mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
0aecca979e
The ICMP/ICMPv6 analyzers function correctly when full packets have not been captured, but everything up to and including the ICMP header is there (e.g. the functions that inspect ICMP error message context correctly check the caplen to see if more info can be extracted). The "Should have been caught earlier already." comment may have referred to NetSessions::CheckHeaderTrunc, which works as intended to catch cases where the ICMP header is not there in full, but then the assert was still not correctly formulated for that... Also changed the ICMP checksum calculation to not occur when the full packet has not been captured, which seems consistent with what the UDP analysis does.
22 lines
875 B
Text
22 lines
875 B
Text
# Truncated IP packet's should not be analyzed, and generate truncated_IP weird
|
|
|
|
# @TEST-EXEC: bro -r $TRACES/trunc/ip4-trunc.pcap
|
|
# @TEST-EXEC: mv weird.log output
|
|
# @TEST-EXEC: bro -r $TRACES/trunc/ip6-trunc.pcap
|
|
# @TEST-EXEC: cat weird.log >> output
|
|
# @TEST-EXEC: bro -r $TRACES/trunc/ip6-ext-trunc.pcap
|
|
# @TEST-EXEC: cat weird.log >> output
|
|
|
|
# If an ICMP packet's payload is truncated due to too small snaplen,
|
|
# the checksum calculation is bypassed (and Bro doesn't crash, of course).
|
|
|
|
# @TEST-EXEC: rm -f weird.log
|
|
# @TEST-EXEC: bro -r $TRACES/trunc/icmp-payload-trunc.pcap
|
|
# @TEST-EXEC: test ! -e weird.log
|
|
|
|
# If an ICMP packet has the ICMP header truncated due to too small snaplen,
|
|
# an internally_truncated_header weird gets generated.
|
|
|
|
# @TEST-EXEC: bro -r $TRACES/trunc/icmp-header-trunc.pcap
|
|
# @TEST-EXEC: cat weird.log >> output
|
|
# @TEST-EXEC: btest-diff output
|