2018-04-02 17:12:23 -07:00
|
|
|
#
|
|
|
|
|
# Wireshark tests
|
|
|
|
|
# By Gerald Combs <gerald@wireshark.org>
|
|
|
|
|
#
|
|
|
|
|
# Ported from a set of Bash scripts which were copyright 2005 Ulf Lamping
|
|
|
|
|
#
|
|
|
|
|
# SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
|
|
#
|
|
|
|
|
'''Command line option tests'''
|
|
|
|
|
|
2018-11-20 02:47:36 +01:00
|
|
|
import json
|
2019-04-06 00:29:51 +02:00
|
|
|
import sys
|
2018-11-20 02:47:36 +01:00
|
|
|
import os.path
|
2018-04-02 17:12:23 -07:00
|
|
|
import subprocess
|
2023-06-06 19:40:24 +01:00
|
|
|
import subprocesstest
|
2023-06-03 23:33:04 +01:00
|
|
|
from subprocesstest import ExitCodes, grep_output, count_output
|
2019-04-06 00:29:51 +02:00
|
|
|
import shutil
|
2023-06-03 23:33:04 +01:00
|
|
|
import pytest
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
#glossaries = ('fields', 'protocols', 'values', 'decodes', 'defaultprefs', 'currentprefs')
|
|
|
|
|
|
|
|
|
|
glossaries = ('decodes', 'values')
|
2018-04-27 10:35:17 -07:00
|
|
|
testout_pcap = 'testout.pcap'
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2018-11-13 02:17:33 +01:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestDumpcapOptions:
|
2018-04-02 17:12:23 -07:00
|
|
|
# XXX Should we generate individual test functions instead of looping?
|
2018-11-13 02:17:33 +01:00
|
|
|
def test_dumpcap_invalid_chars(self, cmd_dumpcap, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid dumpcap parameters'''
|
2024-06-07 20:56:42 -04:00
|
|
|
for char_arg in 'CEFGHJKNORTUVWXYejloxz':
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_dumpcap, '-' + char_arg), env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert process.returncode == ExitCodes.COMMAND_LINE
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
# XXX Should we generate individual test functions instead of looping?
|
2018-11-13 02:17:33 +01:00
|
|
|
def test_dumpcap_valid_chars(self, cmd_dumpcap, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
for char_arg in 'hv':
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_dumpcap, '-' + char_arg), env=base_env)
|
|
|
|
|
assert process.returncode == ExitCodes.OK
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
# XXX Should we generate individual test functions instead of looping?
|
2018-11-13 02:17:33 +01:00
|
|
|
def test_dumpcap_interface_chars(self, cmd_dumpcap, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Valid dumpcap parameters requiring capture permissions'''
|
2023-06-03 23:33:04 +01:00
|
|
|
valid_returns = [ExitCodes.OK, ExitCodes.INVALID_INTERFACE]
|
2018-04-02 17:12:23 -07:00
|
|
|
for char_arg in 'DL':
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_dumpcap, '-' + char_arg), env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert process.returncode in valid_returns
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestDumpcapClopts:
|
|
|
|
|
def test_dumpcap_invalid_capfilter(self, cmd_dumpcap, capture_interface, result_file, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid capture filter'''
|
|
|
|
|
invalid_filter = '__invalid_protocol'
|
|
|
|
|
# $DUMPCAP -f 'jkghg' -w './testout.pcap' > ./testout.txt 2>&1
|
2023-05-08 07:32:58 +01:00
|
|
|
testout_file = result_file(testout_pcap)
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_dumpcap, '-f', invalid_filter, '-w', testout_file), capture_output=True, env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stderr, 'Invalid capture filter "' + invalid_filter + '" for interface')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_dumpcap_invalid_interface_name(self, cmd_dumpcap, capture_interface, result_file, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid capture interface name'''
|
|
|
|
|
invalid_interface = '__invalid_interface'
|
|
|
|
|
# $DUMPCAP -i invalid_interface -w './testout.pcap' > ./testout.txt 2>&1
|
2023-05-08 07:32:58 +01:00
|
|
|
testout_file = result_file(testout_pcap)
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_dumpcap, '-i', invalid_interface, '-w', testout_file), capture_output=True, env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stderr, 'There is no device named "__invalid_interface"') or \
|
|
|
|
|
