diff --git a/src/Sessions.cc b/src/Sessions.cc
index 77ccd7aeb6..1e0068acec 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -353,7 +353,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 uint32 len = ip_hdr->TotalLen();
 if ( hdr->len < len + hdr_size )
 {
- Weird("truncated_IP", hdr, pkt);
+ Weird("truncated_IP", hdr, pkt, encapsulation);
 return;
 }
 
@@ -365,7 +365,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 if ( ! ignore_checksums && ip4 &&
 ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
 {
- Weird("bad_IP_checksum", hdr, pkt);
+ Weird("bad_IP_checksum", hdr, pkt, encapsulation);
 return;
 }
 
@@ -380,7 +380,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 if ( caplen < len )
 {
- Weird("incompletely_captured_fragment", ip_hdr);
+ Weird("incompletely_captured_fragment", ip_hdr, encapsulation);
 
 // Don't try to reassemble, that's doomed.
 // Discard all except the first fragment (which
@@ -432,7 +432,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff )
 {
- Weird("bad_MH_checksum", hdr, pkt);
+ Weird("bad_MH_checksum", hdr, pkt, encapsulation);
 Remove(f);
 return;
 }
@@ -445,7 +445,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 }
 
 if ( ip_hdr->NextProto() != IPPROTO_NONE )
- Weird("mobility_piggyback", hdr, pkt);
+ Weird("mobility_piggyback", hdr, pkt, encapsulation);
 
 Remove(f);
 return;
@@ -454,7 +454,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 int proto = ip_hdr->NextProto();
 
- if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) )
+ if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt, encapsulation) )
 {
 Remove(f);
 return;
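Review bot: The weird raised here is no longer reported under a fixed name: with `encapsulation` passed through, the `Weird` overloads changed later in this diff append `_in_tunnel` whenever the packet came out of a tunnel, and the same holds for every other `Weird(...)` and `CheckHeaderTrunc(...)` call this commit touches in `DoNextPacket`. Consumers that match weird names exactly (action tables, notice policy, saved log searches) will see `truncated_IP_in_tunnel`, `bad_IP_checksum_in_tunnel` and so on as unknown names, and the only baseline updated in the part of the commit shown is for `truncated_header_in_tunnel`. A comment at the first call site such as `// reported as "<name>_in_tunnel" when encapsulation names a tunnel`, plus an entry for each new name wherever weird names are documented, would make the rename visible. `DoNextPacket` begins and ends outside this hunk.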
@@ -525,7 +525,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 {
 if ( ! BifConst::Tunnel::enable_ip )
 {
- reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "IP_tunnel");
+ Weird("IP_tunnel", ip_hdr, encapsulation);
 Remove(f);
 return;
 }
@@ -533,7 +533,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 if ( encapsulation &&
 encapsulation->Depth() >= BifConst::Tunnel::max_depth )
 {
- reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "tunnel_depth");
+ Weird("tunnel_depth", ip_hdr, encapsulation);
 Remove(f);
 return;
 }
@@ -543,11 +543,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 int result = ParseIPPacket(caplen, data, proto, inner);
 
 if ( result < 0 )
- reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
- "truncated_inner_IP");
+ Weird("truncated_inner_IP", ip_hdr, encapsulation);
 else if ( result > 0 )
- reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
- "inner_IP_payload_mismatch");
+ Weird("inner_IP_payload_mismatch", ip_hdr, encapsulation);
 
 if ( result != 0 )
 {
@@ -599,7 +597,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 }
 
 default:
- Weird(fmt("unknown_protocol_%d", proto), hdr, pkt);
+ Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation);
 Remove(f);
 return;
 }
@@ -746,7 +744,8 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
 }
 
 bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
- const struct pcap_pkthdr* h, const u_char* p)
+ const struct pcap_pkthdr* h,
+ const u_char* p, const Encapsulation* encap)
 {
 uint32 min_hdr_len = 0;
 switch ( proto ) {
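Review bot: `Weird("tunnel_depth", ip_hdr, encapsulation)` is reached only when `encapsulation` is non-null and `encapsulation->Depth() >= BifConst::Tunnel::max_depth`, so unless `LastType()` can be `NONE` on a non-empty stack this weird will now be emitted as `tunnel_depth_in_tunnel` and practically never as `tunnel_depth`. That silently retires a name existing detections may key on, for an event that is about tunnels by definition. Keeping the plain name with `Weird("tunnel_depth", ip_hdr);` looks safer; the same question applies to `IP_tunnel` in the preceding hunk when tunnels are nested.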
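Review bot: `Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation)` hands the result of `fmt()` to a function that, per the `Weird` hunk later in this diff, calls `fmt("%s_in_tunnel", name)` on it. If `fmt()` formats into a single shared static buffer (worth confirming in its definition, which is not shown here), the inner call reads `name` from the very buffer it is writing to, which is undefined behaviour for the `printf` family. Building the suffixed name in storage owned by `Weird` avoids the aliasing, e.g. `std::string tagged = std::string(name) + "_in_tunnel";` followed by `reporter->Weird(tagged.c_str());`.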
@@ -775,13 +774,13 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
 
 if ( len < min_hdr_len )
 {
- Weird("truncated_header", h, p);
+ Weird("truncated_header", h, p, encap);
 return true;
 }
 
 if ( caplen < min_hdr_len )
 {
- Weird("internally_truncated_header", h, p);
+ Weird("internally_truncated_header", h, p, encap);
 return true;
 }
 
@@ -1298,18 +1297,26 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
 reporter->InternalError("%s", msg);
 }
 
-void NetSessions::Weird(const char* name,
- const struct pcap_pkthdr* hdr, const u_char* pkt)
+void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
+ const u_char* pkt, const Encapsulation* encap)
 {
 if ( hdr )
 dump_this_packet = 1;
 
- reporter->Weird(name);
+ if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
+ reporter->Weird(fmt("%s_in_tunnel", name));
+ else
+ reporter->Weird(name);
 }
 
-void NetSessions::Weird(const char* name, const IP_Hdr* ip)
+void NetSessions::Weird(const char* name, const IP_Hdr* ip,
+ const Encapsulation* encap)
 {
- reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
+ if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
+ reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
+ fmt("%s_in_tunnel", name));
+ else
+ reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
 }
 
 unsigned int NetSessions::ConnectionMemoryUsage()
diff --git a/src/Sessions.h b/src/Sessions.h
index b98fc7e432..28f331212b 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -108,9 +108,10 @@ public:
 
 void GetStats(SessionStats& s) const;
 
- void Weird(const char* name,
- const struct pcap_pkthdr* hdr, const u_char* pkt);
- void Weird(const char* name, const IP_Hdr* ip);
+ void Weird(const char* name, const struct pcap_pkthdr* hdr,
+ const u_char* pkt, const Encapsulation* encap = 0);
+ void Weird(const char* name, const IP_Hdr* ip,
+ const Encapsulation* encap = 0);
 
 PacketFilter* GetPacketFilter()
 {
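Review bot: The test `encap && encap->LastType() != BifEnum::Tunnel::NONE` and the `"%s_in_tunnel"` format are written out in both `Weird` overloads, so the naming rule can drift between the packet-level and the address-level variant. A small file-local helper, for instance `static bool in_tunnel(const Encapsulation* e) { return e && e->LastType() != BifEnum::Tunnel::NONE; }`, keeps the rule in one place. It also gives the rule a single spot for a comment stating what the suffix means to consumers of the weird stream.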
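Review bot: Both `Weird` declarations give `encap` a default of `0`, so any caller that is not updated still compiles and reports the un-suffixed name even when it runs on a decapsulated packet; `CheckHeaderTrunc`, as changed in this commit, takes `encap` without a default and does not have this gap. If the default is kept for source compatibility, the declaration should say what omitting it means, e.g. `// encap: tunnel context of the packet, or 0 if none; when it names a tunnel the weird is reported as "<name>_in_tunnel".` The class body starts and ends outside this hunk.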
@@ -231,7 +232,8 @@ protected:
 // from lower-level headers or the length actually captured is less
 // than that protocol's minimum header size.
 bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
- const struct pcap_pkthdr* hdr, const u_char* pkt);
+ const struct pcap_pkthdr* hdr, const u_char* pkt,
+ const Encapsulation* encap);
 
 CompositeHash* ch;
 PDict(Connection) tcp_conns;
diff --git a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log
index d2bafa0384..989b7beede 100644
--- a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log
+++ b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log
@@ -5,15 +5,15 @@ #path weird #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string -1258567191.405770 - - - - - truncated_header - F bro +1258567191.405770 - - - - - truncated_header_in_tunnel - F bro 1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 Teredo_payload_len_mismatch - F bro -1258578181.260420 - - - - - truncated_header - F bro +1258578181.260420 - - - - - truncated_header_in_tunnel - F bro 1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro -1258579063.557927 - - - - - truncated_header - F bro +1258579063.557927 - - - - - truncated_header_in_tunnel - F bro 1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 Teredo_payload_len_mismatch - F bro -1258581768.568451 - - - - - truncated_header - F bro +1258581768.568451 - - - - - truncated_header_in_tunnel - F bro 1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 Teredo_payload_len_mismatch - F bro -1258584478.859853 - - - - - truncated_header - F bro +1258584478.859853 - - - - - truncated_header_in_tunnel - F bro 1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 Teredo_payload_len_mismatch - F bro -1258600683.934458 - - - - - truncated_header - F bro +1258600683.934458 - - - - - truncated_header_in_tunnel - F bro 1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro