mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
Extract ICMPv6 NDP options and include in ICMP events (addresses #833).
This adds a new parameter of type "icmp6_nd_options" to the ICMPv6 neighbor discovery events (icmp_redirect, icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement) which includes data extracted from all neighbor discovery options (RFC 4861) that are present in the ICMPv6 message.
This commit is contained in:
Jon Siwek
parent
c3b9a2a29c
commit
9ae9b2aa4d
10 changed files with 321 additions and 39 deletions
|
|
@ -115,6 +115,61 @@ type icmp_context: record {
|
|||
DF: bool; ##< True if the packets *don't fragment* flag is set.
|
||||
};
|
||||
|
||||
## Values extracted from a Prefix Information option in an ICMPv6 neighbor
|
||||
## discovery message as specified by :rfc:`4861`.
|
||||
##
|
||||
## .. bro:see:: icmp6_nd_option
|
||||
type icmp6_nd_prefix_info: record {
|
||||
## Number of leading bits of the *prefix* that are valid.
|
||||
prefix_len: count;
|
||||
## Flag indicating the prefix can be used for on-link determination.
|
||||
L_flag: bool;
|
||||
## Autonomous address-configuration flag.
|
||||
A_flag: bool;
|
||||
## Length of time in seconds that the prefix is valid for purpose of
|
||||
## on-link determination (0xffffffff represents infinity).
|
||||
valid_lifetime: interval;
|
||||
## Length of time in seconds that the addresses generated from the prefix
|
||||
## via stateless address autoconfiguration remain preferred
|
||||
## (0xffffffff represents infinity).
|
||||
preferred_lifetime: interval;
|
||||
## An IP address or prefix of an IP address. Use the *prefix_len* field
|
||||
## to convert this into a :bro:type:`subnet`.
|
||||
prefix: addr;
|
||||
};
|
||||
|
||||
## Options extracted from ICMPv6 neighbor discovery messages as specified
|
||||
## by :rfc:`4861`.
|
||||
##
|
||||
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
|
||||
## icmp_neighbor_advertisement icmp_neighbor_solicitation icmp_redirect
|
||||
## icmp6_nd_options
|
||||
type icmp6_nd_option: record {
|
||||
## 8-bit identifier of the type of option.
|
||||
otype: count;
|
||||
## 8-bit integer representing the length of the option (including the type
|
||||
## and length fields) in units of 8 octets.
|
||||
len: count;
|
||||
## Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2).
|
||||
## Byte ordering of this is dependent on the actual link-layer.
|
||||
link_address: string &optional;
|
||||
## Prefix Information (Type 3).
|
||||
prefix: icmp6_nd_prefix_info &optional;
|
||||
## Redirected header (Type 4). This field contains the context of the
|
||||
## original, redirected packet.
|
||||
redirect: icmp_context &optional;
|
||||
## Recommended MTU for the link (Type 5).
|
||||
mtu: count &optional;
|
||||
## The raw data of the option (everything after type & length fields),
|
||||
## useful for unknown option types or when the full option payload is
|
||||
## truncated in the captured packet. In those cases, option fields
|
||||
## won't be pre-extracted into the fields above.
|
||||
payload: string &optional;
|
||||
};
|
||||
|
||||
## A type alias for a vector of ICMPv6 neighbor discovery message options.
|
||||
type icmp6_nd_options: vector of icmp6_nd_option;
