btest/websocket: Test for coalesced reply-ping

Add a constructed PCAP where the HTTP/websocket server send a WebSocket
ping message directly with the packet of the HTTP reply. Ensure this is
interpreted the same as if the WebSocket message is in a separate packet
following the HTTP reply.

For the server side this should work, for the client side we'd need to
synchronize suspend parsing the client side as we currently cannot quite
know whether it's a pipelined HTTP request following, or upgraded protocol
data and we don't have "suspend parsing" functionality here.

testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+websocket_handshake, CHhAvVGS1DHFjwGM9, 7
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, text, payload_len, 11
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek!
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, text, payload_len, 12
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 12, data, Hello there!
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8

testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+websocket_handshake, CHhAvVGS1DHFjwGM9, 7
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, text, payload_len, 11
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek!
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, text, payload_len, 12
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 12, data, Hello there!
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8

testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	45838	127.0.0.1	8080	protocol_data_with_HTTP_upgrade_reply	6	F	zeek	HTTP
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek

@@ -0,0 +1,33 @@
+# @TEST-DOC: The reply-ping-coalesced pcap contains a WebSocket ping message right after the HTTP reply, in the same packet.
+
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/reply-ping-separate.pcap %INPUT >>out-separate
+# @TEST-EXEC: test ! -f weird.log
+#
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/reply-ping-coalesced.pcap %INPUT >>out-coalesced
+# @TEST-EXEC: btest-diff out-separate
+# @TEST-EXEC: btest-diff out-coalesced
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: diff out-separate out-coalesced
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/protocols/websocket
+
+event websocket_handshake(c: connection, aid: count)
+	{
+	print "websocket_handshake", c$uid, aid;
+	}
+
+event websocket_frame(c: connection, is_orig: bool, fin: bool, rsv: count, opcode: count, payload_len: count)
+	{
+	print "websocket_frame", c$uid, is_orig, "fin", fin, "rsv", rsv, "opcode", WebSocket::opcodes[opcode], "payload_len", payload_len;
+	}
+
+event websocket_frame_data(c: connection, is_orig: bool, data: string)
+	{
+	print "websocket_frame_data", c$uid, is_orig, "len", |data|, "data", data[:120];
+	}
+
+event websocket_close(c: connection, is_orig: bool, status: count, reason: string)
+	{
+	print "websocket_close", c$uid, is_orig, "status", status, "reason", reason;
+	}