mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00

Mostly this verifies that we actually have the full headers that we are trying to read in a packet. Addresses BIT-1463
28 lines
1.1 KiB
Text
# Truncated IP packets should not be analyzed, and generate truncated_IP weird

# @TEST-EXEC: bro -r $TRACES/trunc/ip4-trunc.pcap
# @TEST-EXEC: mv weird.log output
# @TEST-EXEC: bro -r $TRACES/trunc/ip6-trunc.pcap
# @TEST-EXEC: cat weird.log >> output
# @TEST-EXEC: bro -r $TRACES/trunc/ip6-ext-trunc.pcap
# @TEST-EXEC: cat weird.log >> output

# If an ICMP packet's payload is truncated due to too small snaplen,
# the checksum calculation is bypassed (and Bro doesn't crash, of course).

# @TEST-EXEC: rm -f weird.log
# @TEST-EXEC: bro -r $TRACES/trunc/icmp-payload-trunc.pcap
# @TEST-EXEC: test ! -e weird.log

# If an ICMP packet has the ICMP header truncated due to too small snaplen,
# an internally_truncated_header weird gets generated.

# @TEST-EXEC: bro -r $TRACES/trunc/icmp-header-trunc.pcap
# @TEST-EXEC: cat weird.log >> output

# Truncated packets where the captured length is less than the length required
# for the packet header should also raise a Weird
# @TEST-EXEC: bro -r $TRACES/trunc/trunc-hdr.pcap
# @TEST-EXEC: cat weird.log >> output

# @TEST-EXEC: btest-diff output
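
Added example, not part of this test file and not Zeek's code: a Python rendering of the length checks that the cases above exercise for an Ethernet/IPv4/ICMP frame, comparing captured bytes and wire length against each header before reading it. The names `classify` and `icmp_frame`, every label other than `truncated_IP` and `internally_truncated_header`, and the exact conditions are assumptions of this example.

```python
import struct

ETH, IP4_MIN, ICMP_HDR = 14, 20, 8  # header sizes in bytes

def classify(captured: bytes, wire_len: int) -> str:
    """Say how far an Ethernet/IPv4/ICMP frame may be parsed.

    captured: the bytes the capture kept (caplen); wire_len: original
    length from the pcap record header. Conditions are assumptions.
    """
    if len(captured) < ETH:
        return "truncated_link_header"        # label is this example's own
    if captured[12:14] != b"\x08\x00":
        return "not_ipv4"
    ip = captured[ETH:]
    if len(ip) < IP4_MIN:
        return "internally_truncated_header"  # fixed IPv4 header cut off
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < IP4_MIN or total_len < ihl:
        return "bad_ip_header"                # label is this example's own
    if wire_len - ETH < total_len:
        return "truncated_IP"                 # wire packet shorter than IP claims
    if len(ip) < ihl:
        return "internally_truncated_header"  # IP options cut off by snaplen
    if ip[9] != 1:                            # protocol 1 = ICMP
        return "ok"
    if len(ip) - ihl < ICMP_HDR:
        return "internally_truncated_header"  # ICMP header cut off by snaplen
    if len(ip) < total_len:
        return "skip_checksum"                # payload cut off: do not verify
    return "ok"

def icmp_frame(payload_len: int) -> bytes:
    """Constructed sample: Ethernet + IPv4 + ICMP echo, checksums zeroed."""
    total = IP4_MIN + ICMP_HDR + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = b"\x08\x00" + b"\x00" * 6
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp + b"A" * payload_len

if __name__ == "__main__":
    full = icmp_frame(56)                     # 98 bytes on the wire
    for caplen, wire in [(98, 98), (60, 98), (38, 98), (60, 60), (10, 98)]:
        print(caplen, wire, classify(full[:caplen], wire))
```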