|
||||
|
||||
# A DNS mapping between IP address and hostname resolved by Bro's internal
|
||||
# resolver.
|
||||
#
|
||||
|
|
|
|||
193
src/ICMP.cc
193
src/ICMP.cc
|
|
@ -169,8 +169,10 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
|
|||
NeighborSolicit(t, icmpp, len, caplen, data, ip_hdr);
|
||||
break;
|
||||
case ND_ROUTER_SOLICIT:
|
||||
RouterSolicit(t, icmpp, len, caplen, data, ip_hdr);
|
||||
break;
|
||||
case ICMP6_ROUTER_RENUMBERING:
|
||||
Router(t, icmpp, len, caplen, data, ip_hdr);
|
||||
ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr);
|
||||
break;
|
||||
|
||||
#if 0
|
||||
|
|
@ -515,9 +517,11 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
|
|||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
|
||||
{
|
||||
EventHandlerPtr f = icmp_router_advertisement;
|
||||
uint32 reachable, retrans;
|
||||
uint32 reachable = 0, retrans = 0;
|
||||
|
||||
if ( caplen >= (int)sizeof(reachable) )
|
||||
memcpy(&reachable, data, sizeof(reachable));
|
||||
if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) )
|
||||
memcpy(&retrans, data + sizeof(reachable), sizeof(retrans));
|
||||
|
||||
val_list* vl = new val_list;
|
||||
|
|
@ -534,6 +538,9 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
|
|||
vl->append(new IntervalVal((double)ntohl(reachable), Milliseconds));
|
||||
vl->append(new IntervalVal((double)ntohl(retrans), Milliseconds));
|
||||
|
||||
int opt_offset = sizeof(reachable) + sizeof(retrans);
|
||||
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
|
||||
|
||||
ConnectionEvent(f, vl);
|
||||
}
|
||||
|
||||
|
|
@ -542,9 +549,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
|
|||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
|
||||
{
|
||||
EventHandlerPtr f = icmp_neighbor_advertisement;
|
||||
in6_addr tgtaddr;
|
||||
IPAddr tgtaddr;
|
||||
|
||||
memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
|
||||
if ( caplen >= (int)sizeof(in6_addr) )
|
||||
tgtaddr = IPAddr(*((const in6_addr*)data));
|
||||
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
|
|
@ -552,7 +560,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
|
|||
vl->append(new Val(icmpp->icmp_num_addrs & 0x80, TYPE_BOOL)); // Router
|
||||
vl->append(new Val(icmpp->icmp_num_addrs & 0x40, TYPE_BOOL)); // Solicited
|
||||
vl->append(new Val(icmpp->icmp_num_addrs & 0x20, TYPE_BOOL)); // Override
|
||||
vl->append(new AddrVal(IPAddr(tgtaddr)));
|
||||
vl->append(new AddrVal(tgtaddr));
|
||||
|
||||
int opt_offset = sizeof(in6_addr);
|
||||
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
|
||||
|
||||
ConnectionEvent(f, vl);
|
||||
}
|
||||
|
|
@ -562,14 +573,18 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
|
|||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
|
||||
{
|
||||
EventHandlerPtr f = icmp_neighbor_solicitation;
|
||||
in6_addr tgtaddr;
|
||||
IPAddr tgtaddr;
|
||||
|
||||
memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
|
||||
if ( caplen >= (int)sizeof(in6_addr) )
|
||||
tgtaddr = IPAddr(*((const in6_addr*)data));
|
||||
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
|
||||
vl->append(new AddrVal(IPAddr(tgtaddr)));
|
||||
vl->append(new AddrVal(tgtaddr));
|
||||
|
||||
int opt_offset = sizeof(in6_addr);
|
||||
