osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/test/suite_dissection.py

838 lines
47 KiB
Python
Raw Permalink Normal View History

Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
#
# Wireshark tests
# By Gerald Combs <gerald@wireshark.org>
#
# Ported from a set of Bash scripts which were copyright 2005 Ulf Lamping
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
'''Dissection tests'''
import os.path
import subprocesstest
import unittest
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
import fixtures
test: skip some tests on big endian machines. Dumpcap doesn't support fifos with streams created on a machine with different endianess. Until dumpcap will support that, we need to skip some tests so the whole test suite can pass. Ping-Bug: 15754 Change-Id: Ia7fdf833715bf975fcee76968a7c1d75d084bd6f Reviewed-on: https://code.wireshark.org/review/34173 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Dario Lombardo <lomato@gmail.com>
2019-08-03 20:07:55 +00:00
import sys
Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
BPv7: Add Bundle Protocol version 7 and BPSec dissectors from dtn-wireshark
2021-10-06 01:28:12 +00:00
TCPCLv4: Update TCPCL dissector to include version 4 from dtn-wireshark Some enhancements and visual fixes to version 3 dissector are also included.
2021-10-11 05:03:50 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_dtn_tcpcl(subprocesstest.SubprocessTestCase):
def test_tcpclv3_xfer(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_tcpclv3_bpv6_transfer.pcapng'),
'-Tfields', '-etcpcl.ack.length',
))
self.assertEqual(self.countOutput(r'1064'), 2)
def test_tcpclv4_xfer(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_tcpclv4_bpv7_transfer.pcapng'),
'-Tfields', '-etcpcl.v4.xfer_ack.ack_len',
))
self.assertEqual(self.countOutput(r'199'), 2)
BPv7: Add Bundle Protocol version 7 and BPSec dissectors from dtn-wireshark
2021-10-06 01:28:12 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_bpv7(subprocesstest.SubprocessTestCase):
def test_bpv7_admin_status(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_udpcl_bpv7_bpsec_bib_admin.pcapng'),
'-Tfields', '-ebpv7.status_rep.identity',
))
self.assertTrue(self.grepOutput(r'Source: ipn:93.185, DTN Time: 1396536125, Seq: 281'))
def test_bpv7_bpsec_bib(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_udpcl_bpv7_bpsec_bib_admin.pcapng'),
'-Tfields', '-ebpsec.asb.ctxid',
))
self.assertEqual(self.countOutput(r'1'), 1)
def test_bpv7_bpsec_bib_admin_type(self, cmd_tshark, features, dirs, capture_file):
# BIB doesn't alter payload
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_udpcl_bpv7_bpsec_bib_admin.pcapng'),
'-Tfields', '-ebpv7.admin_rec.type_code',
))
self.assertEqual(self.countOutput(r'1'), 1)
def test_bpv7_bpsec_bcb(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_udpcl_bpv7_bpsec_bcb_admin.pcapng'),
'-Tfields', '-ebpsec.asb.ctxid',
))
self.assertEqual(self.countOutput(r'2'), 1)
def test_bpv7_bpsec_bcb_admin_type(self, cmd_tshark, features, dirs, capture_file):
# BCB inhibits payload dissection
self.assertRun((cmd_tshark,
'-r', capture_file('dtn_udpcl_bpv7_bpsec_bcb_admin.pcapng'),
'-Tfields', '-ebpv7.admin_rec.type_code',
))
self.assertEqual(self.countOutput(r'1'), 0)
COSE dissector from dtn-wireshark project
2021-05-11 03:50:41 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_cose(subprocesstest.SubprocessTestCase):
'''
These test captures were generated from the COSE example files with command:
for FN in test/captures/cose*.cbordiag; do python3 tools/generate_cbor_pcap.py --content-type 'application/cose' --infile $FN --outfile ${FN%.cbordiag}.pcap; done
'''
def test_cose_sign_tagged(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_sign_tagged.pcap'),
'-Tfields', '-ecose.msg.signature',
))
self.assertTrue(self.grepOutput('e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b98f53afd2fa0f30a'))
def test_cose_sign1_tagged(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_sign1_tagged.pcap'),
'-Tfields', '-ecose.msg.signature',
))
self.assertTrue(self.grepOutput('8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5a4c345cacb36'))
def test_cose_encrypt_tagged(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_encrypt_tagged.pcap'),
'-Tfields', '-ecose.kid',
))
self.assertTrue(self.grepOutput('6f75722d736563726574'))
def test_cose_encrypt0_tagged(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_encrypt0_tagged.pcap'),
'-Tfields', '-ecose.iv',
))
self.assertTrue(self.grepOutput('89f52f65a1c580933b5261a78c'))
def test_cose_mac_tagged(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_mac_tagged.pcap'),
'-Tfields', '-ecose.kid',
))
self.assertTrue(self.grepOutput('30313863306165352d346439622d343731622d626664362d656566333134626337303337'))
def test_cose_mac0_tagged(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_mac0_tagged.pcap'),
'-Tfields', '-ecose.msg.mac_tag',
))
self.assertTrue(self.grepOutput('726043745027214f'))
def test_cose_keyset(self, cmd_tshark, features, dirs, capture_file):
self.assertRun((cmd_tshark,
'-r', capture_file('cose_keyset.pcap'),
'-Tfields', '-ecose.key.k',
))
self.assertTrue(self.grepOutput('849b57219dae48de646d07dbb533566e976686457c1491be3a76dcea6c427188'))
Protobuf/gRPC: add test cases for Protobuf and gRPC Add case_dissect_protobuf and case_dissect_grpc in test/suite_dissection.py. Add *.proto into the sub directories of test/protobuf_lang_files/. Run command like 'pytest --program-path .\run\Debug\ -k "grpc or protobuf"' in build directory (in windows) to test these cases only.
2020-11-22 13:55:47 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_grpc(subprocesstest.SubprocessTestCase):
def test_grpc_with_json(self, cmd_tshark, features, dirs, capture_file):
'''gRPC with JSON payload'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_person_search_json_with_image.pcapng.gz'),
'-d', 'tcp.port==50052,http2',
'-Y', 'grpc.message_length == 208 && json.value.string == "87561234"',
))
self.assertTrue(self.grepOutput('GRPC/JSON'))
def test_grpc_with_protobuf(self, cmd_tshark, features, dirs, capture_file):
'''gRPC with Protobuf payload'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_person_search_protobuf_with_image.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-d', 'tcp.port==50051,http2',
'-Y', 'protobuf.message.name == "tutorial.PersonSearchRequest"'
' || (grpc.message_length == 66 && protobuf.field.value.string == "Jason"'
' && protobuf.field.value.int64 == 1602601886)',
))
self.assertTrue(self.grepOutput('tutorial.PersonSearchService/Search')) # grpc request
self.assertTrue(self.grepOutput('tutorial.Person')) # grpc response
http2: fix the stream mode reassembly issue - Point all MSP related DATA frames to their MSP instead of using wmem_tree_lookup32_array_le(). - Add test_grpc_streaming_mode_reassembly testcase for verifying this feature. close #17633
2021-10-20 16:26:19 +00:00
def test_grpc_streaming_mode_reassembly(self, cmd_tshark, features, dirs, capture_file):
'''gRPC/HTTP2 streaming mode reassembly'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_stream_reassembly_sample.pcapng.gz'),
'-d', 'tcp.port==50051,http2',
'-d', 'tcp.port==44363,http2',
'-2', # make http2.body.reassembled.in available
'-Y', # Case1: In frame28, one http DATA contains 4 completed grpc messages (json data seq=1,2,3,4).
'(frame.number == 28 && grpc && json.value.number == "1" && json.value.number == "2"'
' && json.value.number == "3" && json.value.number == "4" && http2.body.reassembled.in == 45) ||'
# Case2: In frame28, last grpc message (the 5th) only has 4 bytes, which need one more byte
# to be a message head. a completed message is reassembled in frame45. (json data seq=5)
'(frame.number == 45 && grpc && http2.body.fragment == 28 && json.value.number == "5"'
' && http2.body.reassembled.in == 61) ||'
# Case3: In frame45, one http DATA frame contains two partial fragment, one is part of grpc
# message of previous http DATA (frame28), another is first part of grpc message of next http
# DATA (which will be reassembled in next http DATA frame61). (json data seq=6)
'(frame.number == 61 && grpc && http2.body.fragment == 45 && json.value.number == "6") ||'
# Case4: A big grpc message across frame100, frame113, frame126 and finally reassembled in frame139.
'(frame.number == 100 && grpc && http2.body.reassembled.in == 139) ||'
'(frame.number == 113 && !grpc && http2.body.reassembled.in == 139) ||'
'(frame.number == 126 && !grpc && http2.body.reassembled.in == 139) ||'
'(frame.number == 139 && grpc && json.value.number == "9") ||'