grep_output(process.stderr, 'The capture session could not be initiated on capture device "__invalid_interface"')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_dumpcap_invalid_interface_index(self, cmd_dumpcap, capture_interface, result_file, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid capture interface index'''
|
|
|
|
|
invalid_index = '0'
|
|
|
|
|
# $DUMPCAP -i 0 -w './testout.pcap' > ./testout.txt 2>&1
|
2023-05-08 07:32:58 +01:00
|
|
|
testout_file = result_file(testout_pcap)
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_dumpcap, '-i', invalid_index, '-w', testout_file), capture_output=True, env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stderr, 'There is no interface with that adapter index')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestBasicClopts:
|
|
|
|
|
def test_existing_file(self, cmd_tshark, capture_file, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
# $TSHARK -r "${CAPTURE_DIR}dhcp.pcap" > ./testout.txt 2>&1
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-r', capture_file('dhcp.pcap')), env=test_env)
|
|
|
|
|
assert process.returncode == ExitCodes.OK
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-10-12 09:23:53 -04:00
|
|
|
def test_existing_file_longopt(self, cmd_tshark, capture_file, test_env):
|
|
|
|
|
# $TSHARK -r "${CAPTURE_DIR}dhcp.pcap" > ./testout.txt 2>&1
|
|
|
|
|
process = subprocesstest.run((cmd_tshark, '--read-file', capture_file('dhcp.pcap'),
|
|
|
|
|
'--display-filter', 'dhcp'), env=test_env)
|
|
|
|
|
assert process.returncode == ExitCodes.OK
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_nonexistent_file(self, cmd_tshark, capture_file, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
# $TSHARK - r ThisFileDontExist.pcap > ./testout.txt 2 > &1
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-r', capture_file('__ceci_nest_pas_une.pcap')), env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert process.returncode == ExitCodes.INVALID_FILE_ERROR
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestTsharkOptions:
|
2018-04-02 17:12:23 -07:00
|
|
|
# XXX Should we generate individual test functions instead of looping?
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_tshark_invalid_chars(self, cmd_tshark, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid tshark parameters'''
|
tshark: Do not require -G to be the first option
Do not require -G to be the first option.
Have the glossary reports (other then the "defaultprefs" report)
reflect the current configuration state. That means dumping the
reports after other relevant options are applied, for example the
-o, -d, and --[disable|enable]-[protocol|heuristic] options.
For the new modified version of the "fields" report that filters on
certain prefixes, change the syntax to "-G fields,<prefix>", similar
to the "-z" options. Add a similar option for the "elastic-mapping"
report as an alternative to the separate --elastic-mapping-filter
long option. E.g.,
tshark -G elastic-mapping,ip,udp,dns
tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
are both acceptable. (Perhaps the latter should be deprecated?)
Fix #17924
2024-09-15 00:27:26 -04:00
|
|
|
# Most of these are valid but require a mandatory parameter
|
|
|
|
|
for char_arg in 'ABCEFGHJKMNORTUWXYZabcdefijkmorstuwyz':
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-' + char_arg), env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert process.returncode == ExitCodes.COMMAND_LINE
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
# XXX Should we generate individual test functions instead of looping?
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_tshark_valid_chars(self, cmd_tshark, test_env):
|
tshark: Do not require -G to be the first option
Do not require -G to be the first option.
Have the glossary reports (other then the "defaultprefs" report)
reflect the current configuration state. That means dumping the
reports after other relevant options are applied, for example the
-o, -d, and --[disable|enable]-[protocol|heuristic] options.
For the new modified version of the "fields" report that filters on
certain prefixes, change the syntax to "-G fields,<prefix>", similar
to the "-z" options. Add a similar option for the "elastic-mapping"
report as an alternative to the separate --elastic-mapping-filter
long option. E.g.,
tshark -G elastic-mapping,ip,udp,dns
tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
are both acceptable. (Perhaps the latter should be deprecated?)