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
|
||||
|
||||
ConnectionEvent(f, vl);
|
||||
}
|
||||
|
|
@ -579,40 +594,35 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
|
|||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
|
||||
{
|
||||
EventHandlerPtr f = icmp_redirect;
|
||||
in6_addr tgtaddr, dstaddr;
|
||||
IPAddr tgtaddr, dstaddr;
|
||||
|
||||
memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
|
||||
memcpy(&dstaddr.s6_addr, data + sizeof(tgtaddr.s6_addr), sizeof(dstaddr.s6_addr));
|
||||
if ( caplen >= (int)sizeof(in6_addr) )
|
||||
tgtaddr = IPAddr(*((const in6_addr*)data));
|
||||
if ( caplen >= 2 * (int)sizeof(in6_addr) )
|
||||
dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
|
||||
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
|
||||
vl->append(new AddrVal(IPAddr(tgtaddr)));
|
||||
vl->append(new AddrVal(IPAddr(dstaddr)));
|
||||
vl->append(new AddrVal(tgtaddr));
|
||||
vl->append(new AddrVal(dstaddr));
|
||||
|
||||
int opt_offset = 2 * sizeof(in6_addr);
|
||||
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
|
||||
|
||||
ConnectionEvent(f, vl);
|
||||
}
|
||||
|
||||
|
||||
void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len,
|
||||
void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
|
||||
{
|
||||
EventHandlerPtr f = 0;
|
||||
|
||||
switch ( icmpp->icmp_type )
|
||||
{
|
||||
case ND_ROUTER_SOLICIT:
|
||||
f = icmp_router_solicitation;
|
||||
break;
|
||||
case ICMP6_ROUTER_RENUMBERING:
|
||||
default:
|
||||
ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr);
|
||||
return;
|
||||
}
|
||||
EventHandlerPtr f = icmp_router_solicitation;
|
||||
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
|
||||
vl->append(BuildNDOptionsVal(caplen, data));
|
||||
|
||||
ConnectionEvent(f, vl);
|
||||
}
|
||||
|
|
@ -685,6 +695,137 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
|
|||
}
|
||||
}
|
||||
|
||||
VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
|
||||
{
|
||||
static RecordType* icmp6_nd_option_type = 0;
|
||||
static RecordType* icmp6_nd_prefix_info_type = 0;
|
||||
if ( ! icmp6_nd_option_type )
|
||||
{
|
||||
icmp6_nd_option_type = internal_type("icmp6_nd_option")->AsRecordType();
|
||||
icmp6_nd_prefix_info_type =
|
||||
internal_type("icmp6_nd_prefix_info")->AsRecordType();
|
||||
}
|
||||
|
||||
VectorVal* vv = new VectorVal(
|
||||
internal_type("icmp6_nd_options")->AsVectorType());
|
||||
|
||||
while ( caplen > 0 )
|
||||
{
|
||||
// Must have at least type & length to continue parsing options.
|
||||
if ( caplen < 2 )
|
||||
{
|
||||
Weird("truncated_ICMPv6_ND_options");
|
||||
break;
|
||||
}
|
||||
|
||||
uint8 type = *((const uint8*)data);
|
||||
uint8 length = *((const uint8*)(data + 1));
|
||||
|
||||
if ( length == 0 )
|
||||
{
|
||||
Weird("zero_length_ICMPv6_ND_option");
|
||||
break;
|
||||
}
|
||||
|
||||
RecordVal* rv = new RecordVal(icmp6_nd_option_type);
|
||||
rv->Assign(0, new Val(type, TYPE_COUNT));
|
||||
rv->Assign(1, new Val(length, TYPE_COUNT));
|
||||
|
||||
// adjust length to be in units of bytes, exclude type/length fields
|
||||
length = length * 8 - 2;
|
||||
|
||||
data += 2;
|
||||
caplen -= 2;
|
||||
|
||||
bool set_payload_field = false;
|
||||
// Only parse out known options that are there in full.
|
||||
switch ( type ) {
|
||||
case 1:
|
||||
case 2:
|
||||
// Source/Target Link-layer Address option
|
||||
{
|
||||
if ( caplen >= length )
|
||||
{
|
||||
BroString* link_addr = new BroString(data, length, 0);
|
||||
rv->Assign(2, new StringVal(link_addr));
|
||||
}
|
||||
else
|
||||
set_payload_field = true;
|
||||
}
|
||||
break;
|
||||
|
||||
case 3:
|
||||
// Prefix Information option
|
||||
{
|
||||
if ( caplen >= 30 )
|
||||
{
|
||||
RecordVal* info = new RecordVal(icmp6_nd_prefix_info_type);
|
||||
uint8 prefix_len = *((const uint8*)(data));
|
||||
bool L_flag = (*((const uint8*)(data + 1)) & 0x80) != 0;
|
||||
bool A_flag = (*((const uint8*)(data + 1)) & 0x40) != 0;
|
||||
uint32 valid_life = *((const uint32*)(data + 2));
|
||||
uint32 prefer_life = *((const uint32*)(data + 6));
|
||||
in6_addr prefix = *((const in6_addr*)(data + 14));
|
||||
info->Assign(0, new Val(prefix_len, TYPE_COUNT));
|
||||
info->Assign(1, new Val(L_flag, TYPE_BOOL));
|
||||
info->Assign(2, new Val(A_flag, TYPE_BOOL));
|
||||
info->Assign(3, new IntervalVal((double)ntohl(valid_life), Seconds));
|
||||
info->Assign(4, new IntervalVal((double)ntohl(prefer_life), Seconds));
|
||||
info->Assign(5, new AddrVal(IPAddr(prefix)));
|
||||
rv->Assign(3, info);
|
||||
}
|
||||
else
|
||||
set_payload_field = true;
|
||||
}
|
||||
break;
|
||||
|
||||
case 4:
|
||||
// Redirected Header option
|
||||
{
|
||||
if ( caplen >= length )
|
||||
{
|
||||
const u_char* hdr = data + 6;
|
||||
rv->Assign(4, ExtractICMP6Context(length - 6, hdr));
|
||||
}
|
||||
else
|
||||
set_payload_field = true;
|
||||
}
|
||||
break;
|
||||
|
||||
case 5:
|
||||
// MTU option
|
||||
{
|
||||
if ( caplen >= 6 )
|
||||
rv->Assign(5, new Val(ntohl(*((const uint32*)(data + 2))),
|
||||
TYPE_COUNT));
|
||||
else
|
||||
set_payload_field = true;
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
{
|
||||
set_payload_field = true;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
if ( set_payload_field )
|
||||
{
|
||||
BroString* payload =
|
||||
new BroString(data, min((int)length, caplen), 0);
|
||||
rv->Assign(6, new StringVal(payload));
|
||||
}
|
||||
|
||||
data += length;
|
||||
caplen -= length;
|
||||
|
||||
vv->Assign(vv->Size(), rv, 0);
|
||||
}
|
||||
|
||||
return vv;
|
||||
}
|
||||
|
||||
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
|
||||
{
|
||||
is_one_way = false;
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ protected:
|
|||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
|
||||
void NeighborSolicit(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
|
||||
void Router(double t, const struct icmp* icmpp, int len,
|
||||
void RouterSolicit(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
|
||||
|
||||
void Describe(ODesc* d) const;
|
||||
|
|
@ -75,6 +75,9 @@ protected:
|
|||
void Context6(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr);
|
||||
|
||||
// RFC 4861 Neighbor Discover message options
|
||||
VectorVal* BuildNDOptionsVal(int caplen, const u_char* data);
|
||||
|
||||
RecordVal* icmp_conn_val;
|
||||
int type;
|
||||
int code;
|
||||
|
|
|
|||
|
|
@ -1054,9 +1054,11 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte
|
|||
## icmp: Additional ICMP-specific information augmenting the standard connection
|
||||
## record *c*.
|
||||
##
|
||||
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
|
||||
##
|
||||
## .. bro:see:: icmp_router_advertisement
|
||||
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
|
||||
event icmp_router_solicitation%(c: connection, icmp: icmp_conn%);
|
||||
event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
|
||||
|
||||
## Generated for ICMP *router advertisement* messages.
|
||||
##
|
||||
|
|
@ -1090,9 +1092,11 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn%);
|
|||
##
|
||||
## retrans_timer: How long a host should wait before retransmitting.
|
||||
##
|
||||
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
|
||||
##
|
||||
## .. bro:see:: icmp_router_solicitation
|
||||
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
|
||||
event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval%);
