Merge remote-tracking branch 'origin/topic/timw/2132-bpf-filtering-error-messages'

* origin/topic/timw/2132-bpf-filtering-error-messages:
  Remove cmake tests for LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
  Rework the non-pcap version of BPF_Program::Compile
  Add btest that exercises the pcap filter warnings
  Update docs submodule
  Restore reporting messages for pcap filter issues
  Add column to packet_filter.log for failure reason
  Store error message from BPF compilation
  Minor cleanup in BPF filtering code

CHANGES

@@ -1,3 +1,19 @@
+5.2.0-dev.129 | 2022-10-21 12:24:25 -0700
+
+  * Remove cmake tests for LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER (Tim Wojtulewicz, Corelight)
+
+  * Rework the non-pcap version of BPF_Program::Compile (Tim Wojtulewicz, Corelight)
+
+  * Add btest that exercises the pcap filter warnings (Tim Wojtulewicz, Corelight)
+
+  * Restore reporting messages for pcap filter issues (Tim Wojtulewicz, Corelight)
+
+  * Add column to packet_filter.log for failure reason (Tim Wojtulewicz, Corelight)
+
+  * Store error message from BPF compilation (Tim Wojtulewicz, Corelight)
+
+  * Minor cleanup in BPF filtering code (Tim Wojtulewicz, Corelight)
+
 5.2.0-dev.120 | 2022-10-21 10:09:11 -0700
 
   * Reorder includes in Options.cc (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-5.2.0-dev.120
+5.2.0-dev.129

cmake

@@ -1 +1 @@
-Subproject commit e896b86b015b94c991c340b09b2d157c76b8de3c
+Subproject commit 64e9d66969364091b14e772aab342252d8ef1da9

doc

@@ -1 +1 @@
-Subproject commit 654da377039b3ef16320988ce3af0946a46c632f
+Subproject commit c751af2a2792e63d56cc9aaed1f514a8fa5e6f17

scripts/base/frameworks/packet-filter/main.zeek

@@ -48,6 +48,9 @@ export {
 
 		## Indicate if the filter was applied successfully.
 		success: bool  &log &default=T;
+
+		## A string reason why the filter failed to be created/installed.
+		failure_reason: string &log &optional;
 	};
 
 	## The BPF filter that is used by default to define what traffic should
@@ -276,22 +279,33 @@ function install(): bool
 		return F;
 
 	local ts = current_time();
+
 	if ( ! Pcap::precompile_pcap_filter(DefaultPcapFilter, tmp_filter) )
 		{
-		NOTICE([$note=Compile_Failure,
+		local state = Pcap::get_filter_state(DefaultPcapFilter);
-		        $msg=fmt("Compiling packet filter failed"),
+		local error_string : string;
-		        $sub=tmp_filter]);
+		if ( state == Pcap::fatal )
+			{
+			NOTICE([$note=Compile_Failure,
+			        $msg=fmt("Compiling packet filter failed"),
+			        $sub=tmp_filter]);
 
-		local error_string = fmt("Bad pcap filter '%s'", tmp_filter);
+			error_string = fmt("Bad pcap filter '%s': %s", tmp_filter,
+			                   Pcap::get_filter_state_string(DefaultPcapFilter));
 
-		local pkt_src_error : string = Pcap::error();
+			if ( network_time() == 0.0 )
-		if ( pkt_src_error != "no error" )
+				Reporter::fatal(error_string);
-			error_string = pkt_src_error;
+			else
+				Reporter::warning(error_string);
+			}
+		else if ( state == Pcap::warning )
+			{
+			error_string = fmt("Warning while compiling pcap filter '%s': %s",
+			                   tmp_filter,
+			                   Pcap::get_filter_state_string(DefaultPcapFilter));
 
