btest/websocket: Test for coalesced reply-ping

Add a constructed PCAP where the HTTP/websocket server send a WebSocket
ping message directly with the packet of the HTTP reply. Ensure this is
interpreted the same as if the WebSocket message is in a separate packet
following the HTTP reply.

For the server side this should work, for the client side we'd need to
synchronize suspend parsing the client side as we currently cannot quite
know whether it's a pipelined HTTP request following, or upgraded protocol
data and we don't have "suspend parsing" functionality here.

testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek

@@ -0,0 +1,33 @@
+# @TEST-DOC: The reply-ping-coalesced pcap contains a WebSocket ping message right after the HTTP reply, in the same packet.
+
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/reply-ping-separate.pcap %INPUT >>out-separate
+# @TEST-EXEC: test ! -f weird.log
+#
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/reply-ping-coalesced.pcap %INPUT >>out-coalesced
+# @TEST-EXEC: btest-diff out-separate
+# @TEST-EXEC: btest-diff out-coalesced
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: diff out-separate out-coalesced
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/protocols/websocket
+
+event websocket_handshake(c: connection, aid: count)
+	{
+	print "websocket_handshake", c$uid, aid;
+	}
+
+event websocket_frame(c: connection, is_orig: bool, fin: bool, rsv: count, opcode: count, payload_len: count)
+	{
+	print "websocket_frame", c$uid, is_orig, "fin", fin, "rsv", rsv, "opcode", WebSocket::opcodes[opcode], "payload_len", payload_len;
+	}
+
+event websocket_frame_data(c: connection, is_orig: bool, data: string)
+	{
+	print "websocket_frame_data", c$uid, is_orig, "len", |data|, "data", data[:120];
+	}
+
+event websocket_close(c: connection, is_orig: bool, status: count, reason: string)
+	{
+	print "websocket_close", c$uid, is_orig, "status", status, "reason", reason;
+	}