|
||||
event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
|
||||
|
||||
## Generated for ICMP *neighbor solicitation* messages.
|
||||
##
|
||||
|
|
@ -1107,9 +1111,11 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit:
|
|||
##
|
||||
## tgt: The IP address of the target of the solicitation.
|
||||
##
|
||||
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
|
||||
##
|
||||
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
|
||||
## icmp_neighbor_advertisement icmp_redirect
|
||||
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt:addr%);
|
||||
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
|
||||
|
||||
## Generated for ICMP *neighbor advertisement* messages.
|
||||
##
|
||||
|
|
@ -1131,9 +1137,11 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt:addr%);
|
|||
## tgt: the Target Address in the soliciting message or the address whose
|
||||
## link-layer address has changed for unsolicited adverts.
|
||||
##
|
||||
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
|
||||
##
|
||||
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
|
||||
## icmp_neighbor_solicitation icmp_redirect
|
||||
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt:addr%);
|
||||
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
|
||||
|
||||
## Generated for ICMP *redirect* messages.
|
||||
##
|
||||
|
|
@ -1151,9 +1159,11 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool,
|
|||
##
|
||||
## dest: The address of the destination which is redirected to the target.
|
||||
##
|
||||
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
|
||||
##
|
||||
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
|
||||
## icmp_neighbor_solicitation icmp_neighbor_advertisement
|
||||
event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%);
|
||||
event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
|
||||
|
||||
## Generated when a TCP connection terminated, passing on statistics about the
|
||||
## two endpoints. This event is always generated when Bro flushes the internal
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
|
|||
icmp_redirect (tgt=fe80::cafe, dest=fe80::babe)
|
||||
conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp]
|
||||
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=137, icode=0, len=32, hlim=255, v6=T]
|
||||
options: []
|
||||
icmp_router_advertisement
|
||||
cur_hop_limit=13
|
||||
managed=T
|
||||
|
|
@ -54,15 +55,19 @@ icmp_router_advertisement
|
|||
retrans_timer=1.0 sec 300.0 msecs
|
||||
conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp]
|
||||
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=134, icode=0, len=8, hlim=255, v6=T]
|
||||
options: []
|
||||
icmp_neighbor_advertisement (tgt=fe80::babe)
|
||||
router=T
|
||||
solicited=F
|
||||
override=T
|
||||
conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp]
|
||||
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=136, icode=0, len=16, hlim=255, v6=T]
|
||||
options: []
|
||||
icmp_router_solicitation
|
||||
conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp]
|
||||
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=133, icode=0, len=0, hlim=255, v6=T]
|
||||
options: []
|
||||
icmp_neighbor_solicitation (tgt=fe80::babe)
|
||||
conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp]
|
||||
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=135, icode=0, len=16, hlim=255, v6=T]
|
||||
options: []
|
||||
|
|
|
|||
28
testing/btest/Baseline/core.icmp.icmp6-nd-options/output
Normal file
28
testing/btest/Baseline/core.icmp.icmp6-nd-options/output
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
icmp_redirect options
|
||||
[otype=4, len=8, link_address=<uninitialized>, prefix=<uninitialized>, redirect=[id=[orig_h=fe80::aaaa, orig_p=30000/udp, resp_h=fe80::bbbb, resp_p=13000/udp], len=56, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F], mtu=<uninitialized>, payload=<uninitialized>]
|
||||
icmp_neighbor_advertisement options
|
||||
[otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
MAC: c20054f50000
|
||||
icmp_router_advertisement options
|
||||
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
MAC: c20054f50000
|
||||
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
|
||||
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
icmp_neighbor_advertisement options
|
||||
[otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
MAC: c20054f50000
|
||||
icmp_router_advertisement options
|
||||
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
MAC: c20054f50000
|
||||
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
|
||||
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
icmp_router_advertisement options
|
||||
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
MAC: c20054f50000
|
||||
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
|
||||
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
icmp_router_advertisement options
|
||||
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
MAC: c20054f50000
|
||||
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
|
||||
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
|
||||
BIN
testing/btest/Traces/icmp/icmp6-nd-options.pcap
Normal file
BIN
testing/btest/Traces/icmp/icmp6-nd-options.pcap
Normal file
Binary file not shown.
