From 0944747babd1b434bf1aa463c5d8a009a79c8b3a Mon Sep 17 00:00:00 2001
From: Pierre LALET <pierre.lalet@cea.fr>
Date: Tue, 15 May 2018 18:15:17 +0200
Subject: [PATCH 1/2] Add tests for ARP in 802.11 (w & w/o RadioTAP)

---
 .../scripts.base.protocols.arp.radiotap/.stdout   |   2 ++
 .../scripts.base.protocols.arp.wlanmon/.stdout    |   2 ++
 testing/btest/Traces/arp-who-has-radiotap.pcap    | Bin 0 -> 294 bytes
 testing/btest/Traces/arp-who-has-wlanmon.pcap     | Bin 0 -> 198 bytes
 .../scripts/base/protocols/arp/radiotap.test      |  13 +++++++++++++
 .../btest/scripts/base/protocols/arp/wlanmon.test |  13 +++++++++++++
 6 files changed, 30 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout
 create mode 100644 testing/btest/Traces/arp-who-has-radiotap.pcap
 create mode 100644 testing/btest/Traces/arp-who-has-wlanmon.pcap
 create mode 100644 testing/btest/scripts/base/protocols/arp/radiotap.test
 create mode 100644 testing/btest/scripts/base/protocols/arp/wlanmon.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout
new file mode 100644
index 0000000000..d45f9ba0d7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout
@@ -0,0 +1,2 @@
+78:31:c1:c6:3f:c2, ff:ff:ff:ff:ff:ff, 10.0.0.2, 78:31:c1:c6:3f:c2, 10.0.0.1, 00:00:00:00:00:00
+f8:ed:a5:c0:a4:f1, 78:31:c1:c6:3f:c2, 10.0.0.1, f8:ed:a5:c0:a4:f1, 10.0.0.2, 78:31:c1:c6:3f:c2
diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout
new file mode 100644
index 0000000000..d45f9ba0d7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout
@@ -0,0 +1,2 @@
+78:31:c1:c6:3f:c2, ff:ff:ff:ff:ff:ff, 10.0.0.2, 78:31:c1:c6:3f:c2, 10.0.0.1, 00:00:00:00:00:00
+f8:ed:a5:c0:a4:f1, 78:31:c1:c6:3f:c2, 10.0.0.1, f8:ed:a5:c0:a4:f1, 10.0.0.2, 78:31:c1:c6:3f:c2
diff --git a/testing/btest/Traces/arp-who-has-radiotap.pcap b/testing/btest/Traces/arp-who-has-radiotap.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..4f532109190bef9d3d485dc6cf392d9dc46bd47f
GIT binary patch
literal 294
zcmca|c+)~A1{MYw`2U}Qp&rOtt#di_#33$*JRo~2SkizYn?r`-VPaSqh%3ObMAU(C
z+hRsPlj#nOj6hzFk~||j10z^1149R+4nvoy$n2;G6@~|o*&q531_BIh469Z#1J!V_
zF)(s4u(2>OLgcv^7?>bhfh<Ol?RBZ#3=Ke`Pheq)?My7;NVXrvupQ(N5bj_yV1Sql
hal?<dOAjph=m3;Kvz-Yd1F{p{9YDokAkUp}4gmYkM7{t3

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/arp-who-has-wlanmon.pcap b/testing/btest/Traces/arp-who-has-wlanmon.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7d54788f2a3af477fc4a9d204da2c387d61a8ca7
GIT binary patch
literal 198
zcmca|c+)~A1{MYw`2U}QArr`17V$eOVlo4R9gq#e9gI2*U7{khqaIWk9z14$=sy?;
zFt9PKTEz^M=U`)C<X~W9VPJ&Fb1^V50fm78$YKPU7CD`PAppn+;SMGP28cR{nLpkx
cJ+S1X15gIdG$x1)$P9FIfr`OEo;%?j0B%w=zW@LL

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/arp/radiotap.test b/testing/btest/scripts/base/protocols/arp/radiotap.test
new file mode 100644
index 0000000000..95ce471532
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/arp/radiotap.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/arp-who-has-radiotap.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
diff --git a/testing/btest/scripts/base/protocols/arp/wlanmon.test b/testing/btest/scripts/base/protocols/arp/wlanmon.test
new file mode 100644
index 0000000000..7f909eac4f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/arp/wlanmon.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+

From ab739462892b4cf8f7971ae22b637f2047722002 Mon Sep 17 00:00:00 2001
From: Pierre LALET <pierre.lalet@cea.fr>
Date: Wed, 16 May 2018 00:17:17 +0200
Subject: [PATCH 2/2] ARP: fix the l2 source address check

ARP_Analyzer::NextPacket() incorrectly assumed that the MAC source
address was at data+6 (which is fine for classical ARP over Ethernet
frames but incorrect for ARP over Wi-Fi for example) and the
destination was at data.

Use pkt->l2_src and pkt->l2_dst instead, set by Packet::ProcessLayer2().
---
 src/analyzer/protocol/arp/ARP.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc
index b9af26ecfa..83166bd149 100644
--- a/src/analyzer/protocol/arp/ARP.cc
+++ b/src/analyzer/protocol/arp/ARP.cc
@@ -140,7 +140,7 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt)
 
 
 	// Check MAC src address = ARP sender MAC address.
-	if ( memcmp((const char*) (data+6), ar_sha(ah), ah->ar_hln) )
+	if ( memcmp(pkt->l2_src, ar_sha(ah), ah->ar_hln) )
 		{
 		BadARP(ah, "weird-arp-sha");
 		return;
@@ -149,12 +149,12 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt)
 	// Check the code is supported.
 	switch ( ntohs(ah->ar_op) ) {
 	case ARPOP_REQUEST:
-		RREvent(arp_request, data+6, data,
+		RREvent(arp_request, pkt->l2_src, pkt->l2_dst,
 				ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
 		break;
 
 	case ARPOP_REPLY:
-		RREvent(arp_reply, data+6, data,
+		RREvent(arp_reply, pkt->l2_src, pkt->l2_dst,
 				ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
 		break;