Extract ICMPv6 NDP options and include in ICMP events (addresses #833).

This adds a new parameter of type "icmp6_nd_options" to the ICMPv6
neighbor discovery events (icmp_redirect, icmp_router_solicitation,
icmp_router_advertisement, icmp_neighbor_solicitation,
icmp_neighbor_advertisement); the new parameter carries the data
extracted from all neighbor discovery options (RFC 4861) that are
present in the ICMPv6 message.
Jon Siwek 2012-06-26 16:59:56 -05:00
parent c3b9a2a29c
commit 9ae9b2aa4d
10 changed files with 321 additions and 39 deletions


@ -41,6 +41,7 @@ icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
icmp_redirect (tgt=fe80::cafe, dest=fe80::babe)
conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=137, icode=0, len=32, hlim=255, v6=T]
options: []
icmp_router_advertisement
cur_hop_limit=13
managed=T
@ -54,15 +55,19 @@ icmp_router_advertisement
retrans_timer=1.0 sec 300.0 msecs
conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=134, icode=0, len=8, hlim=255, v6=T]
options: []
icmp_neighbor_advertisement (tgt=fe80::babe)
router=T
solicited=F
override=T
conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=136, icode=0, len=16, hlim=255, v6=T]
options: []
icmp_router_solicitation
conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=133, icode=0, len=0, hlim=255, v6=T]
options: []
icmp_neighbor_solicitation (tgt=fe80::babe)
conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=135, icode=0, len=16, hlim=255, v6=T]
options: []


@ -0,0 +1,28 @@
icmp_redirect options
[otype=4, len=8, link_address=<uninitialized>, prefix=<uninitialized>, redirect=[id=[orig_h=fe80::aaaa, orig_p=30000/udp, resp_h=fe80::bbbb, resp_p=13000/udp], len=56, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F], mtu=<uninitialized>, payload=<uninitialized>]
icmp_neighbor_advertisement options
[otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
icmp_neighbor_advertisement options
[otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]

Binary file not shown.

Binary file not shown.


@ -66,11 +66,12 @@ event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, contex
print " icmp_context: " + fmt("%s", context);
}
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr)
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
{
print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " options: " + fmt("%s", options);
}
event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
@ -81,14 +82,15 @@ event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: i
print " icmp_context: " + fmt("%s", context);
}
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr)
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
{
print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " options: " + fmt("%s", options);
}
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr)
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
{
print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")";
print " router=" + fmt("%s", router);
@ -96,16 +98,18 @@ event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool,
print " override=" + fmt("%s", override);
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " options: " + fmt("%s", options);
}
event icmp_router_solicitation(c: connection, icmp: icmp_conn)
event icmp_router_solicitation(c: connection, icmp: icmp_conn, options: icmp6_nd_options)
{
print "icmp_router_solicitation";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " options: " + fmt("%s", options);
}
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval)
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
{
print "icmp_router_advertisement";
print " cur_hop_limit=" + fmt("%s", cur_hop_limit);
@ -120,4 +124,5 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c
print " retrans_timer=" + fmt("%s", retrans_timer);
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " options: " + fmt("%s", options);
}
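Review bot: The new `options` parameter on icmp_neighbor_solicitation and icmp_router_solicitation is never exercised with a non-empty vector in this commit: the baseline for this trace prints `options: []` for every one of the five events, and the icmp6-nd-options script that follows, as far as it is visible, only installs handlers for icmp_router_advertisement, icmp_neighbor_advertisement and icmp_redirect. Since the otype=1 (source link-layer address) option is what a solicitation normally carries, it would be worth either extending the icmp6-nd-options.pcap case with a solicitation that includes that option or adding handlers for the two solicitation events to that script, so the extraction path for solicitations is pinned by a baseline rather than only by the advertisement cases. The event handlers changed in these hunks are complete within them, but the script's earlier handlers start before the first hunk.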

View file

@ -0,0 +1,35 @@
# These tests all check that ICMP6 events get raised with correct arguments.
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-redirect-hdr-opt.pcap %INPUT >>output 2>&1
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-nd-options.pcap %INPUT >>output 2>&1
# @TEST-EXEC: btest-diff output
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
{
print "icmp_router_advertisement options";
for ( o in options )
{
print fmt(" %s", options[o]);
if ( options[o]$otype == 1 && options[o]?$link_address )
print fmt(" MAC: %s",
string_to_ascii_hex(options[o]$link_address));
}
}
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
{
print "icmp_neighbor_advertisement options";
for ( o in options )
{
print fmt(" %s", options[o]);
if ( options[o]$otype == 2 && options[o]?$link_address ) print fmt(" MAC: %s", string_to_ascii_hex(options[o]$link_address));
}
}
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
{
print "icmp_redirect options";
for ( o in options )
print fmt(" %s", options[o]);
}