# Case5: An large grpc message of 200004 bytes.
'(frame.number == 164 && grpc && grpc.message_length == 200004)',
))
self.assertEqual(self.countOutput('DATA'), 8)
HTTP2/GRPC: support using fake headers if first HEADERS frame is missing Add an UAT for configuring fake headers according to the server port, stream id and direction of the long-lived stream that we start capturing packets after it is established. That helps to parsing the DATAs captured subsequently. A testcase also added. close #17691
2021-10-28 10:07:35 +00:00
def test_grpc_http2_fake_headers(self, cmd_tshark, features, dirs, capture_file):
'''HTTP2/gRPC fake headers (used when HTTP2 initial HEADERS frame is missing)'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_person_search_protobuf_with_image-missing_headers.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'uat:http2_fake_headers: "{}","{}","{}","{}","{}","{}"'.format(
'50051','3','IN',':path','/tutorial.PersonSearchService/Search','TRUE'),
'-o', 'uat:http2_fake_headers: "{}","{}","{}","{}","{}","{}"'.format(
'50051','0','IN','content-type','application/grpc','TRUE'),
'-o', 'uat:http2_fake_headers: "{}","{}","{}","{}","{}","{}"'.format(
'50051','0','OUT','content-type','application/grpc','TRUE'),
'-d', 'tcp.port==50051,http2',
'-Y', 'protobuf.field.value.string == "Jason" || protobuf.field.value.string == "Lily"',
))
self.assertEqual(self.countOutput('DATA'), 2)
GRPC: Add support for gRPC-Web Supporting both application/grpc-web and application/grpc-web-text. Add test case for grpc-web(-text). close #17939
2022-02-22 16:37:28 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_grpc_web(subprocesstest.SubprocessTestCase):
def test_grpc_web_unary_call_over_http1(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web unary call over http1'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57226,http',
'-Y', '(tcp.stream eq 0) && (pbf.greet.HelloRequest.name == "88888888"'
'|| pbf.greet.HelloRequest.name == "99999999"'
'|| pbf.greet.HelloReply.message == "Hello 99999999")',
))
self.assertEqual(self.countOutput('greet.HelloRequest'), 2)
self.assertEqual(self.countOutput('greet.HelloReply'), 1)
def test_grpc_web_unary_call_over_http2(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web unary call over http2'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57228,http2',
'-Y', '(tcp.stream eq 1) && (pbf.greet.HelloRequest.name == "88888888"'
'|| pbf.greet.HelloRequest.name == "99999999"'
'|| pbf.greet.HelloReply.message == "Hello 99999999")',
))
self.assertEqual(self.countOutput('greet.HelloRequest'), 2)
self.assertEqual(self.countOutput('greet.HelloReply'), 1)
def test_grpc_web_reassembly_and_stream_over_http2(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web data reassembly and server stream over http2'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57228,http2',
'-Y', '(tcp.stream eq 2) && ((pbf.greet.HelloRequest.name && grpc.message_length == 80004)'
'|| (pbf.greet.HelloReply.message && (grpc.message_length == 23 || grpc.message_length == 80012)))',
))
self.assertEqual(self.countOutput('greet.HelloRequest'), 2)
self.assertEqual(self.countOutput('greet.HelloReply'), 4)
def test_grpc_web_text_unary_call_over_http1(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web-Text unary call over http1'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57226,http',
'-Y', '(tcp.stream eq 5) && (pbf.greet.HelloRequest.name == "88888888"'
'|| pbf.greet.HelloRequest.name == "99999999"'
'|| pbf.greet.HelloReply.message == "Hello 99999999")',
))
self.assertTrue(self.grepOutput('GRPC-Web-Text'))
self.assertEqual(self.countOutput('greet.HelloRequest'), 2)
self.assertEqual(self.countOutput('greet.HelloReply'), 1)
def test_grpc_web_text_unary_call_over_http2(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web-Text unary call over http2'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57228,http2',
'-Y', '(tcp.stream eq 6) && (pbf.greet.HelloRequest.name == "88888888"'
'|| pbf.greet.HelloRequest.name == "99999999"'
'|| pbf.greet.HelloReply.message == "Hello 99999999")',
))
self.assertTrue(self.grepOutput('GRPC-Web-Text'))
self.assertEqual(self.countOutput('greet.HelloRequest'), 2)
self.assertEqual(self.countOutput('greet.HelloReply'), 1)
def test_grpc_web_text_reassembly_and_stream_over_http2(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web-Text data reassembly and server stream over http2'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57228,http2',
'-Y', '(tcp.stream eq 8) && ((pbf.greet.HelloRequest.name && grpc.message_length == 80004)'
'|| (pbf.greet.HelloReply.message && (grpc.message_length == 23 || grpc.message_length == 80012)))',
))
self.assertTrue(self.grepOutput('GRPC-Web-Text'))
self.assertEqual(self.countOutput('greet.HelloRequest'), 2)
self.assertEqual(self.countOutput('greet.HelloReply'), 4)
def test_grpc_web_text_reassembly_over_http1(self, cmd_tshark, features, dirs, capture_file):
'''gRPC-Web-Text data reassembly over http1'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('grpc_web.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-d', 'tcp.port==57226,http',
'-Y', '(tcp.stream eq 7) && (grpc.message_length == 80004 || grpc.message_length == 80010)',
))
self.assertTrue(self.grepOutput('GRPC-Web-Text'))
self.assertEqual(self.countOutput('greet.HelloRequest'), 1)
self.assertEqual(self.countOutput('greet.HelloReply'), 1)
Add brotli decompression support for HTTP and HTTP2 dissectors. Change-Id: I9c09f55673187f6fee723fcd72798fb6b9958b03 Reviewed-on: https://code.wireshark.org/review/32745 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-04-10 10:52:52 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_http(subprocesstest.SubprocessTestCase):
def test_http_brotli_decompression(self, cmd_tshark, features, dirs, capture_file):
'''HTTP brotli decompression'''
if not features.have_brotli:
self.skipTest('Requires brotli.')
self.assertRun((cmd_tshark,
'-r', capture_file('http-brotli.pcapng'),
'-Y', 'http.response.code==200',
'-Tfields', '-etext',
))
self.assertTrue(self.grepOutput('This is a test file for testing brotli decompression in Wireshark'))
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
class case_dissect_http2(subprocesstest.SubprocessTestCase):
test: convert some more tests to use fixtures Continue the conversion from use of globals (the config module) to fixtures. If a program (like wmem_test or tshark) is unavailable, it will be skipped now rather than failing the test. The general conversion pattern is: - Decorate each class with `@fixtures.uses_fixtures` and (for tests that run tshark) `@fixtures.mark_usefixtures('test_env')`. - Convert all `config.cmd_*` to `cmd_*` and add an argument. - Convert all `config.*_dir` to `dirs.*_dir` and add an argument. - Convert users of `os.path.join(dirs.capture_file, ...)` to use a new 'capture_file' fixture to reduce boilerplate code. Inline variables if possible (this conversion was done in an automated way using regexes). Some other changes: tests that do not require a test environment (like wmem_test) will use 'base_env' which avoids copying config files, `env=config.test_env` got removed since this is the default. Some test classes in suite_clopts were combined. Removed unused imports. Change-Id: Id5480ffaee7d8d56cf2cb3189a38ae9afa7605a1 Reviewed-on: https://code.wireshark.org/review/30591 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-13 01:17:33 +00:00
def test_http2_data_reassembly(self, cmd_tshark, features, dirs, capture_file):
Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
'''HTTP2 data reassembly'''
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
if not features.have_nghttp2:
Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
self.skipTest('Requires nghttp2.')
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
key_file = os.path.join(dirs.key_dir, 'http2-data-reassembly.keys')
test: use assertRun instead of runProcess where possible The case_decrypt_tls.test_tls_rsa_pq test is unexpectedly passing when GnuTLS is disabled. It checks for '/' in the output, but that also matches an error message. Use assertRun here and pretty much everywhere else to catch such issues. Remove a few redundant returncode checks. Change-Id: I0f9d1dadc0ca73eef9cffb3e2f452aa7c8395c95 Reviewed-on: https://code.wireshark.org/review/30838 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-30 00:31:32 +00:00
self.assertRun((cmd_tshark,
test: convert some more tests to use fixtures Continue the conversion from use of globals (the config module) to fixtures. If a program (like wmem_test or tshark) is unavailable, it will be skipped now rather than failing the test. The general conversion pattern is: - Decorate each class with `@fixtures.uses_fixtures` and (for tests that run tshark) `@fixtures.mark_usefixtures('test_env')`. - Convert all `config.cmd_*` to `cmd_*` and add an argument. - Convert all `config.*_dir` to `dirs.*_dir` and add an argument. - Convert users of `os.path.join(dirs.capture_file, ...)` to use a new 'capture_file' fixture to reduce boilerplate code. Inline variables if possible (this conversion was done in an automated way using regexes). Some other changes: tests that do not require a test environment (like wmem_test) will use 'base_env' which avoids copying config files, `env=config.test_env` got removed since this is the default. Some test classes in suite_clopts were combined. Removed unused imports. Change-Id: Id5480ffaee7d8d56cf2cb3189a38ae9afa7605a1 Reviewed-on: https://code.wireshark.org/review/30591 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-13 01:17:33 +00:00
'-r', capture_file('http2-data-reassembly.pcap'),
Start renaming SSL to TLS. Rename the "ssl" protocol to "tls" and add an "ssl" alias. Prefer "TLS" over "SSL" in user interface text and in the documentation. Fix the test_tls_master_secret test while we're here. Bug: 14922 Change-Id: Iab6ba2c7c4c0f8f6dd0f6d5d90fac5e9486612f8 Reviewed-on: https://code.wireshark.org/review/29649 Petri-Dish: Gerald Combs <gerald@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-09-13 15:40:27 +00:00
'-o', 'tls.keylog_file: {}'.format(key_file),
'-d', 'tcp.port==8443,tls',
Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
'-Y', 'http2.data.data matches "PNG" && http2.data.data matches "END"',
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
))
Start porting our test scripts to Python. Add ctest support. Create Python versions of our various test shell scripts. Add CMake tests for each suite. Tests can now be run directly via test.py, via the "test" target, or via ctest, e.g. ctest --verbose --jobs 3 Add a testing chapter to the Developer's Guide. Add a way to disable ctest in dpkg-buildpackage. Suites completed: - capture - clopts - decryption - dissection Remaining suites: - fileformats - io - mergecap - nameres - text2pcap - unittests - wslua Change-Id: I8936e05edefc76a86b6a7a5da302e7461bbdda0f Reviewed-on: https://code.wireshark.org/review/27134 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-04-03 00:12:23 +00:00
self.assertTrue(self.grepOutput('DATA'))
tcp: add support for reassembling out-of-order segments Currently out-of-order segments will result in cutting a stream into two pieces while the out-of-order segment itself is ignored. For example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with "C" ignored. This behavior breaks TLS decryption or prevent application layer PDUs (such as HTTP requests/responses) from being reconstructed. To fix this, buffer segments when a gap is detected. The proposed approach extends the "multi-segment PDU" (MSP) mechanism which is normally used for linking multiple, sequential TCP segments into a single PDU. When a gap is detected between segments, it is assumed that the segments within this gap are out-of-order and will be received (or retransmitted) later. The current implementation has a limitation though, if multiple gaps exist, then the subdissector will only be called when all gaps are filled (the subdissector will receive segments later than necessary). For example with "ACEBD", "ABC" can already be processed after "B" is received (with "E" still buffered), but due to how MSP are extended, it must receive "D" too before it reassembles "ABCDE". In practice this could mean that the request/response times between HTTP requests and responses are slightly off, but at least the stream is correct now. (These limitations are documented in the User's Guide.) As the feature fails at least the 802.11 decryption test where packets are missing (instead of OoO), hide this feature behind a preference. Tested with captures containing out-of-order TCP segments from the linked bug reports, comparing the effect of toggling the preference on the summary output of tshark, the verbose output (-V) and the two-pass output (-2 or -2V). Captures marked with "ok" just needed "simple" out-of-order handling. Captures marked with "ok2" additionally required the reassembly API change to set the correct reassembled length. This change does "regress" on bug 10289 though when the preference is enabled as retransmitted single-segment PDUs are now passed to subdissectors. I added a TODO comment for this unrelated cosmetic issue. Bug: 3389 # capture 2907 (HTTP) ok Bug: 4727 # capture 4590 (HTTP) ok Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok Bug: 13754 # capture 15593 (MySQL) ok2 Bug: 14649 # capture 16305 (WebSocket) ok Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56 Reviewed-on: https://code.wireshark.org/review/27943 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-06-01 13:11:47 +00:00
Add brotli decompression support for HTTP and HTTP2 dissectors. Change-Id: I9c09f55673187f6fee723fcd72798fb6b9958b03 Reviewed-on: https://code.wireshark.org/review/32745 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-04-10 10:52:52 +00:00
def test_http2_brotli_decompression(self, cmd_tshark, features, dirs, capture_file):
'''HTTP2 brotli decompression'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
if not features.have_brotli:
self.skipTest('Requires brotli.')
