- For RH0 headers with non-zero segments left, a "routing0_segleft"
flow_weird event is raised (with a destination indicating the last
address in the routing header), and an "rh0_segleft" event can also
be handled if the other contents of the packet header are of interest.
No further analysis is done as the complexity required to correctly
identify destination endpoints of connections doesn't seem worth it
as RH0 has been deprecated by RFC 5095.
- For RH0 headers without any segments left, a "routing0_header"
flow_weird event is raised, but further analysis still occurs
as normal.
- New script measures a couple of aspects of SMTP traffic.
- Existing metrics scripts had a small amount of work done
to make them work with changes to metrics framework.
- flow_weird event with name argument value of "routing0_hdr" is raised
for packets containing an IPv6 routing type 0 header because this
type of header is now deprecated according to RFC 5095.
- packets with a routing type 0 header and non-zero segments left
now use the last address in that header in order to associate
with a connection/flow and for calculating TCP/UDP checksums.
- added a set of IPv4/IPv6 TCP/UDP checksum unit tests
* topic/jsiwek/ipv6-ext-headers:
Cosmetics in preparation for merge.
Removing remaining comments. Looks fine.
Refactor script-layer IPv6 ext. header chain (addresses #795)
Changes to IPv6 ext. header parsing (addresses #795).
Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF.
Remove the default "tcp or udp or icmp" filter.
Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-ext-headers'
Add unit test for IPv6 fragment reassembly.
Update PacketFilter/Discarder code for IP version independence.
Add a few comments to IP.h
Fix some IPv6 header related bugs.
Add IPv6 fragment reassembly.
Add handling for IPv6 extension header chains (addresses #531)
Closes#795.
- Metrics:ID enum has been replaced with strings.
- Uniqueness can now be measured with the Metrics::add_unique function.
- Filters can change the index value with the $normalize_func field.
This do not have to be present in the input file and are marked as &optional in the record description.
Those can e.g. be used to create field values on the file in a predicate while reading a file - example:
Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers,
$pred(typ: Input::Event, left: Idx, right: Val) = { right$notb = !right$b; return T; }
In response to feedback from Robin:
- rename "ip_hdr" to "ip4_hdr"
- pkt_hdr$ip6 is now of type "ip6_hdr" instead of "ip6_hdr_chain"
- "ip6_hdr_chain" no longer contains an "ip6_hdr" field, instead
it's the other way around, "ip6_hdr" contains an "ip6_hdr_chain"
- other internal refactoring
support reading from commands by adppending | to the filename.
support streaming reads from command.
Fix something to make rearead work better. (magically happened)
Note that fdstream.h is from boost and has a separate license:
* (C) Copyright Nicolai M. Josuttis 2001.
* Permission to copy, use, modify, sell and distribute this software
* is granted provided this copyright notice appears in all copies.
* This software is provided "as is" without express or implied
* warranty, and with no claim as to its suitability for any purpose.