-		if ( network_time() == 0.0 )
-			Reporter::fatal(error_string);
-		else
 			Reporter::warning(error_string);
+			}
 		}
 	local diff = current_time()-ts;
 	if ( diff > max_filter_compile_time )
@@ -317,6 +331,8 @@ function install(): bool
 		{
 		# Installing the filter failed for some reason.
 		info$success = F;
+		info$failure_reason = Pcap::get_filter_state_string(DefaultPcapFilter);
+
 		NOTICE([$note=Install_Failure,
 		        $msg=fmt("Installing packet filter failed"),
 		        $sub=current_filter]);

scripts/base/init-bare.zeek

@@ -5146,6 +5146,13 @@ export {
 	};
 
 	type Interfaces: set[Pcap::Interface];
+
+	## The state of the compilation for a pcap filter.
+	type filter_state: enum {
+		ok,     # no issues encountered
+		fatal,  # fatal issue, something that would prevent zeek from continuing
+		warning # non-fatal issue that should just be logged
+	};
 } # end export
 
 module DCE_RPC;

src/iosource/BPF_Program.cc

@@ -71,15 +71,14 @@ static bool filter_matches_anything(const char* filter)
 	return (! filter) || strlen(filter) == 0 || strcmp(filter, "ip or not ip") == 0;
 	}
 
-BPF_Program::BPF_Program() : m_compiled(), m_matches_anything(false), m_program() { }
+BPF_Program::BPF_Program() : m_program() { }
 
 BPF_Program::~BPF_Program()
 	{
 	FreeCode();
 	}
 
-bool BPF_Program::Compile(pcap_t* pcap, const char* filter, uint32_t netmask, std::string& errbuf,
+bool BPF_Program::Compile(pcap_t* pcap, const char* filter, uint32_t netmask, bool optimize)
-                          bool optimize)
 	{
 	if ( ! pcap )
 		return false;
@@ -88,7 +87,8 @@ bool BPF_Program::Compile(pcap_t* pcap, const char* filter, uint32_t netmask, st
 
 	if ( pcap_compile(pcap, &m_program, (char*)filter, optimize, netmask) < 0 )
 		{
-		errbuf = util::fmt("pcap_compile(%s): %s", filter, pcap_geterr(pcap));
+		state_message = std::string(pcap_geterr(pcap));
+		state = GetStateFromMessage(state_message);
 		return false;
 		}
 
@@ -98,8 +98,8 @@ bool BPF_Program::Compile(pcap_t* pcap, const char* filter, uint32_t netmask, st
 	return true;
 	}
 
-bool BPF_Program::Compile(int snaplen, int linktype, const char* filter, uint32_t netmask,
+bool BPF_Program::Compile(zeek_uint_t snaplen, int linktype, const char* filter, uint32_t netmask,
-                          std::string& errbuf, bool optimize)
+                          bool optimize)
 	{
 	FreeCode();
 
@@ -114,27 +114,18 @@ bool BPF_Program::Compile(int snaplen, int linktype, const char* filter, uint32_
 		return true;
 		}
 
-#ifdef LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
+	pcap_t* pcap = pcap_open_dead(linktype, snaplen);
-	char my_error[PCAP_ERRBUF_SIZE];
+	if ( ! pcap )
-
-	int err = pcap_compile_nopcap(snaplen, linktype, &m_program, (char*)filter, optimize, netmask,
-	                              my_error);
-	if ( err < 0 )
-		errbuf = std::string(my_error);
-#else
-	int err = pcap_compile_nopcap(snaplen, linktype, &m_program, (char*)filter, optimize, netmask);
-
-	if ( err < 0 )
-		errbuf.clear();
-#endif
-
-	if ( err == 0 )
 		{
-		m_compiled = true;
+		state = FilterState::FATAL;
-		m_matches_anything = filter_matches_anything(filter);
+		state_message = "Failed to open pcap based on linktype/snaplen";
+		return false;
 		}
 
-	return err == 0;
+	bool status = Compile(pcap, filter, netmask, optimize);
+	pcap_close(pcap);
+
+	return status;
 	}
 
 bpf_program* BPF_Program::GetProgram()
@@ -155,4 +146,12 @@ void BPF_Program::FreeCode()
 		}
 	}
 
+FilterState BPF_Program::GetStateFromMessage(const std::string& err)
+	{
+	if ( err.find("filtering not implemented") != std::string::npos )
+		return FilterState::WARNING;
+
+	return FilterState::FATAL;
+	}
+
 	} // namespace zeek::iosource::detail

src/iosource/BPF_Program.h

@@ -5,12 +5,24 @@
 #include <cstdint>
 #include <string>
 
+#include "zeek/util.h"
+
 extern "C"
 	{
 #include <pcap.h>
 	}
 
-namespace zeek::iosource::detail
+namespace zeek::iosource
+	{
+
+enum class FilterState : uint8_t
+	{
+	OK,
+	FATAL, // results in Reporter::Error
+	WARNING // results in Reporter::Warning
+	};
+
+namespace detail
 	{
 