self.assertRun((cmd_tshark,
'-r', capture_file('http2-brotli.pcapng'),
'-Y', 'http2.data.data matches "This is a test file for testing brotli decompression in Wireshark"',
))
self.assertTrue(self.grepOutput('DATA'))
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
def test_http2_follow_0(self, cmd_tshark, features, dirs, capture_file):
'''Follow HTTP/2 Stream ID 0 test'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
key_file = os.path.join(dirs.key_dir, 'http2-data-reassembly.keys')
self.assertRun((cmd_tshark,
'-r', capture_file('http2-data-reassembly.pcap'),
'-o', 'tls.keylog_file: {}'.format(key_file),
'-z', 'follow,http2,hex,0,0'
))
HTTP2: Send headers to the follow tap after decompression Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION frames) are compressed by HPACK. Send them to the follow tap only after decompression. Update the tests to match the new output. Ping #18239 (There's still the case of gzip and brotli compressed DATA frames to handle).
2022-08-03 11:29:29 +00:00
# Stream ID 0 bytes
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
self.assertTrue(self.grepOutput('00000000 00 00 12 04 00 00 00 00'))
HTTP2: Send headers to the follow tap after decompression Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION frames) are compressed by HPACK. Send them to the follow tap only after decompression. Update the tests to match the new output. Ping #18239 (There's still the case of gzip and brotli compressed DATA frames to handle).
2022-08-03 11:29:29 +00:00
# Stream ID 1 bytes, decrypted but compressed by HPACK
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
self.assertFalse(self.grepOutput('00000000 00 00 2c 01 05 00 00 00'))
HTTP2: Send headers to the follow tap after decompression Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION frames) are compressed by HPACK. Send them to the follow tap only after decompression. Update the tests to match the new output. Ping #18239 (There's still the case of gzip and brotli compressed DATA frames to handle).
2022-08-03 11:29:29 +00:00
# Stream ID 1 bytes, decrypted and uncompressed
self.assertFalse(self.grepOutput('00000000 00 00 00 07 3a 6d 65 74'))
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
def test_http2_follow_1(self, cmd_tshark, features, dirs, capture_file):
'''Follow HTTP/2 Stream ID 1 test'''
if not features.have_nghttp2:
self.skipTest('Requires nghttp2.')
key_file = os.path.join(dirs.key_dir, 'http2-data-reassembly.keys')
self.assertRun((cmd_tshark,
'-r', capture_file('http2-data-reassembly.pcap'),
'-o', 'tls.keylog_file: {}'.format(key_file),
'-z', 'follow,http2,hex,0,1'
))
HTTP2: Send headers to the follow tap after decompression Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION frames) are compressed by HPACK. Send them to the follow tap only after decompression. Update the tests to match the new output. Ping #18239 (There's still the case of gzip and brotli compressed DATA frames to handle).
2022-08-03 11:29:29 +00:00
# Stream ID 0 bytes
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
self.assertFalse(self.grepOutput('00000000 00 00 12 04 00 00 00 00'))
HTTP2: Send headers to the follow tap after decompression Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION frames) are compressed by HPACK. Send them to the follow tap only after decompression. Update the tests to match the new output. Ping #18239 (There's still the case of gzip and brotli compressed DATA frames to handle).
2022-08-03 11:29:29 +00:00
# Stream ID 1 bytes, decrypted but compressed by HPACK
self.assertFalse(self.grepOutput('00000000 00 00 2c 01 05 00 00 00'))
# Stream ID 1 bytes, decrypted and uncompressed
self.assertTrue(self.grepOutput('00000000 00 00 00 07 3a 6d 65 74'))
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
Protobuf/gRPC: add test cases for Protobuf and gRPC Add case_dissect_protobuf and case_dissect_grpc in test/suite_dissection.py. Add *.proto into the sub directories of test/protobuf_lang_files/. Run command like 'pytest --program-path .\run\Debug\ -k "grpc or protobuf"' in build directory (in windows) to test these cases only.
2020-11-22 13:55:47 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_protobuf(subprocesstest.SubprocessTestCase):
def test_protobuf_udp_message_mapping(self, cmd_tshark, features, dirs, capture_file):
'''Test Protobuf UDP Message Mapping and parsing google.protobuf.Timestamp features'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_udp_addressbook_with_image_ts.pcapng'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'uat:protobuf_udp_message_types: "8127","tutorial.AddressBook"',
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-Y', 'pbf.tutorial.Person.name == "Jason"'
' && pbf.tutorial.Person.last_updated > "2020-10-15"'
' && pbf.tutorial.Person.last_updated < "2020-10-19"',
))
self.assertTrue(self.grepOutput('tutorial.AddressBook'))
def test_protobuf_message_type_leading_with_dot(self, cmd_tshark, features, dirs, capture_file):
'''Test Protobuf Message type is leading with dot'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_test_leading_dot.pcapng'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'uat:protobuf_udp_message_types: "8123","a.b.msg"',
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-Y', 'pbf.a.b.a.b.c.param3 contains "in a.b.a.b.c" && pbf.a.b.c.param6 contains "in a.b.c"',
))
self.assertTrue(self.grepOutput('PB[(]a.b.msg[)]'))
def test_protobuf_map_and_oneof_types(self, cmd_tshark, features, dirs, capture_file):
'''Test Protobuf map and oneof types, and taking keyword as identification'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_test_map_and_oneof_types.pcapng'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'uat:protobuf_udp_message_types: "8124","test.map.MapMaster"',
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-Y', 'pbf.test.map.MapMaster.param3 == "I\'m param3 for oneof test."' # test oneof type
' && pbf.test.map.MapMaster.param4MapEntry.value == 1234' # test map type
' && pbf.test.map.Foo.param1 == 88 && pbf.test.map.MapMaster.param5MapEntry.key == 88'
))
self.assertTrue(self.grepOutput('PB[(]test.map.MapMaster[)]'))
def test_protobuf_default_value(self, cmd_tshark, features, dirs, capture_file):
'''Test Protobuf feature adding missing fields with default values'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_test_default_value.pcapng'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'uat:protobuf_udp_message_types: "8128","wireshark.protobuf.test.TestDefaultValueMessage"',
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-o', 'protobuf.add_default_value: all',
'-O', 'protobuf',
'-Y', 'pbf.wireshark.protobuf.test.TestDefaultValueMessage.enumFooWithDefaultValue_Fouth == -4'
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.boolWithDefaultValue_False == false'
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.int32WithDefaultValue_0 == 0'
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.doubleWithDefaultValue_Negative0point12345678 == -0.12345678'
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.stringWithDefaultValue_SymbolPi contains "Pi."'
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.bytesWithDefaultValue_1F2F890D0A00004B == 1f:2f:89:0d:0a:00:00:4b'
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.optional' # test taking keyword 'optional' as identification
' && pbf.wireshark.protobuf.test.TestDefaultValueMessage.message' # test taking keyword 'message' as identification
))
self.assertTrue(self.grepOutput('floatWithDefaultValue_0point23: 0.23')) # another default value will be displayed
self.assertTrue(self.grepOutput('missing required field \'missingRequiredField\'')) # check the missing required field export warn
def test_protobuf_field_subdissector(self, cmd_tshark, features, dirs, capture_file):
'''Test "protobuf_field" subdissector table'''
Skip two protobuf dissector tests when LUA is not available Both tests are using LUA scripts and both fails when it is not avialble.
2021-06-25 11:56:59 +00:00
if not features.have_lua:
self.skipTest('Test requires Lua scripting support.')
Protobuf/gRPC: add test cases for Protobuf and gRPC Add case_dissect_protobuf and case_dissect_grpc in test/suite_dissection.py. Add *.proto into the sub directories of test/protobuf_lang_files/. Run command like 'pytest --program-path .\run\Debug\ -k "grpc or protobuf"' in build directory (in windows) to test these cases only.
2020-11-22 13:55:47 +00:00
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
lua_file = os.path.join(dirs.lua_dir, 'protobuf_test_field_subdissector_table.lua')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_udp_addressbook_with_image_ts.pcapng'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'uat:protobuf_udp_message_types: "8127","tutorial.AddressBook"',
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-X', 'lua_script:{}'.format(lua_file),
'-Y', 'pbf.tutorial.Person.name == "Jason" && pbf.tutorial.Person.last_updated && png',
))
self.assertTrue(self.grepOutput('PB[(]tutorial.AddressBook[)]'))
def test_protobuf_called_by_custom_dissector(self, cmd_tshark, features, dirs, capture_file):
'''Test Protobuf invoked by other dissector (passing type by pinfo.private)'''
Skip two protobuf dissector tests when LUA is not available Both tests are using LUA scripts and both fails when it is not avialble.
