# Copyright (c) 2013 by Gilbert Ramirez <gram@alumni.rice.edu>
#
# SPDX-License-Identifier: GPL-2.0-or-later

import unittest
import fixtures
from suite_dfilter.dfiltertest import *


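@fixtures.uses_fixtures
class case_syntax(unittest.TestCase):
    """Display-filter syntax checks run against the ``http.pcap`` capture.

    Each test receives a checker fixture (``checkDFilterCount``,
    ``checkDFilterSucceed`` or ``checkDFilterFail``) that is defined outside
    this file. The integer passed to ``checkDFilterCount`` is presumably the
    expected number of matching frames, and the string passed to
    ``checkDFilterFail`` a fragment of the expected error text -- confirm
    against suite_dfilter.dfiltertest.
    """
    trace_file = "http.pcap"

    def test_exists_1(self, checkDFilterCount):
        # A bare protocol name is an existence test.
        dfilter = "frame"
        checkDFilterCount(dfilter, 1)

    def test_exists_2(self, checkDFilterCount):
        # Identifier using minus
        dfilter = "mac-lte"
        checkDFilterCount(dfilter, 0)

    def test_commute_1(self, checkDFilterCount):
        dfilter = "ip.proto == 6"
        checkDFilterCount(dfilter, 1)

    def test_commute_2(self, checkDFilterFail):
        # The comparison does not commute: a constant on the left is rejected.
        dfilter = "6 == ip.proto"
        error = "Left side of \"==\" expression must be a field or function"
        checkDFilterFail(dfilter, error)

    def test_func_1(self, checkDFilterCount):
        dfilter = "len(frame) == 207"
        checkDFilterCount(dfilter, 1)

    def test_value_string_1(self, checkDFilterSucceed):
        # No whitespace around the operator, value-string on the right.
        dfilter = 'eth.fcs.status=="Bad"'
        checkDFilterSucceed(dfilter)

    def test_matches_1(self, checkDFilterSucceed):
        dfilter = 'http.request.method matches "^HEAD"'
        checkDFilterSucceed(dfilter)

    def test_matches_2(self, checkDFilterFail):
        # An unquoted pattern must be rejected.
        dfilter = 'http.request.method matches HEAD'
        checkDFilterFail(dfilter, 'requires a double quoted string')

    def test_matches_3(self, checkDFilterFail):
        # "matches" cannot be chained.
        dfilter = 'http.request.method matches "^HEAD" matches "^POST"'
        checkDFilterFail(dfilter, '"matches" was unexpected in this context.')

    def test_matches_4(self, checkDFilterCount):
        # Raw-string pattern (r"...") so the backslashes reach the regex.
        dfilter = r'http.host matches r"update\.microsoft\.c.."'
        checkDFilterCount(dfilter, 1)

    def test_matches_5(self, checkDFilterSucceed):
        # case insensitive
        dfilter = 'http.request.method matches "^head"'
        checkDFilterSucceed(dfilter)

    def test_equal_1(self, checkDFilterCount):
        dfilter = 'ip.addr == 10.0.0.5'
        checkDFilterCount(dfilter, 1)

    def test_equal_2(self, checkDFilterCount):
        dfilter = 'ip.addr == 207.46.134.94'
        checkDFilterCount(dfilter, 1)

    def test_equal_3(self, checkDFilterCount):
        dfilter = 'ip.addr == 10.0.0.5 or ip.addr == 207.46.134.94'
        checkDFilterCount(dfilter, 1)

    def test_equal_4(self, checkDFilterCount):
        # Both addresses match in the same frame: ip.addr has more than one
        # value per frame (presumably source and destination).
        dfilter = 'ip.addr == 10.0.0.5 and ip.addr == 207.46.134.94'
        checkDFilterCount(dfilter, 1)

    # The four "!=" tests below all expect 0 although each address appears in
    # the capture: "!=" only matches when no value of the field equals the
    # operand. Worth remembering when writing exclusion filters for triage.
    def test_not_equal_1(self, checkDFilterCount):
        dfilter = 'ip.addr != 10.0.0.5'
        checkDFilterCount(dfilter, 0)

    def test_not_equal_2(self, checkDFilterCount):
        dfilter = 'ip.addr != 207.46.134.94'
        checkDFilterCount(dfilter, 0)

    def test_not_equal_3(self, checkDFilterCount):
        dfilter = 'ip.addr != 10.0.0.5 and ip.addr != 207.46.134.94'
        checkDFilterCount(dfilter, 0)

    def test_not_equal_4(self, checkDFilterCount):
        dfilter = 'ip.addr != 10.0.0.5 or ip.addr != 207.46.134.94'
        checkDFilterCount(dfilter, 0)

    def test_deprecated_1(self, checkDFilterSucceed):
        # Second argument is presumably the warning text expected from the
        # compiler -- confirm against the fixture.
        dfilter = "bootp"
        checkDFilterSucceed(dfilter, "Deprecated tokens: \"bootp\"")

    def test_charconst_bytes_1(self, checkDFilterCount):
        # Bytes as a character constant.
        dfilter = "frame contains 'H'"
        checkDFilterCount(dfilter, 1)

    def test_charconst_bytes_2(self, checkDFilterCount):
        dfilter = "frame[54] == 'H'"
        checkDFilterCount(dfilter, 1)

    def test_charconst_invalid(self, checkDFilterFail):
        # Unknown escape sequence inside a character constant.
        dfilter = r"ip.proto == '\Z'"
        checkDFilterFail(dfilter, "isn't a valid character constant")

    def test_bool_1(self, checkDFilterCount):
        dfilter = "tcp.flags.push == 1"
        checkDFilterCount(dfilter, 1)

    def test_bool_2(self, checkDFilterCount):
        dfilter = "tcp.flags.push == True"
        checkDFilterCount(dfilter, 1)

    # Was a second "test_bool_2": the later definition replaced the one above
    # in the class namespace, so the "== True" case was never executed.
    def test_bool_3(self, checkDFilterCount):
        dfilter = "tcp.flags.push == FALSE"
        checkDFilterCount(dfilter, 0)

    def test_misc_1(self, checkDFilterSucceed):
        # Issue #18418
        dfilter = "icmp and ((icmp.type > 0 and icmp.type < 8) or icmp.type > 8)"
        checkDFilterSucceed(dfilter)

    def test_whitespace(self, checkDFilterSucceed):
        # Tab, CR and LF between tokens must be accepted as whitespace.
        dfilter = '\ttcp.stream \r\n== 1'
        checkDFilterSucceed(dfilter)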

@fixtures.uses_fixtures
class case_equality(unittest.TestCase):
    """Equality operators, byte literals and RHS disambiguation on ``sip.pcapng``.

    The test names pair the operators with their quantifier: ``===`` is
    "all eq", ``!==`` is "any ne", ``==`` is "any eq" and ``!=`` is "all ne".
    The checker fixture is defined outside this file; its integer argument is
    presumably the expected number of matching frames.
    """
    trace_file = "sip.pcapng"

    def test_all_eq_1(self, checkDFilterCount):
        checkDFilterCount("udp.port === 5060", 2)

    def test_any_ne_1(self, checkDFilterCount):
        checkDFilterCount("udp.port !== 5060", 4)

    def test_any_eq_1(self, checkDFilterCount):
        checkDFilterCount("udp.port == 5060", 5)

    def test_all_ne_1(self, checkDFilterCount):
        checkDFilterCount("udp.port != 5060", 1)

    def test_root_1(self, checkDFilterCount):
        # Leading dot on the right-hand side.
        checkDFilterCount("udp.srcport == .udp.dstport", 2)

    # Leading colon followed by a byte sequence, in four spellings.
    def test_literal_3(self, checkDFilterCount):
        checkDFilterCount("frame[0:10] contains :00:01:6c", 1)

    def test_literal_4(self, checkDFilterCount):
        checkDFilterCount("frame[0:10] contains :00016c", 1)

    def test_literal_5(self, checkDFilterCount):
        checkDFilterCount("frame[0:10] contains :00.01.6c", 1)

    def test_literal_6(self, checkDFilterCount):
        checkDFilterCount("frame[0:10] contains :00-01-6c", 1)

    def test_rhs_bias_1(self, checkDFilterCount):
        # Bare "fc" on the right resolves to the protocol "Fibre Channel".
        checkDFilterCount('frame[37] == fc', 0)

    def test_rhs_bias_2(self, checkDFilterCount):
        # ":fc" forces the byte 0xFC reading.
        checkDFilterCount('frame[37] == :fc', 1)

    def test_rhs_literal_bias_4(self, checkDFilterCount):
        # ".fc" forces the protocol "Fibre Channel" reading.
        checkDFilterCount('frame[37] == .fc', 0)

@fixtures.uses_fixtures
class case_bitwise(unittest.TestCase):
    """Bitwise-AND expressions evaluated against ``http.pcap``.

    The checker fixture is defined outside this file; its integer argument is
    presumably the expected number of matching frames.
    """
    trace_file = "http.pcap"

    def test_exists_1(self, checkDFilterCount):
        # A masked field used on its own, without a comparison.
        checkDFilterCount("tcp.flags & 0x8", 1)

    def test_exists_2(self, checkDFilterCount):
        # Same, on a one-byte slice of the Ethernet header.
        checkDFilterCount("eth[0] & 1", 0)

    def test_equal_1(self, checkDFilterCount):
        # Mask on the left-hand side of a comparison.
        checkDFilterCount("tcp.flags & 0x0F == 8", 1)

    def test_equal_2(self, checkDFilterCount):
        # Mask on the right-hand side of a comparison.
        checkDFilterCount("tcp.srcport != tcp.dstport & 0x0F", 1)

@fixtures.uses_fixtures
class case_unary_minus(unittest.TestCase):
    """Unary plus/minus on constants and fields, against ``http.pcap``.

    The checker fixtures are defined outside this file; the integer argument
    of ``checkDFilterCount`` is presumably the expected number of matching
    frames.
    """
    trace_file = "http.pcap"

    def test_minus_const_1(self, checkDFilterCount):
        checkDFilterCount("tcp.window_size_scalefactor == -1", 1)

    def test_minus_const_2(self, checkDFilterCount):
        checkDFilterCount("tcp.window_size_scalefactor == -2", 0)

    def test_plus_const_1(self, checkDFilterCount):
        checkDFilterCount("tcp.window_size_scalefactor == +1", 0)

    def test_unary_1(self, checkDFilterCount):
        # Sign applied to a field rather than a constant.
        checkDFilterCount("tcp.window_size_scalefactor == -tcp.dstport", 0)

    def test_unary_2(self, checkDFilterCount):
        checkDFilterCount("tcp.window_size_scalefactor == +tcp.dstport", 0)

    def test_unary_3(self, checkDFilterFail):
        # A signed constant on the left-hand side is a compile error.
        expected_message = 'Constant arithmetic expression on the LHS is invalid'
        checkDFilterFail("-2 == tcp.dstport", expected_message)

    def test_unary_4(self, checkDFilterCount):
        # Sign applied to a braced sub-expression.
        checkDFilterCount("tcp.window_size_scalefactor == -{tcp.dstport * 20}", 0)

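@fixtures.uses_fixtures
class case_arithmetic(unittest.TestCase):
    """Arithmetic in display filters, evaluated against ``dhcp.pcap``.

    The checker fixtures are defined outside this file; the integer argument
    of ``checkDFilterCount`` is presumably the expected number of matching
    frames and the string given to ``checkDFilterFail`` a fragment of the
    expected error text.
    """
    trace_file = "dhcp.pcap"

    def test_add_1(self, checkDFilterCount):
        dfilter = "udp.dstport == udp.srcport + 1"
        checkDFilterCount(dfilter, 2)

    def test_add_2(self, checkDFilterCount):
        dfilter = "udp.dstport == 66 + 1"
        checkDFilterCount(dfilter, 2)

    def test_add_3(self, checkDFilterCount):
        # Plus without surrounding spaces.
        dfilter = "udp.dstport == 66+1"
        checkDFilterCount(dfilter, 2)

    # Was a second "test_add_3": the later definition replaced the one above
    # in the class namespace, so the "66+1" case was never executed.
    def test_add_4(self, checkDFilterFail):
        error = 'Constant arithmetic expression on the LHS is invalid'
        dfilter = "2 + 3 == frame.number"
        checkDFilterFail(dfilter, error)

    def test_sub_1(self, checkDFilterCount):
        dfilter = "udp.srcport == udp.dstport - 1"
        checkDFilterCount(dfilter, 2)

    def test_sub_2(self, checkDFilterCount):
        dfilter = "udp.dstport == 68 - 1"
        checkDFilterCount(dfilter, 2)

    def test_sub_3(self, checkDFilterFail):
        # Minus operator requires spaces around it.
        error = '"68-1" is not a valid number.'
        dfilter = "udp.dstport == 68-1"
        checkDFilterFail(dfilter, error)

    def test_sub_4(self, checkDFilterCount):
        dfilter = "udp.length == ip.len - 20"
        checkDFilterCount(dfilter, 4)

    def test_expr_1(self, checkDFilterCount):
        # Nested braces group sub-expressions; both sides use constants only
        # inside the braces.
        dfilter = 'udp.port * { 10 / {5 - 4} } == udp.port * { {50 + 50} / 2 - 40 }'
        checkDFilterCount(dfilter, 4)

    def test_expr_2(self, checkDFilterCount):
        # Same shape with fields inside the braces.
        dfilter = 'udp.dstport * { udp.srcport / {5 - 4} } == udp.srcport * { 2 * udp.dstport - 68 }'
        checkDFilterCount(dfilter, 2)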

@fixtures.uses_fixtures
class case_field_reference(unittest.TestCase):
    """``${...}`` field references resolved from a selected frame.

    Runs against ``ipoipoip.pcap``. The checker fixture is defined outside
    this file; going by the comments below, its arguments are the filter, the
    expected match count and the number of the selected frame.
    """
    trace_file = "ipoipoip.pcap"

    def test_ref_1(self, checkDFilterCountWithSelectedFrame):
        # Frame 2 selected; 1 of the 2 frames is expected to match.
        selected_frame = 2
        checkDFilterCountWithSelectedFrame(
            'frame.number < ${frame.number}', 1, selected_frame)

    def test_ref_2(self, checkDFilterCountWithSelectedFrame):
        # Frame 1 selected; 1 of the 2 frames is expected to match.
        selected_frame = 1
        checkDFilterCountWithSelectedFrame(
            'ip.src#3 == ${ip.src#4}', 1, selected_frame)

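# Previously declared as a second "case_field_reference". Rebinding that
# module-level name hid the earlier class of the same name from test
# collection, so its ${...} reference tests never ran. The layer tests now
# have a name of their own.
@fixtures.uses_fixtures
class case_layer(unittest.TestCase):
    """Layer selection with the ``#`` operator, against ``ipoipoip.pcap``.

    The checker fixture is defined outside this file; its integer argument is
    presumably the expected number of matching frames.
    """
    trace_file = "ipoipoip.pcap"

    def test_layer_1(self, checkDFilterCount):
        dfilter = 'ip.addr#2 == 4.4.4.4'
        checkDFilterCount(dfilter, 1)

    def test_layer_2(self, checkDFilterCount):
        # Layer 5 exists in one frame ...
        dfilter = 'ip.addr#5'
        checkDFilterCount(dfilter, 1)

    def test_layer_3(self, checkDFilterCount):
        # ... and layer 6 in none.
        dfilter = 'ip.addr#6'
        checkDFilterCount(dfilter, 0)

    def test_layer_4(self, checkDFilterCount):
        # Bracketed range of layers.
        dfilter = 'ip.dst#[2-4] == 8.8.8.8'
        checkDFilterCount(dfilter, 1)

    def test_layer_5(self, checkDFilterCount):
        # Negative index; presumably counted from the innermost layer.
        dfilter = 'ip.dst#[-1] == 8.8.8.8'
        checkDFilterCount(dfilter, 0)

    def test_layer_6(self, checkDFilterCount):
        dfilter = 'ip.dst#[-1] == 9.9.9.9'
        checkDFilterCount(dfilter, 1)

    def test_layer_7(self, checkDFilterCount):
        dfilter = 'ip.dst#[-5] == 2.2.2.2'
        checkDFilterCount(dfilter, 1)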

@fixtures.uses_fixtures
class case_quantifiers(unittest.TestCase):
    """Explicit ``any`` / ``all`` quantifiers, against ``ipoipoip.pcap``.

    The checker fixture is defined outside this file; its integer argument is
    presumably the expected number of matching frames.
    """
    trace_file = "ipoipoip.pcap"

    def test_any_1(self, checkDFilterCount):
        # "any" matches more frames (2) than "all" (1) for the same comparison.
        checkDFilterCount('any ip.addr > 1.1.1.1', 2)

    def test_all_1(self, checkDFilterCount):
        checkDFilterCount('all ip.addr > 1.1.1.1', 1)

@fixtures.uses_fixtures
class case_raw_modifier(unittest.TestCase):
    """The ``@`` raw modifier, against ``s7comm-fuzz.pcapng.gz``.

    The string comparison in ``test_regular`` expects 3 frames, while the two
    raw byte values expect 2 and 1. That is consistent with distinct invalid
    bytes being displayed as the same U+FFFD replacement character, which the
    ``@`` form tells apart. The checker fixtures are defined outside this file.
    """
    trace_file = "s7comm-fuzz.pcapng.gz"

    def test_regular(self, checkDFilterCount):
        # Compared as a display string containing U+FFFD.
        checkDFilterCount('s7comm.blockinfo.blocktype == "0\uFFFD"', 3)

    def test_raw1(self, checkDFilterCount):
        # Compared as raw bytes 30 aa.
        checkDFilterCount('@s7comm.blockinfo.blocktype == 30:aa', 2)

    def test_raw2(self, checkDFilterCount):
        # Compared as raw bytes 30 fe.
        checkDFilterCount('@s7comm.blockinfo.blocktype == 30:fe', 1)

    def test_raw_ref(self, checkDFilterCountWithSelectedFrame):
        # Frame 3 selected; 2 of the 3 frames are expected to match.
        selected_frame = 3
        checkDFilterCountWithSelectedFrame(
            '@s7comm.blockinfo.blocktype == ${@s7comm.blockinfo.blocktype}',
            2, selected_frame)