 // BPF_Programs are an abstraction around struct bpf_program,
@@ -20,42 +32,69 @@ namespace zeek::iosource::detail
 class BPF_Program
 	{
 public:
-	// Creates an empty, uncompiled BPF program.
+	/**
+	 * Creates an empty, uncompiled BPF program.
+	 */
 	BPF_Program();
 	~BPF_Program();
 
-	// Creates a BPF program for the given pcap handle.
+	/**
-	// Parameters are like in pcap_compile(). Returns true
+	 * Creates a BPF program for a given pcap handle. The parameters match the usage
-	// for successful compilation, false otherwise.
+	 * described in the documentation for pcap_compile().
-	bool Compile(pcap_t* pcap, const char* filter, uint32_t netmask, std::string& errbuf,
+	 *
+	 * @return true on successful compilation, false otherwise.
+	 */
+	bool Compile(pcap_t* pcap, const char* filter, uint32_t netmask, bool optimize = true);
+
+	/**
+	 * Creates a BPF program when no pcap handle is available. The parameters match the usage
+	 * described in the documentation for pcap_compile_nopcap().
+	 *
+	 * @return true on successful compilation, false otherwise.
+	 */
+	bool Compile(zeek_uint_t snaplen, int linktype, const char* filter, uint32_t netmask,
 	             bool optimize = true);
 
-	// Creates a BPF program when no pcap handle is around,
+	/**
-	// similarly to pcap_compile_nopcap(). Parameters are
+	 * Returns true if this program currently contains compiled code, false otherwise.
-	// similar. Returns true on success.
+	 */
-	bool Compile(int snaplen, int linktype, const char* filter, uint32_t netmask,
-	             std::string& errbuf, bool optimize = true);
-
-	// Returns true if this program currently contains compiled
-	// code, false otherwise.
 	bool IsCompiled() { return m_compiled; }
 
-	// Returns true if this program matches any packets. This is not
+	/**
-	// comprehensive, but can identify a few cases where it does.
+	 * Returns true if this program matches any packets. This is not comprehensive, but can
+	 * identify a few cases where it does.
+	 */
 	bool MatchesAnything() { return m_matches_anything; }
 
-	// Accessor to the compiled program. Returns nil when
+	/**
-	// no program is currently compiled.
+	 * Returns the compiled program, or nullptr if no program is currently compiled.
+	 */
 	bpf_program* GetProgram();
 
+	/**
+	 * Returns the state of the compilation process.
+	 */
+	FilterState GetState() const { return state; }
+
+	/**
+	 * Returns an error message, if any, that was returned from the compliation process.
+	 */
+	std::string GetStateMessage() const { return state_message; }
+
 protected:
 	void FreeCode();
 
+	FilterState GetStateFromMessage(const std::string& err);
+
 	// (I like to prefix member variables with m_, makes it clear
 	// in the implementation whether it's a global or not. --ck)
-	bool m_compiled;
+	bool m_compiled = false;
-	bool m_matches_anything;
+	bool m_matches_anything = false;
 	struct bpf_program m_program;
+
+	FilterState state = FilterState::OK;
+	std::string state_message;
 	};
 
-	} // namespace zeek::iosource::detail
+	} // namespace detail
+	} // namespace zeek::iosource

src/iosource/PktSrc.cc

@@ -203,18 +203,17 @@ bool PktSrc::ExtractNextPacketInternal()
 
 detail::BPF_Program* PktSrc::CompileFilter(const std::string& filter)
 	{
-	std::string errbuf;
 	auto code = std::make_unique<detail::BPF_Program>();
 
-	if ( ! code->Compile(BifConst::Pcap::snaplen, LinkType(), filter.c_str(), Netmask(), errbuf) )
+	if ( ! code->Compile(BifConst::Pcap::snaplen, LinkType(), filter.c_str(), Netmask()) )
 		{
 		std::string msg = util::fmt("cannot compile BPF filter \"%s\"", filter.c_str());
 
-		if ( ! errbuf.empty() )
+		std::string state_msg = code->GetStateMessage();
-			msg += ": " + errbuf;
+		if ( ! state_msg.empty() )
+			msg += ": " + state_msg;
 
 		Error(msg);
-		return nullptr;
 		}
 
 	return code.release();
@@ -225,10 +224,9 @@ bool PktSrc::PrecompileBPFFilter(int index, const std::string& filter)
 	if ( index < 0 )
 		return false;
 
-	// Compile filter.
+	// Compile filter. This will always return a pointer, but may have stored an error
+	// internally.
 	auto code = CompileFilter(filter);
-	if ( ! code )
-		return false;
 
 	// Store it in vector.
 	if ( index >= static_cast<int>(filters.size()) )
@@ -239,7 +237,7 @@ bool PktSrc::PrecompileBPFFilter(int index, const std::string& filter)
 
 	filters[index] = code;
 
-	return true;
+	return code->GetState() != FilterState::FATAL;
 	}
 
 detail::BPF_Program* PktSrc::GetBPFFilter(int index)

src/iosource/PktSrc.h

@@ -5,6 +5,7 @@
 #include <sys/types.h> // for u_char
 #include <vector>
 
+#include "zeek/iosource/BPF_Program.h"
 #include "zeek/iosource/IOSource.h"
 #include "zeek/iosource/Packet.h"
 
@@ -13,18 +14,13 @@ struct pcap_pkthdr;
 namespace zeek::iosource
 	{
 
-namespace detail
-	{
-class BPF_Program;
-	}
-
 /**
  * Base class for packet sources.
  */
 class PktSrc : public IOSource
 	{
 public:
-	static const int NETMASK_UNKNOWN = 0xffffffff;
+	static const uint32_t NETMASK_UNKNOWN = 0xffffffff;
 
 	/**
 	 * Struct for returning statistics on a packet source.
@@ -102,7 +98,7 @@ public:
 	 * Precompiles a BPF filter and associates the given index with it.
 	 * The compiled filter will be then available via \a GetBPFFilter().
 	 *
-	 * This is primarily a helper for packet source implementation that
+	 * This is primarily a helper for packet source implementations that
 	 * want to apply BPF filtering to their packets.
 	 *
 	 * @param index The index to associate with the filter.
@@ -139,7 +135,8 @@ public:
 	 *
 	 * @param pkt The content of the packet to filter.
 	 *
-	 * @return True if it maches. 	 */
+	 * @return True if it matches.
+	 */
 	bool ApplyBPFFilter(int index, const struct pcap_pkthdr* hdr, const u_char* pkt);
 
 	/**
@@ -158,9 +155,9 @@ public:
 	 * Precompiles a filter and associates a given index with it. The
 	 * filter syntax is defined by the packet source's implenentation.
 	 *
-	 * Derived classes must implement this to implement their filtering.
+	 * Derived classes can override this method to implement their own
-	 * If they want to use BPF but don't support it natively, they can
+	 * filtering. If not overriden, it uses the pcap-based BPF filtering
-	 * call the corresponding helper method provided by \a PktSrc.
+	 * by default.
 	 *
 	 * @param index The index to associate with the filter
 	 *
@@ -169,7 +166,10 @@ public:
 	 * @return True on success, false if a problem occurred or filtering
 	 * is not supported.
 	 */
-	virtual bool PrecompileFilter(int index, const std::string& filter) = 0;
+	virtual bool PrecompileFilter(int index, const std::string& filter)
+		{
+		return PrecompileBPFFilter(index, filter);
+		}
 
 	/**
 	 * Activates a precompiled filter with the given index.
@@ -336,6 +336,16 @@ protected:
 	 */
 	virtual void DoneWithPacket() = 0;
 
+	/**
+	 * Performs the actual filter compilation. This can be overridden to
+	 * provide a different implementation of the compiilation called by
+	 * PrecompileBPFFilter(). This is primarily used by the pcap source
+	 * use a different version of BPF_Filter::Compile;
+	 *
+	 * @param filter the filtering string being compiled.
+	 *
+	 * @return The compiled filter or nullptr if compilation failed.
+	 */
 	virtual detail::BPF_Program* CompileFilter(const std::string& filter);
 
 private:

src/iosource/pcap/Source.cc

@@ -263,25 +263,19 @@ void PcapSource::DoneWithPacket()
 	// Nothing to do.
 	}
 
-bool PcapSource::PrecompileFilter(int index, const std::string& filter)
-	{
-	return PktSrc::PrecompileBPFFilter(index, filter);
-	}
-
 detail::BPF_Program* PcapSource::CompileFilter(const std::string& filter)
 	{
-	std::string errbuf;
 	auto code = std::make_unique<detail::BPF_Program>();
 
-	if ( ! code->Compile(pd, filter.c_str(), Netmask(), errbuf) )
+	if ( ! code->Compile(pd, filter.c_str(), Netmask()) )
 		{
 		std::string msg = util::fmt("cannot compile BPF filter \"%s\"", filter.c_str());
 
-		if ( ! errbuf.empty() )
+		std::string state_msg = code->GetStateMessage();
-			msg += ": " + errbuf;
+		if ( ! state_msg.empty() )
+			msg += ": " + state_msg;
 
 		Error(msg);
-		return nullptr;
 		}
 
 	return code.release();
@@ -310,14 +304,16 @@ bool PcapSource::SetFilter(int index)
 		// since the default scripts will always attempt to compile
 		// and install a default filter
 		}
-	else
+	else if ( auto program = code->GetProgram() )
 		{
-		if ( pcap_setfilter(pd, code->GetProgram()) < 0 )
+		if ( pcap_setfilter(pd, program) < 0 )
 			{
 			PcapError();
 			return false;
 			}
 		}
+	else if ( code->GetState() != FilterState::OK )
+		return false;
 
 #ifndef HAVE_LINUX
 	// Linux doesn't clear counters when resetting filter.

src/iosource/pcap/Source.h

@@ -28,9 +28,9 @@ protected:
 	void Close() override;
 	bool ExtractNextPacket(Packet* pkt) override;
 	void DoneWithPacket() override;
-	bool PrecompileFilter(int index, const std::string& filter) override;
 	bool SetFilter(int index) override;
 	void Statistics(Stats* stats) override;
+
 	detail::BPF_Program* CompileFilter(const std::string& filter) override;
 
 private:

src/iosource/pcap/pcap.bif

@@ -1,13 +1,13 @@
 
 module Pcap;
 
-
 const snaplen: count;
 const bufsize: count;
 
 %%{
 #include <pcap.h>
 
+#include "zeek/iosource/BPF_Program.h"
 #include "zeek/iosource/Manager.h"
 %%}
 
@@ -44,8 +44,13 @@ function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
 	bool success = true;
 
 	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
-	if ( ps && ! ps->PrecompileFilter(id->AsInt(), s->CheckString()) )
+	if ( ps )
-		success = false;
+		{
+		bool compiled = ps->PrecompileFilter(id->AsInt(), s->CheckString());
+		auto filter = ps->GetBPFFilter(id->AsInt());
+		if ( ! compiled || ( filter && filter->GetState() != zeek::iosource::FilterState::OK ) )
+			success = false;
+		}
 
 	return zeek::val_mgr->Bool(success);
 	%}
@@ -99,13 +104,59 @@ function error%(%): string
 	if ( ps )
 		{
 		const char* err = ps->ErrorMsg();
-		if ( *err )
+		if ( err && *err )
 			return zeek::make_intrusive<zeek::StringVal>(err);
 		}
 
 	return zeek::make_intrusive<zeek::StringVal>("no error");
 	%}
 
+## Returns the initialization state of a PCAP filter, or OK if the either
+## there's no active packet source or the pcap filter ID does not exist.
+##
+## id: The PCAP filter id of a precompiled filter.
+##
+## Returns: A state value denoting whether any warnings or errors were
+##          encountered while initializing the filter.
+##
+## .. zeek:see:: Pcap::precompile_pcap_filter
+##               Pcap::install_pcap_filter
+function get_filter_state%(id: PcapFilterID%): filter_state
+	%{
+	EnumTypePtr filter_state = zeek::id::find_type<EnumType>("Pcap::filter_state");
+	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
+	if ( ps )
+		{
+		if ( auto filter = ps->GetBPFFilter(id->AsInt()) )
+			return filter_state->GetEnumVal(static_cast<zeek_int_t>(filter->GetState()));
+		}
+
+	return filter_state->GetEnumVal(static_cast<zeek_int_t>(iosource::FilterState::OK));
+	%}
+
+## Returns a string containing any error messages that were reported by
+## filter initialization.
+##
+## id: The PCAP filter id of a precompiled filter.
+##
+## Returns: Warning/error strings from the initialization process, a blank
+##          string if none were encountered, or '<unknown>' if either there
+##          is no active packet source or the filter ID doesn't exist.
+##
+## .. zeek:see:: Pcap::precompile_pcap_filter
+##               Pcap::install_pcap_filter
+function get_filter_state_string%(id: PcapFilterID%): string
+	%{
+	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
+	if ( ps )
+		{
+		if ( auto filter = ps->GetBPFFilter(id->AsInt()) )
+			return zeek::make_intrusive<zeek::StringVal>(filter->GetStateMessage());
+		}
+
+	return zeek::make_intrusive<zeek::StringVal>("<unknown>");
+	%}
+
 function findalldevs%(%): Pcap::Interfaces
 	%{
 	pcap_if_t* alldevs;

testing/btest/Baseline/core.pcap.filter-warning/notice.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
+0.000000	-	-	-	-	-	-	-	-	-	PacketFilter::Install_Failure	Installing packet filter failed	ip or not ip	-	-	-	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.pcap.filter-warning/output

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning in <...>/main.zeek, line 307: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented

testing/btest/Baseline/core.pcap.filter-warning/packet_filter.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	node	filter	init	success	failure_reason
+#types	time	string	string	bool	bool	string
+XXXXXXXXXX.XXXXXX	zeek	ip or not ip	T	F	IEEE 802.15.4 link-layer type filtering not implemented
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.pcap.filter-warning/reporter.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	reporter
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	level	message	location
+#types	time	enum	string	string
+XXXXXXXXXX.XXXXXX	Reporter::WARNING	Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented	<...>/main.zeek, line 307
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	packet_filter
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	node	filter	init	success
+#fields	ts	node	filter	init	success	failure_reason
-#types	time	string	string	bool	bool
+#types	time	string	string	bool	bool	string
-XXXXXXXXXX.XXXXXX	zeek	port 50000	T	T
+XXXXXXXXXX.XXXXXX	zeek	port 50000	T	T	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.print-bpf-filters/output

@@ -5,9 +5,9 @@
 #unset_field	-
 #path	packet_filter
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	node	filter	init	success
+#fields	ts	node	filter	init	success	failure_reason
-#types	time	string	string	bool	bool
+#types	time	string	string	bool	bool	string
-XXXXXXXXXX.XXXXXX	zeek	ip or not ip	T	T
+XXXXXXXXXX.XXXXXX	zeek	ip or not ip	T	T	-
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
 #set_separator	,
@@ -15,9 +15,9 @@ XXXXXXXXXX.XXXXXX	zeek	ip or not ip	T	T
 #unset_field	-
 #path	packet_filter
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	node	filter	init	success
+#fields	ts	node	filter	init	success	failure_reason
-#types	time	string	string	bool	bool
+#types	time	string	string	bool	bool	string
-XXXXXXXXXX.XXXXXX	zeek	port 42	T	T
+XXXXXXXXXX.XXXXXX	zeek	port 42	T	T	-
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
 #set_separator	,
@@ -25,7 +25,7 @@ XXXXXXXXXX.XXXXXX	zeek	port 42	T	T
 #unset_field	-
 #path	packet_filter
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	node	filter	init	success
+#fields	ts	node	filter	init	success	failure_reason
-#types	time	string	string	bool	bool
+#types	time	string	string	bool	bool	string
-XXXXXXXXXX.XXXXXX	zeek	(vlan) and (ip or not ip)	T	T
+XXXXXXXXXX.XXXXXX	zeek	(vlan) and (ip or not ip)	T	T	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/plugins.hooks/output