Fix #17924
2024-09-15 00:27:26 -04:00
|
|
|
for char_arg in 'hv':
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-' + char_arg), env=test_env)
|
2023-06-13 17:12:26 +00:00
|
|
|
assert process.returncode == ExitCodes.OK
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
# XXX Should we generate individual test functions instead of looping?
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_tshark_interface_chars(self, cmd_tshark, cmd_dumpcap, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Valid tshark parameters requiring capture permissions'''
|
2025-01-03 14:10:26 -05:00
|
|
|
# These options require dumpcap, but may fail with a pcap error
|
|
|
|
|
# if Npcap is not present
|
2024-03-16 14:07:26 -04:00
|
|
|
valid_returns = [ExitCodes.OK, ExitCodes.PCAP_ERROR, ExitCodes.INVALID_CAPABILITY, ExitCodes.INVALID_INTERFACE]
|
2018-04-02 17:12:23 -07:00
|
|
|
for char_arg in 'DL':
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-' + char_arg), env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert process.returncode in valid_returns
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-06-13 17:12:26 +00:00
|
|
|
def test_tshark_disable_protos(self, cmd_tshark, capture_file, test_env):
|
|
|
|
|
'''--disable-protocol/--enable-protocol from !16923'''
|
|
|
|
|
process = subprocesstest.run((cmd_tshark, "-r", capture_file("http.pcap"),
|
|
|
|
|
"--disable-protocol", "ALL",
|
|
|
|
|
"--enable-protocol", "eth,ip",
|
|
|
|
|
"-Tjson", "-eeth.type", "-eip.proto", "-ehttp.host",
|
|
|
|
|
), capture_output=True, env=test_env)
|
|
|
|
|
assert process.returncode == ExitCodes.OK
|
|
|
|
|
obj = json.loads(process.stdout)[0]['_source']['layers']
|
|
|
|
|
assert obj.get('eth.type', 'NOT FOUND') == ['0x0800']
|
|
|
|
|
assert obj.get('ip.proto', 'NOT FOUND') == ['6']
|
|
|
|
|
assert obj.get('http.host', 'NOT FOUND') == 'NOT FOUND'
|
|
|
|
|
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestTsharkCaptureClopts:
|
|
|
|
|
def test_tshark_invalid_capfilter(self, cmd_tshark, capture_interface, result_file, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid capture filter'''
|
|
|
|
|
invalid_filter = '__invalid_protocol'
|
|
|
|
|
# $TSHARK -f 'jkghg' -w './testout.pcap' > ./testout.txt 2>&1
|
2023-05-08 07:32:58 +01:00
|
|
|
testout_file = result_file(testout_pcap)
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-f', invalid_filter, '-w', testout_file ), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stderr, 'Invalid capture filter "' + invalid_filter + '" for interface')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_tshark_invalid_interface_name(self, cmd_tshark, capture_interface, result_file, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid capture interface name'''
|
|
|
|
|
invalid_interface = '__invalid_interface'
|
|
|
|
|
# $TSHARK -i invalid_interface -w './testout.pcap' > ./testout.txt 2>&1
|
2023-05-08 07:32:58 +01:00
|
|
|
testout_file = result_file(testout_pcap)
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-i', invalid_interface, '-w', testout_file), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stderr, 'There is no device named "__invalid_interface"') or \
|
|
|
|
|
grep_output(process.stderr, 'The capture session could not be initiated on capture device "__invalid_interface"')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_tshark_invalid_interface_index(self, cmd_tshark, capture_interface, result_file, test_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
'''Invalid capture interface index'''
|
|
|
|
|
invalid_index = '0'
|
|
|
|
|
# $TSHARK -i 0 -w './testout.pcap' > ./testout.txt 2>&1
|
2023-05-08 07:32:58 +01:00
|
|
|
testout_file = result_file(testout_pcap)
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-i', invalid_index, '-w', testout_file), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stderr, 'There is no interface with that adapter index')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestTsharkNameResolutionClopts:
|
|
|
|
|
def test_tshark_valid_name_resolution(self, cmd_tshark, capture_file, test_env):
|
2018-10-05 08:54:55 +02:00
|
|
|
# $TSHARK -N mnNtdv -a duration:1 > ./testout.txt 2>&1
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark,
|
2021-12-02 10:05:25 -08:00
|
|
|
'-r', capture_file('empty.pcap'),
|
|
|
|
|
'-N', 'mnNtdv',
|
2023-06-03 23:33:04 +01:00
|
|
|
), env=test_env)