BIN
testing/btest/Traces/icmp/icmp6-redirect-hdr-opt.pcap
Normal file
BIN
testing/btest/Traces/icmp/icmp6-redirect-hdr-opt.pcap
Normal file
Binary file not shown.
|
|
@ -66,11 +66,12 @@ event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, contex
|
|||
print " icmp_context: " + fmt("%s", context);
|
||||
}
|
||||
|
||||
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr)
|
||||
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")";
|
||||
print " conn_id: " + fmt("%s", c$id);
|
||||
print " icmp_conn: " + fmt("%s", icmp);
|
||||
print " options: " + fmt("%s", options);
|
||||
}
|
||||
|
||||
event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
|
||||
|
|
@ -81,14 +82,15 @@ event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: i
|
|||
print " icmp_context: " + fmt("%s", context);
|
||||
}
|
||||
|
||||
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr)
|
||||
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")";
|
||||
print " conn_id: " + fmt("%s", c$id);
|
||||
print " icmp_conn: " + fmt("%s", icmp);
|
||||
print " options: " + fmt("%s", options);
|
||||
}
|
||||
|
||||
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr)
|
||||
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")";
|
||||
print " router=" + fmt("%s", router);
|
||||
|
|
@ -96,16 +98,18 @@ event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool,
|
|||
print " override=" + fmt("%s", override);
|
||||
print " conn_id: " + fmt("%s", c$id);
|
||||
print " icmp_conn: " + fmt("%s", icmp);
|
||||
print " options: " + fmt("%s", options);
|
||||
}
|
||||
|
||||
event icmp_router_solicitation(c: connection, icmp: icmp_conn)
|
||||
event icmp_router_solicitation(c: connection, icmp: icmp_conn, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_router_solicitation";
|
||||
print " conn_id: " + fmt("%s", c$id);
|
||||
print " icmp_conn: " + fmt("%s", icmp);
|
||||
print " options: " + fmt("%s", options);
|
||||
}
|
||||
|
||||
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval)
|
||||
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_router_advertisement";
|
||||
print " cur_hop_limit=" + fmt("%s", cur_hop_limit);
|
||||
|
|
@ -120,4 +124,5 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c
|
|||
print " retrans_timer=" + fmt("%s", retrans_timer);
|
||||
print " conn_id: " + fmt("%s", c$id);
|
||||
print " icmp_conn: " + fmt("%s", icmp);
|
||||
print " options: " + fmt("%s", options);
|
||||
}
|
||||
|
|
|
|||
35
testing/btest/core/icmp/icmp6-nd-options.test
Normal file
35
testing/btest/core/icmp/icmp6-nd-options.test
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
# These tests all check that ICMP6 events get raised with correct arguments.
|
||||
|
||||
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-redirect-hdr-opt.pcap %INPUT >>output 2>&1
|
||||
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-nd-options.pcap %INPUT >>output 2>&1
|
||||
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_router_advertisement options";
|
||||
for ( o in options )
|
||||
{
|
||||
print fmt(" %s", options[o]);
|
||||
if ( options[o]$otype == 1 && options[o]?$link_address )
|
||||
print fmt(" MAC: %s",
|
||||
string_to_ascii_hex(options[o]$link_address));
|
||||
}
|
||||
}
|
||||
|
||||
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_neighbor_advertisement options";
|
||||
for ( o in options )
|
||||
{
|
||||
print fmt(" %s", options[o]);
|
||||
if ( options[o]$otype == 2 && options[o]?$link_address ) print fmt(" MAC: %s", string_to_ascii_hex(options[o]$link_address));
|
||||
}
|
||||
}
|
||||
|
||||
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
|
||||
{
|
||||
print "icmp_redirect options";
|
||||
for ( o in options )
|
||||
print fmt(" %s", options[o]);
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue