mirror of
https://github.com/zeek/zeek.git
synced 2025-10-05 08:08:19 +00:00
0aecca979e
The ICMP/ICMPv6 analyzers function correctly when full packets have not been captured, but everything up to and including the ICMP header is there (e.g. the functions that inspect ICMP error message context correctly check the caplen to see if more info can be extracted). The "Should have been caught earlier already." comment may have referred to NetSessions::CheckHeaderTrunc, which works as intended to catch cases where the ICMP header is not there in full, but then the assert was still not correctly formulated for that... Also changed the ICMP checksum calculation to not occur when the full packet has not been captured, which seems consistent with what the UDP analysis does.
32 lines
1.1 KiB
Text
32 lines
1.1 KiB
Text
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1334160095.895421 - - - - - truncated_IP - F bro
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1334156241.519125 - - - - - truncated_IP - F bro
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1334094648.590126 - - - - - truncated_IP - F bro
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1338328954.078361 - - - - - internally_truncated_header - F bro
|