2021-06-25 11:56:59 +00:00
if not features.have_lua:
self.skipTest('Test requires Lua scripting support.')
Protobuf/gRPC: add test cases for Protobuf and gRPC Add case_dissect_protobuf and case_dissect_grpc in test/suite_dissection.py. Add *.proto into the sub directories of test/protobuf_lang_files/. Run command like 'pytest --program-path .\run\Debug\ -k "grpc or protobuf"' in build directory (in windows) to test these cases only.
2020-11-22 13:55:47 +00:00
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
user_defined_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'user_defined_types').replace('\\', '/')
lua_file = os.path.join(dirs.lua_dir, 'protobuf_test_called_by_custom_dissector.lua')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_tcp_addressbook.pcapng.gz'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(user_defined_types_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-X', 'lua_script:{}'.format(lua_file),
'-d', 'tcp.port==18127,addrbook',
'-Y', 'pbf.tutorial.Person.name == "Jason" && pbf.tutorial.Person.last_updated',
))
self.assertTrue(self.grepOutput('tutorial.AddressBook'))
Qt, http2: Add Follow HTTP/2 Stream functionality The HTTP/2 protocol multiplexes a single TCP connection into multiple independent streams. The Follow TCP output can interleave multiple HTTP/2 streams, making it harder to analyze a single HTTP/2 stream. Add the ability to select HTTP/2 Streams within a TCP stream. Internally, the HTTP/2 dissector now stores the known Stream IDs in a set for every TCP session which allows an amortized O(n) lookup time for the previous/next/max Stream ID. [Peter: make the dissector responsible for clamping the HTTP/2 Stream ID instead of the Qt code, that should permit future optimizations.] Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200 Reviewed-on: https://code.wireshark.org/review/32221 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexander Gryanko <xpahos@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-02-27 04:55:52 +00:00
Protobuf: fix bugs that parsing complex syntax .proto files Some .proto files contain complex syntax that does not be described in protobuf official site (https://developers.google.com/protocol-buffers/docs/reference/proto3-spec). 1. Update 'epan/protobuf_lang_parser.lemon' to: 1) Support complex option names format (EBNF): optionName = ( ident | "(" fullIdent ")" ) { "." ( ident | "(" fullIdent ")" ) } for example, "option (complex_opt2).(grault) = 654;". 2) Make enum body support 'reserved' section (EBNF): enumBody = "{" { reserved | option | enumField | emptyStatement } "}" 3) Allow the value of field or enumValue option to be "{ ... }" other than constant: enumValueOption = optionName "=" ( constant | customOptionValue ) ";" fieldOption = optionName "=" ( constant | customOptionValue ) ";" 4) Allow 'group' section missing 'label' (for example, in 'oneof' section). 5) Make 'oneof' section support 'option' and 'group' sections (BNF): oneof = "oneof" oneofName "{" { oneofField | option | group | emptyStatement } "}" 6) Ignore unused 'extend' section. 7) Fix the bug of one string being splitted into multi-lines. 2. Update 'epan/protobuf_lang_tree.c' to: 8) Fix the bug of parsing repeated option. 3. Update 'test/suite_dissection.py' to add test case for parsing complex syntax .proto files: test/protobuf_lang_files/complex_proto_files/unittest_custom_options.proto test/protobuf_lang_files/complex_proto_files/complex_syntax.proto and dependency files: test/protobuf_lang_files/well_know_types/google/protobuf/any.proto test/protobuf_lang_files/well_know_types/google/protobuf/descriptor.proto Refer to issue #17046
2020-12-27 05:57:17 +00:00
def test_protobuf_complex_syntax(self, cmd_tshark, features, dirs, capture_file):
'''Test Protobuf parsing complex syntax .proto files'''
well_know_types_dir = os.path.join(dirs.protobuf_lang_files_dir, 'well_know_types').replace('\\', '/')
complex_proto_files_dir = os.path.join(dirs.protobuf_lang_files_dir, 'complex_proto_files').replace('\\', '/')
self.assertRun((cmd_tshark,
'-r', capture_file('protobuf_udp_addressbook_with_image_ts.pcapng'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(well_know_types_dir, 'FALSE'),
'-o', 'uat:protobuf_search_paths: "{}","{}"'.format(complex_proto_files_dir, 'TRUE'),
'-o', 'protobuf.preload_protos: TRUE',
'-o', 'protobuf.pbf_as_hf: TRUE',
'-Y', 'pbf.wireshark.protobuf.test.complex.syntax.TestFileParsed.last_field_for_wireshark_test'
' && pbf.protobuf_unittest.TestFileParsed.last_field_for_wireshark_test',
))
# the output must be empty and not contain something like:
# tshark: "pbf.xxx.TestFileParsed.last_field_for_wireshark_test" is neither a field nor a protocol name.
# or
# tshark: Protobuf: Error(s)
self.assertFalse(self.grepOutput('.last_field_for_wireshark_test'))
self.assertFalse(self.grepOutput('Protobuf: Error'))
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
tcp: add support for reassembling out-of-order segments Currently out-of-order segments will result in cutting a stream into two pieces while the out-of-order segment itself is ignored. For example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with "C" ignored. This behavior breaks TLS decryption or prevent application layer PDUs (such as HTTP requests/responses) from being reconstructed. To fix this, buffer segments when a gap is detected. The proposed approach extends the "multi-segment PDU" (MSP) mechanism which is normally used for linking multiple, sequential TCP segments into a single PDU. When a gap is detected between segments, it is assumed that the segments within this gap are out-of-order and will be received (or retransmitted) later. The current implementation has a limitation though, if multiple gaps exist, then the subdissector will only be called when all gaps are filled (the subdissector will receive segments later than necessary). For example with "ACEBD", "ABC" can already be processed after "B" is received (with "E" still buffered), but due to how MSP are extended, it must receive "D" too before it reassembles "ABCDE". In practice this could mean that the request/response times between HTTP requests and responses are slightly off, but at least the stream is correct now. (These limitations are documented in the User's Guide.) As the feature fails at least the 802.11 decryption test where packets are missing (instead of OoO), hide this feature behind a preference. Tested with captures containing out-of-order TCP segments from the linked bug reports, comparing the effect of toggling the preference on the summary output of tshark, the verbose output (-V) and the two-pass output (-2 or -2V). Captures marked with "ok" just needed "simple" out-of-order handling. Captures marked with "ok2" additionally required the reassembly API change to set the correct reassembled length. This change does "regress" on bug 10289 though when the preference is enabled as retransmitted single-segment PDUs are now passed to subdissectors. I added a TODO comment for this unrelated cosmetic issue. Bug: 3389 # capture 2907 (HTTP) ok Bug: 4727 # capture 4590 (HTTP) ok Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok Bug: 13754 # capture 15593 (MySQL) ok2 Bug: 14649 # capture 16305 (WebSocket) ok Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56 Reviewed-on: https://code.wireshark.org/review/27943 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-06-01 13:11:47 +00:00
class case_dissect_tcp(subprocesstest.SubprocessTestCase):
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
def check_tcp_out_of_order(self, cmd_tshark, dirs, extraArgs=[]):
capture_file = os.path.join(dirs.capture_dir, 'http-ooo.pcap')
test: use assertRun instead of runProcess where possible The case_decrypt_tls.test_tls_rsa_pq test is unexpectedly passing when GnuTLS is disabled. It checks for '/' in the output, but that also matches an error message. Use assertRun here and pretty much everywhere else to catch such issues. Remove a few redundant returncode checks. Change-Id: I0f9d1dadc0ca73eef9cffb3e2f452aa7c8395c95 Reviewed-on: https://code.wireshark.org/review/30838 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-30 00:31:32 +00:00
self.assertRun([cmd_tshark,
tcp: add support for reassembling out-of-order segments Currently out-of-order segments will result in cutting a stream into two pieces while the out-of-order segment itself is ignored. For example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with "C" ignored. This behavior breaks TLS decryption or prevent application layer PDUs (such as HTTP requests/responses) from being reconstructed. To fix this, buffer segments when a gap is detected. The proposed approach extends the "multi-segment PDU" (MSP) mechanism which is normally used for linking multiple, sequential TCP segments into a single PDU. When a gap is detected between segments, it is assumed that the segments within this gap are out-of-order and will be received (or retransmitted) later. The current implementation has a limitation though, if multiple gaps exist, then the subdissector will only be called when all gaps are filled (the subdissector will receive segments later than necessary). For example with "ACEBD", "ABC" can already be processed after "B" is received (with "E" still buffered), but due to how MSP are extended, it must receive "D" too before it reassembles "ABCDE". In practice this could mean that the request/response times between HTTP requests and responses are slightly off, but at least the stream is correct now. (These limitations are documented in the User's Guide.) As the feature fails at least the 802.11 decryption test where packets are missing (instead of OoO), hide this feature behind a preference. Tested with captures containing out-of-order TCP segments from the linked bug reports, comparing the effect of toggling the preference on the summary output of tshark, the verbose output (-V) and the two-pass output (-2 or -2V). Captures marked with "ok" just needed "simple" out-of-order handling. Captures marked with "ok2" additionally required the reassembly API change to set the correct reassembled length. This change does "regress" on bug 10289 though when the preference is enabled as retransmitted single-segment PDUs are now passed to subdissectors. I added a TODO comment for this unrelated cosmetic issue. Bug: 3389 # capture 2907 (HTTP) ok Bug: 4727 # capture 4590 (HTTP) ok Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok Bug: 13754 # capture 15593 (MySQL) ok2 Bug: 14649 # capture 16305 (WebSocket) ok Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56 Reviewed-on: https://code.wireshark.org/review/27943 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-06-01 13:11:47 +00:00
'-r', capture_file,
'-otcp.reassemble_out_of_order:TRUE',
'-Y', 'http',
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
] + extraArgs)
tcp: add support for reassembling out-of-order segments Currently out-of-order segments will result in cutting a stream into two pieces while the out-of-order segment itself is ignored. For example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with "C" ignored. This behavior breaks TLS decryption or prevent application layer PDUs (such as HTTP requests/responses) from being reconstructed. To fix this, buffer segments when a gap is detected. The proposed approach extends the "multi-segment PDU" (MSP) mechanism which is normally used for linking multiple, sequential TCP segments into a single PDU. When a gap is detected between segments, it is assumed that the segments within this gap are out-of-order and will be received (or retransmitted) later. The current implementation has a limitation though, if multiple gaps exist, then the subdissector will only be called when all gaps are filled (the subdissector will receive segments later than necessary). For example with "ACEBD", "ABC" can already be processed after "B" is received (with "E" still buffered), but due to how MSP are extended, it must receive "D" too before it reassembles "ABCDE". In practice this could mean that the request/response times between HTTP requests and responses are slightly off, but at least the stream is correct now. (These limitations are documented in the User's Guide.) As the feature fails at least the 802.11 decryption test where packets are missing (instead of OoO), hide this feature behind a preference. Tested with captures containing out-of-order TCP segments from the linked bug reports, comparing the effect of toggling the preference on the summary output of tshark, the verbose output (-V) and the two-pass output (-2 or -2V). Captures marked with "ok" just needed "simple" out-of-order handling. Captures marked with "ok2" additionally required the reassembly API change to set the correct reassembled length. This change does "regress" on bug 10289 though when the preference is enabled as retransmitted single-segment PDUs are now passed to subdissectors. I added a TODO comment for this unrelated cosmetic issue. Bug: 3389 # capture 2907 (HTTP) ok Bug: 4727 # capture 4590 (HTTP) ok Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok Bug: 13754 # capture 15593 (MySQL) ok2 Bug: 14649 # capture 16305 (WebSocket) ok Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56 Reviewed-on: https://code.wireshark.org/review/27943 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-06-01 13:11:47 +00:00
self.assertEqual(self.countOutput('HTTP'), 5)
tcp: Rework out of order dissection to dissect sooner Rework the out of order dissection to store the out of order segments and add them to reassemblies only after the gaps are filled. This allows reassembly of contiguous segments to be dissected when they can, instead of having to wait for all segment gaps to be filled. In cases where a segment has an erroneous later sequence number, this prevents reassembly from being completely halted. It is now guaranteed that when the subdissector is called that the segment from the current frame is either the first segment of the MSP or has bytes that were requested from the last call of the subdissector. This makes it easier to split MSPs in a later commit. MSPs now always have the first segment with the sequence number, so MSP_FLAGS_MISSING_FIRST_SEGMENT and first_frame_with_seq are obsolete and can be removed later. This fixes a long standing TODO in the out of order test in suite_dissection.py Dissection is more consistent between the first pass and later passes, though there is more to be done.
