# Copyright (c) 2013 by Gilbert Ramirez <gram@alumni.rice.edu>
#
# SPDX-License-Identifier: GPL-2.0-or-later
import unittest
import fixtures
from suite_dfilter.dfiltertest import *
@fixtures.uses_fixtures
class case_syntax(unittest.TestCase):
# Capture file name for this test class. How it is loaded is not shown here;
# presumably the dfilter fixtures read it (confirm in suite_dfilter.dfiltertest).
trace_file = "http.pcap"
def test_exists_1(self, checkDFilterCount):
|
|
|
|
dfilter = "frame"
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_commute_1(self, checkDFilterCount):
|
|
|
|
dfilter = "ip.proto == 6"
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_commute_2(self, checkDFilterCount):
|
|
|
|
dfilter = "6 == ip.proto"
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_func_1(self, checkDFilterCount):
|
|
|
|
dfilter = "len(frame) == 207"
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_value_string_1(self, checkDFilterSucceed):
|
|
|
|
dfilter = 'eth.fcs.status=="Bad"'
|
|
|
|
checkDFilterSucceed(dfilter)
def test_matches_1(self, checkDFilterSucceed):
|
|
|
|
dfilter = 'http.request.method matches "^HEAD"'
|
|
|
|
checkDFilterSucceed(dfilter)
def test_matches_2(self, checkDFilterFail):
|
|
|
|
dfilter = 'http.request.method matches HEAD'
|
2021-10-17 16:09:05 +00:00
|
|
|
checkDFilterFail(dfilter, 'Expected a string')
def test_matches_3(self, checkDFilterFail):
|
|
|
|
dfilter = 'http.request.method matches "^HEAD" matches "^POST"'
|
|
|
|
checkDFilterFail(dfilter, '"matches" was unexpected in this context.')
def test_matches_4(self, checkDFilterCount):
|
|
|
|
dfilter = r'http.host matches r"update\.microsoft\.c.."'
|
|
|
|
checkDFilterCount(dfilter, 1)
dfilter: Fix "!=" relation to be free of contradictions
Wireshark defines the relation of equality A == B as
A any_eq B <=> An == Bn for at least one An, Bn.
More accurately I think this is (formally) an equivalence
relation, not true equality.
Whichever definition for "==" we choose we must keep the
definition of "!=" as !(A == B), otherwise it will
lead to logical contradictions like (A == B) AND (A != B)
being true.
Fix the '!=' relation to match the definition of equality:
A != B <=> !(A == B) <=> A all_ne B <=> An != Bn, for
every n.
This has been the recommended way to write "not equal" for a
long time in the documentation, even to the point where != was
deprecated, but it just wasn't implemented consistently in the
language, which has understandably been a persistent source
of confusion. Even a field that is normally well-behaved
with "!=" like "ip.src" or "ip.dst" will produce unexpected
results with encapsulations like IP-over-IP.
The opcode ALL_NE could have been implemented in the compiler
instead using NOT and ANY_EQ but I chose to implement it in
bytecode. It just seemed more elegant and efficient
but the difference was not very significant.
Keep around "~=" for any_ne relation, in case someone depends
on that, and because we don't have an operator for true equality:
A strict_equal B <=> A all_eq B <=> !(A any_ne B).
If there is only one value then any_ne and all_ne are the same
comparison operation.
Implementing this change did not require fixing any tests so it
is unlikely the relation "~=" (any_ne) will be very useful.
Note that the behaviour of the '<' (less than) comparison relation
is a separate, more subtle issue. In the general case the definition
of '<' that is used is only a partial order.
2021-10-18 20:07:06 +00:00
def test_matches_5(self, checkDFilterFail):
|
|
|
|
dfilter = '"a" matches "b"'
|
|
|
|
checkDFilterFail(dfilter, "not a valid operand for matches")
dfilter: Fix "!=" relation to be free of contradictions
Wireshark defines the relation of equality A == B as
A any_eq B <=> An == Bn for at least one An, Bn.
More accurately I think this is (formally) an equivalence
relation, not true equality.
Whichever definition for "==" we choose we must keep the
definition of "!=" as !(A == B), otherwise it will
lead to logical contradictions like (A == B) AND (A != B)
being true.
Fix the '!=' relation to match the definition of equality:
A != B <=> !(A == B) <=> A all_ne B <=> An != Bn, for
every n.
This has been the recommended way to write "not equal" for a
long time in the documentation, even to the point where != was
deprecated, but it just wasn't implemented consistently in the
language, which has understandably been a persistent source
of confusion. Even a field that is normally well-behaved
with "!=" like "ip.src" or "ip.dst" will produce unexpected
results with encapsulations like IP-over-IP.
The opcode ALL_NE could have been implemented in the compiler
instead using NOT and ANY_EQ but I chose to implement it in
bytecode. It just seemed more elegant and efficient
but the difference was not very significant.
Keep around "~=" for any_ne relation, in case someone depends
on that, and because we don't have an operator for true equality:
A strict_equal B <=> A all_eq B <=> !(A any_ne B).
If there is only one value then any_ne and all_ne are the same
comparison operation.
Implementing this change did not require fixing any tests so it
is unlikely the relation "~=" (any_ne) will be very useful.
Note that the behaviour of the '<' (less than) comparison relation
is a separate, more subtle issue. In the general case the definition
of '<' that is used is only a partial order.
2021-10-18 20:07:06 +00:00
def test_equal_1(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr == 10.0.0.5'
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_equal_2(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr == 207.46.134.94'
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_equal_3(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr == 10.0.0.5 or ip.addr == 207.46.134.94'
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_equal_4(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr == 10.0.0.5 and ip.addr == 207.46.134.94'
|
|
|
|
checkDFilterCount(dfilter, 1)
def test_not_equal_1(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr != 10.0.0.5'
|
|
|
|
checkDFilterCount(dfilter, 0)
def test_not_equal_2(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr != 207.46.134.94'
|
|
|
|
checkDFilterCount(dfilter, 0)
def test_not_equal_3(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr != 10.0.0.5 and ip.addr != 207.46.134.94'
|
|
|
|
checkDFilterCount(dfilter, 0)
def test_not_equal_4(self, checkDFilterCount):
|
|
|
|
dfilter = 'ip.addr != 10.0.0.5 or ip.addr != 207.46.134.94'
|
|
|
|
checkDFilterCount(dfilter, 0)
def test_deprecated_1(self, checkDFilterSucceed):
|
|
|
|
dfilter = "http && udp || tcp"
|
|
|
|
checkDFilterSucceed(dfilter, "suggest parentheses around")
def test_deprecated_2(self, checkDFilterSucceed):
|
|
|
|
dfilter = "bootp"
|
|
|
|
checkDFilterSucceed(dfilter, "Deprecated tokens: \"bootp\"")