From 4336de6651248f6b2deace2019b1187b830fdb44 Mon Sep 17 00:00:00 2001
From: Jeff Barber
Date: Fri, 26 Jul 2019 09:51:13 -0600
Subject: [PATCH] Duplicate TCP segment should trigger tcp_multiple_retransmissions
---
 src/analyzer/protocol/tcp/TCP.cc | 4 +++-
 .../Baseline/core.pppoe-over-qinq/conn.log | 6 +++---
 testing/btest/Baseline/core.tcp.tcp-dups/out | 3 +++
 .../conn.log | 6 +++---
 .../scripts.base.protocols.irc.basic/conn.log | 6 +++---
 .../all-events.log | 2 +-
 testing/btest/Traces/tcp/ssh-dups.pcap | Bin 0 -> 62870 bytes
 testing/btest/core/tcp/tcp-dups.zeek | 11 +++++++++++
 8 files changed, 27 insertions(+), 11 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tcp.tcp-dups/out
 create mode 100644 testing/btest/Traces/tcp/ssh-dups.pcap
 create mode 100644 testing/btest/core/tcp/tcp-dups.zeek
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 74e73b80e2..5be893fd8e 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -891,6 +891,8 @@ static void init_endpoint(TCP_Endpoint* endpoint, TCP_Flags flags,
 // numbering consistent.
 endpoint->InitAckSeq(first_seg_seq - 1);
 endpoint->InitStartSeq(first_seg_seq - 1);
+ // But ensure first packet is not marked duplicate
+ last_seq = first_seg_seq;
 }
 endpoint->InitLastSeq(last_seq);
@@ -1019,7 +1021,7 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
 // ## endpoint->last_seq = last_seq;
 endpoint->UpdateLastSeq(last_seq);
- else if ( delta_last < 0 && len > 0 )
+ else if ( delta_last <= 0 && len > 0 )
 endpoint->DidRxmit();
 return delta_last;
diff --git a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log
index 028dd982fb..2c2b146f4c 100644
--- a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log
+++ b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log
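Review bot: In init_endpoint the new `last_seq = first_seg_seq;` guard sits only in the partial-connection branch, so a first packet that takes the SYN branch and carries payload would presumably still initialise LastSeq to its own end and then hit the widened `delta_last <= 0 && len > 0` test in update_last_seq. Whether an earlier branch there already catches SYN segments cannot be seen, because both function bodies start and end outside these hunks; a short trace with a data-bearing SYN would settle it. The comment would also be easier to maintain if it named the dependency, e.g. `// Start last_seq at the segment's first byte so update_last_seq() sees a positive delta for this packet`.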
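Review bot: The widened test `delta_last <= 0 && len > 0` in update_last_seq counts every payload-carrying segment that ends exactly at the endpoint's last sequence number, which likely includes one-byte TCP keep-alive probes as well as genuine duplicates. The baselines updated in this same patch gain `t`/`T` history flags on existing traces, so deployments that alert on tcp_multiple_retransmissions or on those flags may see more hits, particularly on long-lived idle sessions. A comment on the branch would record the intent, e.g. `// delta_last == 0 with payload re-sends bytes already seen; count it as a retransmission`, and the change in counting deserves a line in the release notes. The function body starts and ends outside the hunk.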
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2018-08-01-20-09-03 +#open 2019-07-26-20-04-59 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1523351398.449222 CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF - - 0 ShADdtaTTFf 44 25283 42 13001 - -#close 2018-08-01-20-09-03 +1523351398.449222 CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF - - 0 ShADdtaTTtFf 44 25283 42 13001 - +#close 2019-07-26-20-05-00 diff --git a/testing/btest/Baseline/core.tcp.tcp-dups/out b/testing/btest/Baseline/core.tcp.tcp-dups/out new file mode 100644 index 0000000000..600bef0294 --- /dev/null +++ b/testing/btest/Baseline/core.tcp.tcp-dups/out @@ -0,0 +1,3 @@ +RETRANSMITS:, [orig_h=192.168.0.102, orig_p=53206/tcp, resp_h=192.168.0.112, resp_p=22/tcp], T, 10, ShADTadtT +RETRANSMITS:, [orig_h=192.168.0.102, orig_p=53206/tcp, resp_h=192.168.0.112, resp_p=22/tcp], F, 10, ShADTadtTt +REMOVE:, [orig_h=192.168.0.102, orig_p=53206/tcp, resp_h=192.168.0.112, resp_p=22/tcp], ShADTadtTtFf diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log index af890ad64a..d4eff0f151 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-21 +#open 2019-07-26-20-05-28 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1078232251.833846 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF - - 0 ShADadfF 14 2257 16 944 - -#close 2016-07-13-16-16-21 +1078232251.833846 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF - - 0 ShADadtTfF 14 2257 16 944 - +#close 2019-07-26-20-05-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log index d7064790ae..b2abaa7126 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-28 +#open 2019-07-26-20-10-57 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1311189318.898709 ClEkJM2Vm5giqnMf4h 192.168.1.77 57655 209.197.168.151 1024 tcp irc-dcc-data 2.256935 124 42208 SF - - 0 ShAdDaFf 28 1592 43 44452 - -1311189164.064603 CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 - - 0 ShADdaf 63 3761 52 28194 - -#close 2016-07-13-16-16-28 +1311189164.064603 CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 - - 0 ShADdTtaf 63 3761 52 28194 - +#close 2019-07-26-20-10-58 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 753df3ecca..f6a43528ff 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -1043,7 +1043,7 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, 
analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] 
diff --git a/testing/btest/Traces/tcp/ssh-dups.pcap b/testing/btest/Traces/tcp/ssh-dups.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cbe8ba8f35168aa0f511b577283425ba80fc70fa GIT binary patch literal 62870 zcmeHQ2|QI@*T3c|Q$nIbBbhVHkVYz^lnBX~Df5(>G$|>iLKG?UJX4A&p_Cyd$q*8f zIpW*;S%gHHKD{&nh);l5+0wuQ{H`O$ zCqYe#s6o3A#taJqtpeC)%G$I1NI0<-dMSApo*yLuKN|C(Lp6Kt!`KE`ItTg?G{fSQ z7%D@FG6n7p$1EJR5-m*v9*N9mWf<_^F7X(3~O!#eey!@Gm8!KNaLL zaJ1z;VPSZZR}TPU2rkD)7yW10OXSrvu(sv37Z8*?3Gyn0LhqzGyhxk_!G-_50|6X= z@4!iP@wLp-4DkhL#cQCCG31=5Yds|fKsmR1>=8ik+($qq@TfTz%s2xctSD$V>6zpI z9XtZ>?f-zjYCCgXJzh~^UISa)Geo}+uMPhLWB3O!3VGob%>OC0;C!D7&iZ8XG;lzg zIt83Jan$onzk)WLdL;;e{GYwB6&5Eg40xOY-QnN@-vF2W>rcS}Gk##+LKu9K<`D*; zqF!{)oJ^27?;#96Be4RyM;Lr&rGYT`RQf?@Mr<+?;>Ax*zvk#)e>#J{!LJB|&nVOp z2FGD*gu#&-9I3(4li+`OYWg)t|N2ve!O;yIq>F;X)_|*KbxaTjM;IJo@c#w|PX&GO zU#!8kq1TQw@YarM{Y2iIfi<|18EbH#!P?O%tm+r1#8*m`C}*&`0tfz*5V2WeJH(OL zbxs_YqegsBW7ZSET0%R-5v;WflP2owEpZibkbaOV90 zVIqWyFngMi-AiD`i*7>w8z(VHO@zT5pN7C|*d3Eqp6<8d?>j}!vw!!!nXZ-ttp^?1 z2)!YuPXu~IKVh$E@k*>bNQtrrn8Gm&M}5rx-7It5{kxMmE+M)i>&OlP@Kaar{BT5u0 zAqqY4`>q7Ti5;--O8O1A@9IDc`qv>IpzrEKkL|nmfS4KwuZSsE0|Og_!7xV;5xh-4 zwKE(1zLofEcH61Cp3EwxGhSZ$*N61tHXO;3yR=j{beKH4ZGYSycKrv5P7R;wGlpH2 zqCcMG(akLTFp(yL>Lj6(4~s~B286IP28v0H>~upN>Llbb-KL!+`pEBjgbp#u$2+=W z^_BZ|!7;$2=Q|&86BCM^{+;u#+^cfrN4u3YpLKHg4OJzpB@9U#aFyJs{K&Hls^LII zomoMXz)^ZM`5Ldt+Pdv)HmvRUNb_&ak@`GzgJWZZCOByNX9*?a^o#W>@78ArP%=kq zYWK6-y2q#_eSKm=vsq) z18hz|3gaMS{y^DHNkiqLO`G6()UjFZj-0B6xFL-)ZKc=V^2etIZpYQ83HGmSZaYfJ zaxUNzx3w#?$IlouVNqK0pa=WAPP(t(U?Y*ayVUixINyfq*BNO%lYc`5M3?D zH=s@*rZt+XFG&bNec1zZ(&Cg@WU0c_piU=QgT;{q;s|BT ztV}Hw%^7p=u2_A}~@6JHX5$*peqFDFd=fY@0Hc!>W=glh!de(l7UJKb&(SfvM?BGJxu z&1}eOy}|FybFqW4{Mq+*MQtT!(ZH5sh&iGi6F>icZu8u zP#oS|32nJJCCULDeL?DhV-}9!i32cxvX0>89}JEl|9szui=z%-9zCNTeTNPQOMcVA zf=@?Q5SiUI5S$oxO!^@nT1EfK{fAi4wY)D~e20U#hUpszaYkx(t)(4Sd97q0dRwUH z74_CP&=$y9{kLNk%}#{^4}w9DS?pk(*oEe07d&2`@Dr(LgMCylPb@F5g1o%$rJ|@u 
zt8^CGi}xk*9Cq|VSE&m<_TTnOc8+H0^{=y7^FFrk%-F*x9c{~Zc87kiWy^C2fPRFW z#s4=f6gU>n+x2X^T27nMygfaC6974T6}0iY`8&C`an)(h8-)eOHu z`6)UQ)-f_Q>ABOmYVrpM4qq3mlHRtA?e!8x#zS9cdAUlOluFEtt_TrBV@sEDT| zJjPkuO?Oy7>BR9{TQu}760Q~OFla%2-pZ`KKmWkxqnV<^tZD1QDQY+CS5#H5T1SRD zbk{$3sP&t)N4LIIg_RQJfHBv;o;%k!Iju3~3oOcQVBq>lZE#eWyS}}bf27~QoO*xQCP3v z-zU#^ZGF~-pEM+>Z}}svDpuk-{cVgx&l%8%wvHRk!MnVl zU)I?@xPt$4(W&+MoZ@fmLr*sG+j5%={~Rjber}EIhCQ0wEIyM4`h27j=?6(v4LCzxJ6|MpyUl1yf`$&WpG0nAOb zeVjQ;rb4zn>kH2N2=qVX@h3NtUfR|;nAWMvaw6Hfnp<PrW$hD!U2~qH1joYPAZzdhaK+wCU!6yIe;kTOmFV+#-O5Bn=P_B1t z?Y6V}&&ue(4UDUuEN-j)w(RS=m$@d=>>);4GA!3)PdGobS2NldxNIp`uNE;cFS zl^O%X$&Z%n8cV*_F{*{N8e$#9I!NpwvGc#jY+hRzKCk_7Sy#*19n5QgP^n|*W8z?5 zyB>1o;*|JJfeKXt_TRyQKd&V$z|3ni=yB(@lQ@ETZA%3fM@fidV~7;f`-k`Lj25(^ z!mWd@5@ap!M#s6rl%KVv=p}JWHD4kR+^-5r*i3Y{#ivxaqmF$ zF{Yyv1$&AQeshuEPf5dc!{zXkK%3YryPmj{J{#6kTk%jl;CrWR==A`aNd8<^Z+9lQ z^IcqP%Q^~T&&my}A9`R*zvMuZV6Od^vPZ|2Bv{x5x2!A{Pdw#keX)11OZ)?tWCzpb z&wtiXJ#stIap^vt5mDtDLPIJx6|;RCwkvSaGRCm`-FtbV{G)oi?mf@-ryiPKq7A7s z-&dMbQMb=1CR@sf(9U6L;?Wc1lJ#+ylGQSdU%We`vA$;G+A5k`2ic?_c8))}5SXXN zPsC;{q<)1;UAyzn+wuJTcZGNTp3+HvK>1F*XplF&IrKR~^wpJ$N<+%hL57HJ8cgL+ z%W~CTml9dfk4dY?abAdee*8=2Gqxv;GL)sdJnL;9kJ7|SjU}6UjwyJ$aCnoLRz7p6 zXRO_~J!N0JS=R$IheoAq9~-P6Y6m@dFu1N+Ac(2f`j%3-XE@`zjEoO@S9fjVVy)H^ zr8=H(ySB)k^{q7#ivn%A@1XDF$2I{T4sJOUBH0(OP<9;poY%t_(BONa_ooWyhoS&e zYoj*#*M?%(Qqwy3A1^n`znMpAP0o5K-m;v`liq0)%BmQ@8*WY}*{CYxO!IqujYoks%zn4|*C4c5azTE0v#A?F zBbRcd7q{*@_jY@7XGPl0+e#+Z=vI>r5uVv}B7MX^=do*@sP>r-7}JP%Bi@a8H)_VW zL?GOaa5uu;NM(XlCjZ&WB=!&$N*k2iaNzgNQ2P^m(Cf8VaQkM??tUVTV7-=Lo!1F$ z-;4+J%_N-%g)Jo7I8yQ&b;-(GWp{o)&veBtA;?*(oa7;_gAi^1DkOIuUiiGT5v->= z2gCJL@^I{YNgB+Tc%W?-r^Iq~DpU&aeK_#vov296yfX{$`#UCa1oKXkGF%+@3#Sa5 z7_t%+hoiQC@Y#Jos43v$J8J4f_lic06DT->i$3mk3NcCXs0`qic-ZT6WMel)ePJh6 zW+JG45~K^~BXe!2K0 zrh}`NY^Okpf*uwe`1zD@V`4AFkreN{$eb}af_&<;bt<2J&44%t+`bh(;x$mdH`VDl zN%*Eq%sZ1el1*^yi4cWz2qrf0Cd8~d;kQk%z46^ePl;}E2d>UjWCsZ(^%^_*!{2g7 z9pLs8u4WMM-p3OidqzXq&#KGPhk^9?&FdA{H!+<4(RRN(=I2DQ{aywkN@Yt{Ur(`J 
zUGh)*1l7n40$nyX9`}gUwdQ&yapB&pj2j-u?pN6h6JJqYF0;Oo&CJ_N+vPHu62BUm zU2R!ceC!8_ElmXt^{1<2*_JpK3s%_)DQg!-3v|*FQjMZESi2B~EjcJ8om-{rJszld zUb)-e#$zi}M8%HR6OH`z9EDz)SI66xYZ|`%49=6}wqi)L;`AtyEHbEcQFz4rRqNxh zS-NS@-I8@(g{gOM4(vCyZf;H}b63k4j*o3siM#iCl|~LBLFD1&VM!lGmm?+;K03bH zF6C#_NW)Ii*Gr#b+nyTCyUZh|qLisMQL;v*Kn)dXSbBx_eyoAhODBaHNtPgK) zKF@Hqk2+aC_R4KWN4?4rch>%Tw?q9>iJN*XC0Uch){lliH2!g#u>7-yRiERI?{rUe zjU0juSLXIH_FeyRxlbx%!ZZHqvKvm4OJaq4f7<##%8*{Q!zk5xNFmzYYLz-^SM}9e zjrS*m_Z7>uJRNJM$xeEhu27U7*!BESYee<7sP=n3cUB-?gm@9+MF1w(7gZb+4gwRxtPhJ=*`85OP$i*o!l$a8G-ynW{i8_|} z9bKopM6&Sv$kFkW3;R9ez1a9E1@V&)ZMirl zMgSbAp7VppL%RuvG5wwlyl*t0#1Zs+cw%sI6eb~cFJ%oiq1~8sRX%M)mxxtuGac~{ zwz3*UA{||C5=n)^qs+xdKZO#4d0R7M)9zN6ULMuWJNI_Pe$bx9F)oZ)q?xnooyGp9 z@pW7hl}EORxV(P1+EM7Pn<<|%$H6aV)z>y_oV} zd-{sg4T^vRn&ke(#ym&Lnq_}%>W+@nu--(p%pp_9M!Qx;hevGN-IUy-_va7Z$~{c0 zjSAY=+NN$;-o1P@s3Jnp(Z%t7&6fc!UDbW$^>sJ<*gpwh=&`@yF2_^vOVX7Re!Zru zGh0#g*_y6f6ngem2X5@LPTLb*nz`h;LM;~)d$w&w$;!I{_Zi!bFC2Rtm-me{r28Bx z`^OaT#*_D2mk8$ve^Fa;47I=1jufnx^Jk zcOR2{vhy3>RrQ<-=5<1GzqY#gqt|j*$_7m~7z>D3AYOrZ1;P~wS0EYWpJkB58THw$ zx?DK14_%kX;ML{1ej-i#LH}H8x_|!lA*jnsVNP0{5_5zpQ3+s*2nQaHbg1yeel(77 zJ=*1gr$pwR-|fae z&sPolJoNpSH7F*?9lBbs8^HW-d@LF}FR6j}Ltk8+66*nuGTcg2y z#|duejjj*IV%UUTQJLgTtsq+dE!4Ot|vTTL0mL`Z0 z|9PhV^3F|7d@QTl%pdcM`h`LtLeNCeM0|5GL^{9dKg&OEYe4=P8%>;@e-@`iQ-C84 z$USh(%0H;YL3I9kft!Ea)?o7w3vT{-H)w1fl|@@Ig8F<+%PPNTDauSHRnna_QIqT} zHw#N^ zX5fmI+ASP=v_mdrTPUHMO`}Cp^W_8*zVhal*R|azbAz|;N@|+mExp}h!%jgmKwv0w}+3->E?>pb!Bgr_*u!iCMj+G~>jL4D2<^AfpgF0ulbFG5iC%<6R{!$z6>K}!* zPCgP+kCvPtx<%)yo1J^Jt?)Z%h)2QeH||28#tz6{lRC@#$~v>FZO~PpcBO~O7~B3G zKWrI9nVk*1R@D1wY$k}59XxSHlwd@DiP0+WrQus!H+2hBl^tAacR<}>-xr@d>?$83 zDC-_{kN+?yeQI7ryi_By+L5w`a1Z1w1XTo8#8($H1CWaS!@9T!*2O=XXV=AxQ{u{h zh@*QSz;Se>aW;;NQ)0X))vx;F!|47veE#2z{QVSB`C&w}b8^?BD+M>iANu0rlb8vv`dTpoST;kU z2mbyi6nGj9J zn$@OwkM=Oc(XvU~=KJ1zV`N4V66*wB9o_f&Ldm6fEPHO7_;pM~pX*fc_tb}2BU&8{ zf605ljqp{`X}iwBdq2>;cM^~HyaDgsz~#L@RXJAL!x`i&;@Uzg&#}~Lh}yhhf8=?W 
zBQ^1KnY3=DQQGr{lr76UpAtd4B3iM$_lFSPBSx}t-n#*K?>^+c&f1yr+NTO_wm2o4 z#!tt`->&yCI0D|&u*KqN8!FkSTDCM zy|*|erUsHOyxzm$2zc)&F&4)}z*s>ZQh zrL9=7w#xG|j1NTXU+~^~8XtTvBv2Hc_!g&vaBjCND$>+JrvC=UB-ir$}dm3b}Jd%E|!<5wZ!$!7m`o7kt zCvN$4JF-}NpW7y`zmc69VvT713*P%}gu~dU?K%hV{Y3Mg86NL}{TXw~l$$ihDT@kHV-upucuje3NFz+=J z>uPy2K;G-{nc_Vdul@AUW{XoIi6_N^d2bR&z4ObMW3cn)gg`dC!vp z@ZLr|-ZKNdXP))q;!4%6vM#SIQ&;q?)u>-TC~f+5d#bEpvfkCEoysF;?m0l{ zf#y9EJl+!nytfyR_u2sOwFS0V@~WtIaG83s6J8ASPz_UGIds(bljSFC6OEMo<6VSH z{n?>i5v^F>`$Gs*=`VaAOY>g9dzz5<+7xl(wGG;AaZ0>(n|k5Ahrto>p3e6v9O)ea z@3ol)TwSxgDzHnqSkacwkIY$FXvOf*ulBM0KEh{;rtLZh?-8KuJ!3rH1K-2Z9Ei(%gUoWQOBuJjcc{l? zHMTH`#I$Nv$h5L1?K-&U!)Of3sM@&xh;(y9*VlGvS41n8_x=#V2cBY{c?!92R=iF< z_Z08B9?gM(_aY$gwH%!puY=6cW{XqehC@UPulF!G0^S?{h{Z8KRC18H#71((55CaP z$!XQDWmVUkz7-FPRtsE>yXciBL6~YH<5AvF2(d=A{zbj_+Xy$zuZkp%mexFrs5uv~eu4PuRG{R`gvZG;murtLZh z?-8MS4}A{~;J(S{+}2?EQ(5r-xQRTP{wCA^#9ZFJ?53Av5zG2FJxIF$>^0|8rE6 zNYFgQhRZ`<%vc`E#^oXP-ck!C(hoIfPPtQ5)2-)rxL|45I=I?k3q9GO%z^D?K^wiK z70C5Z8AzNynG<-LQJdw=7k91$mt8rZ!x*1w41qt{dD`^eeD`@}Ih0KtACo-^@J`2*fBIsQp-Hh(NW ziP<0mEj_098_w!m&2yi4GstIN-ta#0^1V|yGWSA19w<8Zz_<93{+E=tiYLjzdpC-S zA0#ULL>O{dUitdbySFbf^5!5~|3;trw-MI$B>z=?N{Y@4ns|8u+%MUJLeD#}_37vj zIacQ0Z!ZbH=C=%Se>8tblF4%SqrL941nXRX$01(6;gW>fo=d7Dul%m+sk+jR$3y!f z+UKoL|1k28eHXsZv;_s?IT6-Xwd-ca^XLy~%f%_NAYhso=a{#Xq2uQ`Ui>6t;|Kek zh0$>sKhjc<*VWW^O|0{0ZY9asy>D-^SG%MWgLzB8$d@+{*jaA{tvLm;Mzmt*?SBYi z)hqunKHk9is2Rb=$3Up$=s2|5;*@v-;8+2cy5N`<9|cL|Fh0me@Z#eQHa_YwI06hO zKzs~5uD2b&_wEVjmUl(EJ1jz)v`TruOzcx-zWDP=Qd8;@<0mJL-hTEAAUox7LhsB# zn1KCy4S zMrYmqSeCrJCd=dtbDTotU~ad=t{1^Z(&GU%-1Tc` w+!!IOh9Qps4HCcJnZD{-TszO6w-#LxGsisWK+F(fV`ey1a*PmO_2QHGf3F~;+yDRo literal 0 HcmV?d00001 diff --git a/testing/btest/core/tcp/tcp-dups.zeek b/testing/btest/core/tcp/tcp-dups.zeek new file mode 100644 index 0000000000..0784cf7c36 --- /dev/null +++ b/testing/btest/core/tcp/tcp-dups.zeek 
@@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -C -r $TRACES/tcp/ssh-dups.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event tcp_multiple_retransmissions(c: connection, is_orig: bool, threshold: count)
+{
+ print "RETRANSMITS:", c$id, is_orig, threshold, c$history;
+}
+event connection_state_remove(c: connection)
+{
+ print "REMOVE:", c$id, c$history;
+}
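Review bot: The new btest replays only a connection that opens with a full handshake (the expected history in the `out` baseline starts with `Sh`), so the partial-connection adjustment made in init_endpoint is not exercised by it. The one partial connection among the updated baselines, `^dA` becoming `^dtA` in all-events.log, now gains a `t`, and nothing here shows whether that is a genuine duplicate in the trace or the first data packet being counted. A second `@TEST-EXEC` run over a mid-stream capture with no duplicates, whose baseline history contains no `t`/`T`, would pin that down.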