2022-03-22 12:10:16 +00:00
self.assertTrue(self.grepOutput(r'^\s*4\s.*PUT /1 HTTP/1.1'))
tcp: add support for reassembling out-of-order segments Currently out-of-order segments will result in cutting a stream into two pieces while the out-of-order segment itself is ignored. For example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with "C" ignored. This behavior breaks TLS decryption or prevent application layer PDUs (such as HTTP requests/responses) from being reconstructed. To fix this, buffer segments when a gap is detected. The proposed approach extends the "multi-segment PDU" (MSP) mechanism which is normally used for linking multiple, sequential TCP segments into a single PDU. When a gap is detected between segments, it is assumed that the segments within this gap are out-of-order and will be received (or retransmitted) later. The current implementation has a limitation though, if multiple gaps exist, then the subdissector will only be called when all gaps are filled (the subdissector will receive segments later than necessary). For example with "ACEBD", "ABC" can already be processed after "B" is received (with "E" still buffered), but due to how MSP are extended, it must receive "D" too before it reassembles "ABCDE". In practice this could mean that the request/response times between HTTP requests and responses are slightly off, but at least the stream is correct now. (These limitations are documented in the User's Guide.) As the feature fails at least the 802.11 decryption test where packets are missing (instead of OoO), hide this feature behind a preference. Tested with captures containing out-of-order TCP segments from the linked bug reports, comparing the effect of toggling the preference on the summary output of tshark, the verbose output (-V) and the two-pass output (-2 or -2V). Captures marked with "ok" just needed "simple" out-of-order handling. Captures marked with "ok2" additionally required the reassembly API change to set the correct reassembled length. This change does "regress" on bug 10289 though when the preference is enabled as retransmitted single-segment PDUs are now passed to subdissectors. I added a TODO comment for this unrelated cosmetic issue. Bug: 3389 # capture 2907 (HTTP) ok Bug: 4727 # capture 4590 (HTTP) ok Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok Bug: 13754 # capture 15593 (MySQL) ok2 Bug: 14649 # capture 16305 (WebSocket) ok Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56 Reviewed-on: https://code.wireshark.org/review/27943 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-06-01 13:11:47 +00:00
self.assertTrue(self.grepOutput(r'^\s*7\s.*GET /2 HTTP/1.1'))
self.assertTrue(self.grepOutput(r'^\s*10\s.*PUT /3 HTTP/1.1'))
self.assertTrue(self.grepOutput(r'^\s*11\s.*PUT /4 HTTP/1.1'))
self.assertTrue(self.grepOutput(r'^\s*15\s.*PUT /5 HTTP/1.1'))
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
def test_tcp_out_of_order_onepass(self, cmd_tshark, dirs):
self.check_tcp_out_of_order(cmd_tshark, dirs)
tcp: add support for reassembling out-of-order segments Currently out-of-order segments will result in cutting a stream into two pieces while the out-of-order segment itself is ignored. For example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with "C" ignored. This behavior breaks TLS decryption or prevent application layer PDUs (such as HTTP requests/responses) from being reconstructed. To fix this, buffer segments when a gap is detected. The proposed approach extends the "multi-segment PDU" (MSP) mechanism which is normally used for linking multiple, sequential TCP segments into a single PDU. When a gap is detected between segments, it is assumed that the segments within this gap are out-of-order and will be received (or retransmitted) later. The current implementation has a limitation though, if multiple gaps exist, then the subdissector will only be called when all gaps are filled (the subdissector will receive segments later than necessary). For example with "ACEBD", "ABC" can already be processed after "B" is received (with "E" still buffered), but due to how MSP are extended, it must receive "D" too before it reassembles "ABCDE". In practice this could mean that the request/response times between HTTP requests and responses are slightly off, but at least the stream is correct now. (These limitations are documented in the User's Guide.) As the feature fails at least the 802.11 decryption test where packets are missing (instead of OoO), hide this feature behind a preference. Tested with captures containing out-of-order TCP segments from the linked bug reports, comparing the effect of toggling the preference on the summary output of tshark, the verbose output (-V) and the two-pass output (-2 or -2V). Captures marked with "ok" just needed "simple" out-of-order handling. Captures marked with "ok2" additionally required the reassembly API change to set the correct reassembled length. This change does "regress" on bug 10289 though when the preference is enabled as retransmitted single-segment PDUs are now passed to subdissectors. I added a TODO comment for this unrelated cosmetic issue. Bug: 3389 # capture 2907 (HTTP) ok Bug: 4727 # capture 4590 (HTTP) ok Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok Bug: 13754 # capture 15593 (MySQL) ok2 Bug: 14649 # capture 16305 (WebSocket) ok Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56 Reviewed-on: https://code.wireshark.org/review/27943 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-06-01 13:11:47 +00:00
tcp: Split MSPs in out of order processing When processing segments out of order in TCP, it is possible to get new segments that fill a sequence gap and be able to dissect at least one PDU but need more data for additional PDUs (that have data from the contiguous stream bytes.) We can only determine this after passing the reassembled segments to the subdissector first. To keep dissection and layer numbers consistent between passes, split the multisegment PDU, keeping the already dissect PDU(s) in the current reassembly and creating a new MSP for the parts not yet dissected. Update the dissection test to enable the currently skipped test that require MSP splitting and remove test_tcp_out_of_order_twopass_with_bug
2022-04-08 00:30:48 +00:00
def test_tcp_out_of_order_twopass(self, cmd_tshark, dirs):
self.check_tcp_out_of_order(cmd_tshark, dirs, extraArgs=['-2'])
tcp: fix OoO reassembly when the first data packet is OoO OoO reassembly assumed that the stream starts with the first data segment, but this can already be OoO. Use the hint from SYN instead. The test capture is based on a local capture, post-processed with scapy to introduce an OoO condition and fixup the frame time. Bug: 15078 Change-Id: Id0e312bb3d0e7c7f8f1b243a2be9f15c9851c501 Fixes: v2.9.0rc0-1097-gca42331437 ("tcp: add support for reassembling out-of-order segments") Reviewed-on: https://code.wireshark.org/review/29305 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-08-27 13:31:03 +00:00
test: convert some more tests to use fixtures Continue the conversion from use of globals (the config module) to fixtures. If a program (like wmem_test or tshark) is unavailable, it will be skipped now rather than failing the test. The general conversion pattern is: - Decorate each class with `@fixtures.uses_fixtures` and (for tests that run tshark) `@fixtures.mark_usefixtures('test_env')`. - Convert all `config.cmd_*` to `cmd_*` and add an argument. - Convert all `config.*_dir` to `dirs.*_dir` and add an argument. - Convert users of `os.path.join(dirs.capture_file, ...)` to use a new 'capture_file' fixture to reduce boilerplate code. Inline variables if possible (this conversion was done in an automated way using regexes). Some other changes: tests that do not require a test environment (like wmem_test) will use 'base_env' which avoids copying config files, `env=config.test_env` got removed since this is the default. Some test classes in suite_clopts were combined. Removed unused imports. Change-Id: Id5480ffaee7d8d56cf2cb3189a38ae9afa7605a1 Reviewed-on: https://code.wireshark.org/review/30591 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-13 01:17:33 +00:00
def test_tcp_out_of_order_data_after_syn(self, cmd_tshark, capture_file):
tcp: fix OoO reassembly when the first data packet is OoO OoO reassembly assumed that the stream starts with the first data segment, but this can already be OoO. Use the hint from SYN instead. The test capture is based on a local capture, post-processed with scapy to introduce an OoO condition and fixup the frame time. Bug: 15078 Change-Id: Id0e312bb3d0e7c7f8f1b243a2be9f15c9851c501 Fixes: v2.9.0rc0-1097-gca42331437 ("tcp: add support for reassembling out-of-order segments") Reviewed-on: https://code.wireshark.org/review/29305 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-08-27 13:31:03 +00:00
'''Test when the first non-empty segment is OoO.'''
test: use assertRun instead of runProcess where possible The case_decrypt_tls.test_tls_rsa_pq test is unexpectedly passing when GnuTLS is disabled. It checks for '/' in the output, but that also matches an error message. Use assertRun here and pretty much everywhere else to catch such issues. Remove a few redundant returncode checks. Change-Id: I0f9d1dadc0ca73eef9cffb3e2f452aa7c8395c95 Reviewed-on: https://code.wireshark.org/review/30838 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-30 00:31:32 +00:00
proc = self.assertRun((cmd_tshark,
test: convert some more tests to use fixtures Continue the conversion from use of globals (the config module) to fixtures. If a program (like wmem_test or tshark) is unavailable, it will be skipped now rather than failing the test. The general conversion pattern is: - Decorate each class with `@fixtures.uses_fixtures` and (for tests that run tshark) `@fixtures.mark_usefixtures('test_env')`. - Convert all `config.cmd_*` to `cmd_*` and add an argument. - Convert all `config.*_dir` to `dirs.*_dir` and add an argument. - Convert users of `os.path.join(dirs.capture_file, ...)` to use a new 'capture_file' fixture to reduce boilerplate code. Inline variables if possible (this conversion was done in an automated way using regexes). Some other changes: tests that do not require a test environment (like wmem_test) will use 'base_env' which avoids copying config files, `env=config.test_env` got removed since this is the default. Some test classes in suite_clopts were combined. Removed unused imports. Change-Id: Id5480ffaee7d8d56cf2cb3189a38ae9afa7605a1 Reviewed-on: https://code.wireshark.org/review/30591 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-13 01:17:33 +00:00
'-r', capture_file('dns-ooo.pcap'),
tcp: fix OoO reassembly when the first data packet is OoO OoO reassembly assumed that the stream starts with the first data segment, but this can already be OoO. Use the hint from SYN instead. The test capture is based on a local capture, post-processed with scapy to introduce an OoO condition and fixup the frame time. Bug: 15078 Change-Id: Id0e312bb3d0e7c7f8f1b243a2be9f15c9851c501 Fixes: v2.9.0rc0-1097-gca42331437 ("tcp: add support for reassembling out-of-order segments") Reviewed-on: https://code.wireshark.org/review/29305 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-08-27 13:31:03 +00:00
'-otcp.reassemble_out_of_order:TRUE',
'-Y', 'dns', '-Tfields', '-edns.qry.name',
test: make it possible to use pytest-style test fixtures Currently all binaries must be available or no tests will be executed. This is inconvenient if you just want to test a single binary (e.g. text2pcap) without having to build epan. The problem is essentially that tests lack dependency annotations. To solve this problem, add the required dependencies as parameters to each test (so-called 'fixtures' in pytest). Skip a test if a binary (such as tshark) is unavailable. As a demonstration, suite_dissection.py is converted. Over time, tests should no longer depend on config.py due to explicit dependencies fixtures (listed in fixtures_ws.py). Since the unittest module does not support such dependency injections, create a small glue for use with pytest and an (incomplete) emulation layer for use with test.py. Tested with pytest 3.8.2 + Python 3.7.0 and pytest 3.0.3 + Python 3.4.3. Python 2.7 is not supported and will fail. Test commands: ~/wireshark/test/test.py -p ~/build/run WS_BIN_PATH=~/build/run pytest ~/wireshark/test -ra Change-Id: I6dc8c28f5c8b7bbc8f4c04838e9bf085cd22eb0b Ping-Bug: 14949 Reviewed-on: https://code.wireshark.org/review/30220 Tested-by: Petri Dish Buildbot Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-15 14:07:30 +00:00
))
tcp: fix OoO reassembly when the first data packet is OoO OoO reassembly assumed that the stream starts with the first data segment, but this can already be OoO. Use the hint from SYN instead. The test capture is based on a local capture, post-processed with scapy to introduce an OoO condition and fixup the frame time. Bug: 15078 Change-Id: Id0e312bb3d0e7c7f8f1b243a2be9f15c9851c501 Fixes: v2.9.0rc0-1097-gca42331437 ("tcp: add support for reassembling out-of-order segments") Reviewed-on: https://code.wireshark.org/review/29305 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-08-27 13:31:03 +00:00
self.assertEqual(proc.stdout_str.strip(), 'example.com')
tcp: fix reporting of "Reassembled in" for OoO initial segment When the initial segment is OoO, it was recognized as retransmitted. Fix this by remembering which frame actually contains the initial segment. Bug: 15420 Change-Id: If63e2ff581775ff9d396a612839f1bfab30f111f Reviewed-on: https://code.wireshark.org/review/31720 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-01-24 15:32:28 +00:00
def test_tcp_out_of_order_first_gap(self, cmd_tshark, capture_file):
'''
Test reporting of "reassembled_in" in the OoO frame that contains the
initial segment (Bug 15420). Additionally, test for proper reporting
when the initial segment is retransmitted.
For PDU H123 (where H is the HTTP Request header and 1, 2 and 3 are part
of the body), the order is: (SYN) 2 H H 1 3 H.
'''
proc = self.assertRun((cmd_tshark,
'-r', capture_file('http-ooo2.pcap'),
'-otcp.reassemble_out_of_order:TRUE',
'-Tfields',
'-eframe.number', '-etcp.reassembled_in', '-e_ws.col.Info',
'-2',
))
Test: Normalize the line endings of subprocess output. On Windows, replace CRLF line endings in subprocess output with LFs. Stop doing so in individual tests.
2020-09-16 20:35:11 +00:00
lines = proc.stdout_str.split('\n')
tcp: fix reporting of "Reassembled in" for OoO initial segment When the initial segment is OoO, it was recognized as retransmitted. Fix this by remembering which frame actually contains the initial segment. Bug: 15420 Change-Id: If63e2ff581775ff9d396a612839f1bfab30f111f Reviewed-on: https://code.wireshark.org/review/31720 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-01-24 15:32:28 +00:00
# 2 - start of OoO MSP
self.assertIn('2\t6\t[TCP Previous segment not captured]', lines[1])
self.assertIn('[TCP segment of a reassembled PDU]', lines[1])
# H - first time that the start of the MSP is delivered
self.assertIn('3\t6\t[TCP Out-Of-Order]', lines[2])
self.assertIn('[TCP segment of a reassembled PDU]', lines[2])
tcp: Fix handling of retransmission for reassembly When reassemble_ooo is set, we can do a better job determining if a segment is retransmitted or not from the reassembler perspective, which is different than what TCP sequence analysis determines, which is retransmission from the sender's perspective. This also allows us to have a good way of dealing with retransmission but with additional data. This only works when reassembling out of order is set. Without it, we fall back to the old method of detecting retransmissions, which has a harder time with the edge cases. Fix #17406, fix #15993, fix #13388, fix #13523.
2022-08-27 19:12:34 +00:00
# H - first retransmission. Because this is before the reassembly
# completes we can add it to the reassembly
self.assertIn('4\t6\t[TCP Out-Of-Order]', lines[3])
self.assertIn('[TCP segment of a reassembled PDU]', lines[3])
tcp: fix reporting of "Reassembled in" for OoO initial segment When the initial segment is OoO, it was recognized as retransmitted. Fix this by remembering which frame actually contains the initial segment. Bug: 15420 Change-Id: If63e2ff581775ff9d396a612839f1bfab30f111f Reviewed-on: https://code.wireshark.org/review/31720 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-01-24 15:32:28 +00:00
# 1 - continue reassembly
self.assertIn('5\t6\t[TCP Out-Of-Order]', lines[4])
self.assertIn('[TCP segment of a reassembled PDU]', lines[4])
# 3 - finish reassembly
self.assertIn('6\t\tPUT /0 HTTP/1.1', lines[5])
tcp: Fix handling of retransmission for reassembly When reassemble_ooo is set, we can do a better job determining if a segment is retransmitted or not from the reassembler perspective, which is different than what TCP sequence analysis determines, which is retransmission from the sender's perspective. This also allows us to have a good way of dealing with retransmission but with additional data. This only works when reassembling out of order is set. Without it, we fall back to the old method of detecting retransmissions, which has a harder time with the edge cases. Fix #17406, fix #15993, fix #13388, fix #13523.
2022-08-27 19:12:34 +00:00
# H - second retransmission. This is after the reassembly completes
# so we do not add it to the ressembly (but throw a ReassemblyError.)
tcp: fix reporting of "Reassembled in" for OoO initial segment When the initial segment is OoO, it was recognized as retransmitted. Fix this by remembering which frame actually contains the initial segment. Bug: 15420 Change-Id: If63e2ff581775ff9d396a612839f1bfab30f111f Reviewed-on: https://code.wireshark.org/review/31720 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-01-24 15:32:28 +00:00
self.assertIn('7\t\t', lines[6])
self.assertNotIn('[TCP segment of a reassembled PDU]', lines[6])
TCP: pass data after a ZeroWindowProbe to subdissectors If the single byte within a ZeroWindowProbe triggers reassembly within a subdissector, a new MSP will be created with just a single byte. Be sure not to mark subsequent segments that contain the full segment data as retransmission as this prevents the subdissector from seeing the data. Bug: 15427 Change-Id: I36ae2622689c6606c99cdff70b6beba4b9d25ca7 Reviewed-on: https://code.wireshark.org/review/31732 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Jasper Bongertz <jasper@packet-foo.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-01-25 13:05:24 +00:00
def test_tcp_reassembly_more_data_1(self, cmd_tshark, capture_file):
'''
Tests that reassembly also works when a new packet begins at the same
sequence number as the initial segment. This models behavior with the
ZeroWindowProbe: the initial segment contains a single byte. The second
segment contains that byte, plus the remainder.
'''
proc = self.assertRun((cmd_tshark,
'-r', capture_file('retrans-tls.pcap'),
'-Ytls', '-Tfields', '-eframe.number', '-etls.record.length',))
# First pass dissection actually accepted the first frame as TLS, but
# subsequently requested reassembly.
Test: Normalize the line endings of subprocess output. On Windows, replace CRLF line endings in subprocess output with LFs. Stop doing so in individual tests.
2020-09-16 20:35:11 +00:00
self.assertEqual(proc.stdout_str, '1\t\n2\t16\n')
TCP: pass data after a ZeroWindowProbe to subdissectors If the single byte within a ZeroWindowProbe triggers reassembly within a subdissector, a new MSP will be created with just a single byte. Be sure not to mark subsequent segments that contain the full segment data as retransmission as this prevents the subdissector from seeing the data. Bug: 15427 Change-Id: I36ae2622689c6606c99cdff70b6beba4b9d25ca7 Reviewed-on: https://code.wireshark.org/review/31732 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Jasper Bongertz <jasper@packet-foo.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-01-25 13:05:24 +00:00
def test_tcp_reassembly_more_data_2(self, cmd_tshark, capture_file):
'''
Like test_tcp_reassembly_more_data_1, but checks the second pass (-2).
'''
proc = self.assertRun((cmd_tshark,
'-r', capture_file('retrans-tls.pcap'),
'-Ytls', '-Tfields', '-eframe.number', '-etls.record.length', '-2'))
Test: Normalize the line endings of subprocess output. On Windows, replace CRLF line endings in subprocess output with LFs. Stop doing so in individual tests.
2020-09-16 20:35:11 +00:00
self.assertEqual(proc.stdout_str, '2\t16\n')
TLS: Implement reassembly for Handshake messages Lack of handshake reassembly caused Certificate handshake messages to be reported as "Encrypted Handshake Messages" and broke decryption in some cases. Fix this by properly tracking handshake fragments and delay dissection until all fragments are available. Now when a fragmented Handshake message is found: * The first fragment will have "(fragmented)" appended to the record tree item as well as the "Handshake Protocol" item. * "Reassembled Handshake Message in frame: X" is added for fragments. * The last reassembled handshake message will be displayed together with a fragment list. Note: Previously, handshake records with a message length larger than the available data was assumed to be encrypted. This restriction had to be lifted, but can now cause false positives (reporting encrypted data as unencrypted handshake fragments). The provided capture is not minimal but should be comprehensive as it is generated with randomly sized TLS record and TCP segment lengths using `./tls-handshake-fragments.py hs-frag.pcap --seed=1337 --count=100` and https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/tls-handshake-fragments.py (A copy of this script is attached to bug 3303.) Bug: 3303 Bug: 15537 Bug: 15625 Change-Id: I779925aba30548a76c20e0e37b39d01d2c88a764 Reviewed-on: https://code.wireshark.org/review/32857 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-04-15 00:30:09 +00:00
git: Add test cases Add git dissection test cases to existing testing suite for: finding git packets, finding the Git Protocol version, finding the right amount of Flush and Delimiter packets, not finding Malformed packets. Part of #17093
2021-02-12 01:05:14 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_git(subprocesstest.SubprocessTestCase):
def test_git_prot(self, cmd_tshark, capture_file, features):
'''
Check for Git protocol version 2, flush and delimiter packets.
Ensure there are no malformed packets.
'''
proc = self.assertRun((cmd_tshark,
'-r', capture_file('gitOverTCP.pcap'),
'-Ygit', '-Tfields', '-egit.version', '-egit.packet_type',
'-zexpert', '-e_ws.expert',
))
# `epan/dissectors/packet-git.c` parses the Git Protocol version
# from ASCII '1' or '2' to integers 49 or 50 in grep output.
# 0x0000 are flush packets.
# 0x0001 are delimiter packets.
# Pre-existing git Malformed Packets in this pcap were addressed
# with the parsing of the delimiter packets. This test ensures
# pcap gitOverTCP's delim packets are parsed and that there are no
# malformed packets with "Expert Info/Errors" in the same pcap.
# Additional test cases for other scenarios, i.e actually malformed
# git packets, might be required.
self.assertEqual(proc.stdout_str, '50\t\t\n\t0\t\n\t\t\n\t1,0\t\n')
TLS: Implement reassembly for Handshake messages Lack of handshake reassembly caused Certificate handshake messages to be reported as "Encrypted Handshake Messages" and broke decryption in some cases. Fix this by properly tracking handshake fragments and delay dissection until all fragments are available. Now when a fragmented Handshake message is found: * The first fragment will have "(fragmented)" appended to the record tree item as well as the "Handshake Protocol" item. * "Reassembled Handshake Message in frame: X" is added for fragments. * The last reassembled handshake message will be displayed together with a fragment list. Note: Previously, handshake records with a message length larger than the available data was assumed to be encrypted. This restriction had to be lifted, but can now cause false positives (reporting encrypted data as unencrypted handshake fragments). The provided capture is not minimal but should be comprehensive as it is generated with randomly sized TLS record and TCP segment lengths using `./tls-handshake-fragments.py hs-frag.pcap --seed=1337 --count=100` and https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/tls-handshake-fragments.py (A copy of this script is attached to bug 3303.) Bug: 3303 Bug: 15537 Bug: 15625 Change-Id: I779925aba30548a76c20e0e37b39d01d2c88a764 Reviewed-on: https://code.wireshark.org/review/32857 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-04-15 00:30:09 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_tls(subprocesstest.SubprocessTestCase):
def check_tls_handshake_reassembly(self, cmd_tshark, capture_file,
extraArgs=[]):
# Include -zexpert just to be sure that no exception has occurred. It
# is not strictly necessary as the extension to be matched is the last
# one in the handshake message.
proc = self.assertRun([cmd_tshark,
'-r', capture_file('tls-fragmented-handshakes.pcap.gz'),
'-zexpert',
'-Ytls.handshake.extension.data',
'-Tfields', '-etls.handshake.extension.data'] + extraArgs)
Test: Normalize the line endings of subprocess output. On Windows, replace CRLF line endings in subprocess output with LFs. Stop doing so in individual tests.
2020-09-16 20:35:11 +00:00
output = proc.stdout_str.replace(',', '\n')
TLS: Implement reassembly for Handshake messages Lack of handshake reassembly caused Certificate handshake messages to be reported as "Encrypted Handshake Messages" and broke decryption in some cases. Fix this by properly tracking handshake fragments and delay dissection until all fragments are available. Now when a fragmented Handshake message is found: * The first fragment will have "(fragmented)" appended to the record tree item as well as the "Handshake Protocol" item. * "Reassembled Handshake Message in frame: X" is added for fragments. * The last reassembled handshake message will be displayed together with a fragment list. Note: Previously, handshake records with a message length larger than the available data was assumed to be encrypted. This restriction had to be lifted, but can now cause false positives (reporting encrypted data as unencrypted handshake fragments). The provided capture is not minimal but should be comprehensive as it is generated with randomly sized TLS record and TCP segment lengths using `./tls-handshake-fragments.py hs-frag.pcap --seed=1337 --count=100` and https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/tls-handshake-fragments.py (A copy of this script is attached to bug 3303.) Bug: 3303 Bug: 15537 Bug: 15625 Change-Id: I779925aba30548a76c20e0e37b39d01d2c88a764 Reviewed-on: https://code.wireshark.org/review/32857 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-04-15 00:30:09 +00:00
# Expected output are lines with 0001, 0002, ..., 03e8
expected = ''.join('%04x\n' % i for i in range(1, 1001))
self.assertEqual(output, expected)
def test_tls_handshake_reassembly(self, cmd_tshark, capture_file):
'''Verify that TCP and TLS handshake reassembly works.'''
self.check_tls_handshake_reassembly(cmd_tshark, capture_file)
def test_tls_handshake_reassembly_2(self, cmd_tshark, capture_file):
'''Verify that TCP and TLS handshake reassembly works (second pass).'''
self.check_tls_handshake_reassembly(
cmd_tshark, capture_file, extraArgs=['-2'])
smb2: add support for decompression The latest iteration of Microsoft updates to SMB3 added compression to the protocol. This commit implements decompressing and dissecting compressed payloads. The compression algorithms that can be used are "Plain LZ77", "LZ77+Huffman" and "LZNT1" which you can read more about in the [MS-XCA] documentation. This set of algorithm is sometimes referred to as XPRESS. This commit reuses the existing uncompression API scheme already in place with zlib and brotli and adds 3 tvb_uncompress_*() function implemented in: * epan/tvbuff_lz77.c * epan/tvbuff_lz77huff.c * epan/tvbuff_lznt1.c A new function wmem_array_try_index() was added to the wmem_array API to make bound checked reads that fail gracefully. New tests for it have been added as well. Since both reads (tvb) and writes (wmem_array) are bound checked the risk for buffer overruns is drastically reduced. LZ77+Huffman has decoding tables and special care was taken to bound check these. Simplified versions of the implementations were succesfully tested against AFL (American Fuzzy Lop) for ~150 millions executions each. The SMB2/3 dissector was changed to deal with the new transform header for compressed packets (new protocol_id value) and READ request flags (COMPRESSED). Badly compressed or encrypted packets are now reported as such, and the decryption test suite was changed to reflect that. This commit also adds a test capture with 1 packet compressed with each algorithm as returned by Windows Server 2019, along with 3 matching tests in test/suite_dissection.py Change-Id: I2b84f56541f2f4ee7d886152794b993987dd10e7 Reviewed-on: https://code.wireshark.org/review/33855 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-07-05 14:08:18 +00:00
quic: Handle out-of-order CRYPTO frames, aka "Chaos Protection" Implement out of order buffering and desegmentation for QUIC CRYPTO frames. Particularly useful for Chrome's "Chaos Protection" that intentionally introduces them, but handles out of order CRYPTO frames in different UDP payloads as well. (Buffering packets at a higher encryption level until the out of order lower level frames have arrived is a different issue.) Adds a preference, which defaults to on since if there is out of order, it's not very useful to turn it off. Fix #17732. Fix #18215.