@@ -282,7 +282,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -469,8 +469,8 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::get_filter, <frame>, (SSL::LOG, default)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -668,7 +668,7 @@
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Site::update_local_nets_table, <frame>, (Site::local_nets, {})) -> <no result>
@@ -1509,8 +1509,8 @@
 0.000000   MetaHookPost  LoadFileExtended(1, ./programming, <...>/programming.sig) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(1, ./video, <...>/video.sig) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(1, s2, ./s2.sig) -> (-1, <no content>)
-0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
+0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 6, {ts (time), node (string), filter (string), init (bool), success (bool), failure_reason (string)}) -> <void>
-0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
+0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 6, {ts (time), node (string), filter (string), init (bool), success (bool), failure_reason (string)}, <void ptr>) -> true
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
@@ -1797,7 +1797,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1984,8 +1984,8 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::get_filter, <frame>, (SSL::LOG, default))
-0.000000   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG))
+0.000000   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -2183,7 +2183,7 @@
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
-0.000000   MetaHookPre   CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
+0.000000   MetaHookPre   CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter))
 0.000000   MetaHookPre   CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip))
 0.000000   MetaHookPre   CallFunction(Site::update_local_nets_table, <frame>, (Site::local_nets, {}))
@@ -3024,8 +3024,8 @@
 0.000000   MetaHookPre   LoadFileExtended(1, ./programming, <...>/programming.sig)
 0.000000   MetaHookPre   LoadFileExtended(1, ./video, <...>/video.sig)
 0.000000   MetaHookPre   LoadFileExtended(1, s2, ./s2.sig)
-0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
+0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 6, {ts (time), node (string), filter (string), init (bool), success (bool), failure_reason (string)})
-0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
+0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 6, {ts (time), node (string), filter (string), init (bool), success (bool), failure_reason (string)}, <void ptr>)
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
@@ -3311,7 +3311,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -3498,8 +3498,8 @@
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])
 0.000000 | HookCallFunction Log::get_filter(SSL::LOG, default)
-0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG)
+0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG)
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -3697,7 +3697,7 @@
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
-0.000000 | HookCallFunction PacketFilter::log_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
+0.000000 | HookCallFunction PacketFilter::log_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Pcap::install_pcap_filter(PacketFilter::DefaultPcapFilter)
 0.000000 | HookCallFunction Pcap::precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip)
 0.000000 | HookCallFunction Site::update_local_nets_table(Site::local_nets, {})
@@ -4538,8 +4538,8 @@
 0.000000 | HookLoadFileExtended builtin-plugins/__preload__.zeek <...>/__preload__.zeek
 0.000000 | HookLoadFileExtended s1.sig ./s1.sig
 0.000000 | HookLoadFileExtended s2 ./s2.sig
-0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
+0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool), failure_reason (string)}
-0.000000 | HookLogWrite  packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()

testing/btest/Baseline/plugins.writer/output

@@ -18,6 +18,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0)
 [http] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
-[packet_filter] XXXXXXXXXX.XXXXXX|zeek|ip or not ip|T|T
+[packet_filter] XXXXXXXXXX.XXXXXX|zeek|ip or not ip|T|T|-
 [socks] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688
 [tunnel] XXXXXXXXXX.XXXXXX|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER

testing/btest/core/pcap/filter-warning.zeek

@@ -0,0 +1,9 @@
+# Don't run for C++ scripts, since first invocation doesn't use the input
+# and hence leads to complaints that there are no scripts.
+# @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
+#
+# @TEST-EXEC: zeek -r $TRACES/ieee80211.15.4.pcap >output 2>&1
+# @TEST-EXEC: btest-diff notice.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='$SCRIPTS/diff-canonifier | $SCRIPTS/diff-remove-abspath' btest-diff reporter.log
+# @TEST-EXEC: btest-diff packet_filter.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output

testing/external/commit-hash.zeek-testing

@@ -1 +1 @@
-bf98a971e76b8b2e88bebe8ae386b3473f4f3848
+ab85877815c27e33796e20ac1868e55a6dc6d605

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-e51c49eca62db430af35a1d8548c3ae8e421f0cf
+3e7c07e9bf3b1116fa809b7fd2f116141bc4a36a

zeek-config.h.in

@@ -75,10 +75,6 @@
 /* Define if you have the <sys/ethernet.h> header file. */
 #cmakedefine HAVE_SYS_ETHERNET_H
 
-/* Some libpcap versions use an extra parameter (error) in pcap_compile_nopcap
-   */
-#cmakedefine LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
-
 /* Include krb5.h */
 #cmakedefine NEED_KRB5_H