic
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 1 f21fdf87f736f235846c7f460ca017 1b3ff910 eab5f6f4 - h3 ISishhIH
#close XXXX-XX-XX-XX-XX-XX

11
testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert
#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 - F - - F Cs - - -
#close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishH
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishhH
#close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIisIH
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIishIH
#close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
#types time string addr port addr port string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishIHH
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishhIHH
#close XXXX-XX-XX-XX-XX-XX

3
testing/btest/Traces/README
View file

@ -38,3 +38,6 @@ Trace Index/Sources:
- http/docker-http-upgrade.pcap
Provided by blightzero on #4068
https://github.com/zeek/zeek/issues/4068
- quic/merlinc2_Zeek_example.pcapng
Provided by Faan Rossouw on #4198
https://github.com/zeek/zeek/issues/4198

BIN
testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng Normal file
View file

Binary file not shown.

8
testing/btest/scripts/base/protocols/quic/merlinc2.zeek Normal file
View file

@ -0,0 +1,8 @@
# @TEST-DOC: Test PCAP for Merlin C2 from issue #4198
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic
# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
# @TEST-EXEC: btest-diff conn.log.cut
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff quic.log