2022-07-21 06:16:48 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_dissect_quic(subprocesstest.SubprocessTestCase):
def check_quic_tls_handshake_reassembly(self, cmd_tshark, capture_file,
extraArgs=[]):
# An assortment of QUIC carrying TLS handshakes that need to be
# reassembled, including fragmented in one packet, fragmented in
# multiple packets, fragmented in multiple out of order packets,
# retried, retried with overlap from the original packets, and retried
# with one of the original packets missing (but all data there.)
# Include -zexpert just to be sure that nothing Warn or higher occured.
# Note level expert infos may be expected with the overlaps and
# retransmissions.
proc = self.assertRun([cmd_tshark,
'-r', capture_file('quic-fragmented-handshakes.pcapng.gz'),
'-zexpert,warn',
'-Ytls.handshake.type',
'-o', 'gui.column.format:"Handshake Type","%Cus:tls.handshake.type:0:R"',
] + extraArgs)
self.assertEqual(self.countOutput('Client Hello'), 18)
self.assertEqual(self.countOutput('Server Hello'), 2)
self.assertEqual(self.countOutput('Finished'), 2)
self.assertEqual(self.countOutput('New Session Ticket,New Session Ticket'), 1)
self.assertEqual(self.countOutput('Certificate'), 2)
self.assertFalse(self.grepOutput('Warns'))
self.assertFalse(self.grepOutput('Errors'))
def test_quic_tls_handshake_reassembly(self, cmd_tshark, capture_file):
'''Verify that QUIC and TLS handshake reassembly works.'''
self.check_quic_tls_handshake_reassembly(cmd_tshark, capture_file)
def test_quic_tls_handshake_reassembly_2(self, cmd_tshark, capture_file):
'''Verify that QUIC and TLS handshake reassembly works (second pass).'''
self.check_quic_tls_handshake_reassembly(
cmd_tshark, capture_file, extraArgs=['-2'])
smb2: add support for decompression The latest iteration of Microsoft updates to SMB3 added compression to the protocol. This commit implements decompressing and dissecting compressed payloads. The compression algorithms that can be used are "Plain LZ77", "LZ77+Huffman" and "LZNT1" which you can read more about in the [MS-XCA] documentation. This set of algorithm is sometimes referred to as XPRESS. This commit reuses the existing uncompression API scheme already in place with zlib and brotli and adds 3 tvb_uncompress_*() function implemented in: * epan/tvbuff_lz77.c * epan/tvbuff_lz77huff.c * epan/tvbuff_lznt1.c A new function wmem_array_try_index() was added to the wmem_array API to make bound checked reads that fail gracefully. New tests for it have been added as well. Since both reads (tvb) and writes (wmem_array) are bound checked the risk for buffer overruns is drastically reduced. LZ77+Huffman has decoding tables and special care was taken to bound check these. Simplified versions of the implementations were succesfully tested against AFL (American Fuzzy Lop) for ~150 millions executions each. The SMB2/3 dissector was changed to deal with the new transform header for compressed packets (new protocol_id value) and READ request flags (COMPRESSED). Badly compressed or encrypted packets are now reported as such, and the decryption test suite was changed to reflect that. This commit also adds a test capture with 1 packet compressed with each algorithm as returned by Windows Server 2019, along with 3 matching tests in test/suite_dissection.py Change-Id: I2b84f56541f2f4ee7d886152794b993987dd10e7 Reviewed-on: https://code.wireshark.org/review/33855 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-07-05 14:08:18 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_decompress_smb2(subprocesstest.SubprocessTestCase):
def extract_compressed_payload(self, cmd_tshark, capture_file, frame_num):
proc = self.assertRun((cmd_tshark,
'-r', capture_file('smb311-lz77-lz77huff-lznt1.pcap.gz'),
'-Tfields', '-edata.data',
'-Y', 'frame.number == %d'%frame_num,
))
self.assertEqual(b'a'*4096, bytes.fromhex(proc.stdout_str.strip()))
def test_smb311_read_lz77(self, cmd_tshark, capture_file):
self.extract_compressed_payload(cmd_tshark, capture_file, 1)
def test_smb311_read_lz77huff(self, cmd_tshark, capture_file):
self.extract_compressed_payload(cmd_tshark, capture_file, 2)
def test_smb311_read_lznt1(self, cmd_tshark, capture_file):
test: skip some tests on big endian machines. Dumpcap doesn't support fifos with streams created on a machine with different endianess. Until dumpcap will support that, we need to skip some tests so the whole test suite can pass. Ping-Bug: 15754 Change-Id: Ia7fdf833715bf975fcee76968a7c1d75d084bd6f Reviewed-on: https://code.wireshark.org/review/34173 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Dario Lombardo <lomato@gmail.com>
2019-08-03 20:07:55 +00:00
if sys.byteorder == 'big':
fixtures.skip('this test is supported on little endian only')
smb2: add support for decompression The latest iteration of Microsoft updates to SMB3 added compression to the protocol. This commit implements decompressing and dissecting compressed payloads. The compression algorithms that can be used are "Plain LZ77", "LZ77+Huffman" and "LZNT1" which you can read more about in the [MS-XCA] documentation. This set of algorithm is sometimes referred to as XPRESS. This commit reuses the existing uncompression API scheme already in place with zlib and brotli and adds 3 tvb_uncompress_*() function implemented in: * epan/tvbuff_lz77.c * epan/tvbuff_lz77huff.c * epan/tvbuff_lznt1.c A new function wmem_array_try_index() was added to the wmem_array API to make bound checked reads that fail gracefully. New tests for it have been added as well. Since both reads (tvb) and writes (wmem_array) are bound checked the risk for buffer overruns is drastically reduced. LZ77+Huffman has decoding tables and special care was taken to bound check these. Simplified versions of the implementations were succesfully tested against AFL (American Fuzzy Lop) for ~150 millions executions each. The SMB2/3 dissector was changed to deal with the new transform header for compressed packets (new protocol_id value) and READ request flags (COMPRESSED). Badly compressed or encrypted packets are now reported as such, and the decryption test suite was changed to reflect that. This commit also adds a test capture with 1 packet compressed with each algorithm as returned by Windows Server 2019, along with 3 matching tests in test/suite_dissection.py Change-Id: I2b84f56541f2f4ee7d886152794b993987dd10e7 Reviewed-on: https://code.wireshark.org/review/33855 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2019-07-05 14:08:18 +00:00
self.extract_compressed_payload(cmd_tshark, capture_file, 3)
A Community ID implementation for Wireshark. This adds a protocol post-dissector for Community ID support to Wireshark/tshark: https://github.com/corelight/community-id-spec The protocol is disabled by default. It establishes one new filter value, "communityid". Includes test cases and baselines to verify correct Community ID strings based on similar testsuites in the existing Zeek and Python implementations.
2020-09-03 23:50:32 +00:00
SMB2: add tests for chained compression and pattern_v1
2020-09-22 23:05:39 +00:00
def extract_chained_compressed_payload(self, cmd_tshark, capture_file, frame_num):
proc = self.assertRun((cmd_tshark,
'-r', capture_file('smb311-chained-patternv1-lznt1.pcapng.gz'),
'-Tfields', '-edata.data',
'-Y', 'frame.number == %d'%frame_num,
))
self.assertEqual(b'\xaa'*256, bytes.fromhex(proc.stdout_str.strip()))
def test_smb311_chained_lznt1_patternv1(self, cmd_tshark, capture_file):
if sys.byteorder == 'big':
fixtures.skip('this test is supported on little endian only')
self.extract_chained_compressed_payload(cmd_tshark, capture_file, 1)
def test_smb311_chained_none_patternv1(self, cmd_tshark, capture_file):
self.extract_chained_compressed_payload(cmd_tshark, capture_file, 2)
A Community ID implementation for Wireshark. This adds a protocol post-dissector for Community ID support to Wireshark/tshark: https://github.com/corelight/community-id-spec The protocol is disabled by default. It establishes one new filter value, "communityid". Includes test cases and baselines to verify correct Community ID strings based on similar testsuites in the existing Zeek and Python implementations.
2020-09-03 23:50:32 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_communityid(subprocesstest.SubprocessTestCase):
# Show full diffs in case of divergence
maxDiff = None
def assertBaseline(self, dirs, output, baseline):
baseline_file = os.path.join(dirs.baseline_dir, baseline)
with open(baseline_file) as f:
baseline_data = f.read()
self.assertEqual(output, baseline_data)
def test_communityid(self, cmd_tshark, features, dirs, capture_file):
# Run tshark on our Community ID test pcap, enabling the
# postdissector (it is disabled by default), and asking for
# the Community ID value as field output. Verify that this
# exits successfully:
proc = self.assertRun(
(cmd_tshark,
'--enable-protocol', 'communityid',
'-r', capture_file('communityid.pcap.gz'),
'-Tfields', '-ecommunityid',
))
self.assertBaseline(dirs, proc.stdout_str, 'communityid.txt')
def test_communityid_filter(self, cmd_tshark, features, dirs, capture_file):
# Run tshark on our Community ID test pcap, enabling the
# postdissector and filtering the result.
proc = self.assertRun(
(cmd_tshark,
'--enable-protocol', 'communityid',
'-r', capture_file('communityid.pcap.gz'),
'-Tfields', '-ecommunityid',
'communityid=="1:d/FP5EW3wiY1vCndhwleRRKHowQ="'
))
self.assertBaseline(dirs, proc.stdout_str, 'communityid-filtered.txt')
add mongo zstd test to suite_dissection.py
2022-12-24 01:50:03 +00:00
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_decompress_mongo(subprocesstest.SubprocessTestCase):
def test_decompress_zstd(self, cmd_tshark, capture_file):
proc = self.assertRun((cmd_tshark,
'-d', 'tcp.port==27017,mongo',
'-r', capture_file('mongo-zstd.pcapng'),
'-Tfields', '-emongo.element.name'
))
# Check the element names of the decompressed body.
self.assertEqual('drop,lsid,id,$db', proc.stdout_str.strip())