|
|
|
|
|
assert process.returncode == 0
|
2018-04-02 17:12:23 -07:00
|
|
|
|
|
|
|
|
# XXX Add invalid name resolution.
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestTsharkUnicodeClopts:
|
|
|
|
|
def test_tshark_unicode_display_filter(self, cmd_tshark, capture_file, test_env):
|
2018-05-30 13:32:20 -07:00
|
|
|
'''Unicode (UTF-8) display filter'''
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-r', capture_file('http.pcap'), '-Y', 'tcp.flags.str == "·······AP···"'), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(process.stdout, 'HEAD.*/v4/iuident.cab')
|
2018-05-30 13:32:20 -07:00
|
|
|
|
|
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
class TestTsharkDumpGlossaries:
|
2018-11-13 02:17:33 +01:00
|
|
|
def test_tshark_dump_glossary(self, cmd_tshark, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
for glossary in glossaries:
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-G', glossary), capture_output=True, env=base_env)
|
|
|
|
|
assert not process.stderr, 'Found error output while printing glossary ' + glossary
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2018-11-13 02:17:33 +01:00
|
|
|
def test_tshark_glossary_valid_utf8(self, cmd_tshark, base_env):
|
2018-04-02 17:12:23 -07:00
|
|
|
for glossary in glossaries:
|
2018-11-13 02:17:33 +01:00
|
|
|
env = base_env
|
2018-04-02 17:12:23 -07:00
|
|
|
env['LANG'] = 'en_US.UTF-8'
|
2023-06-06 19:40:24 +01:00
|
|
|
# subprocess.run() returns bytes here.
|
|
|
|
|
proc = subprocess.run((cmd_tshark, '-G', glossary), capture_output=True, env=env)
|
|
|
|
|
assert proc.returncode == 0
|
|
|
|
|
proc.stdout.decode('UTF-8')
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2021-02-26 15:21:30 +00:00
|
|
|
def test_tshark_glossary_plugin_count(self, cmd_tshark, base_env, features):
|
|
|
|
|
if not features.have_plugins:
|
2023-06-03 23:33:04 +01:00
|
|
|
pytest.skip('Test requires binary plugin support.')
|
2023-06-06 19:40:24 +01:00
|
|
|
process = subprocesstest.run((cmd_tshark, '-G', 'plugins'), capture_output=True, env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert count_output(process.stdout, 'dissector') >= 10, 'Fewer than 10 dissector plugins found'
|
2018-04-02 17:12:23 -07:00
|
|
|
|
2018-11-20 02:47:36 +01:00
|
|
|
def test_tshark_elastic_mapping(self, cmd_tshark, dirs, base_env):
|
|
|
|
|
def get_ip_props(obj):
|
2022-03-13 21:30:01 +01:00
|
|
|
return obj['mappings']['properties']['layers']['properties']['ip']['properties']
|
2018-11-20 02:47:36 +01:00
|
|
|
baseline_file = os.path.join(dirs.baseline_dir, 'elastic-mapping-ip-subset.json')
|
|
|
|
|
with open(baseline_file) as f:
|
|
|
|
|
expected_obj = json.load(f)
|
|
|
|
|
keys_to_check = get_ip_props(expected_obj).keys()
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-G', 'elastic-mapping', '--elastic-mapping-filter', 'ip'), capture_output=True, env=base_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
actual_obj = json.loads(proc.stdout)
|
2018-11-20 02:47:36 +01:00
|
|
|
ip_props = get_ip_props(actual_obj)
|
|
|
|
|
for key in list(ip_props.keys()):
|
|
|
|
|
if key not in keys_to_check:
|
|
|
|
|
del ip_props[key]
|
2023-06-03 23:33:04 +01:00
|
|
|
assert actual_obj == expected_obj
|
2018-11-20 02:47:36 +01:00
|
|
|
|
2019-01-28 21:09:46 +02:00
|
|
|
def test_tshark_unicode_folders(self, cmd_tshark, unicode_env, features):
|
2018-12-20 23:25:23 +01:00
|
|
|
'''Folders output with unicode'''
|
2019-01-28 21:09:46 +02:00
|
|
|
if not features.have_lua:
|
2023-06-03 23:33:04 +01:00
|
|
|
pytest.skip('Test requires Lua scripting support.')
|
2023-01-15 19:52:21 +00:00
|
|
|
if sys.platform == 'win32' and not features.have_lua_unicode:
|
2023-06-03 23:33:04 +01:00
|
|
|
pytest.skip('Test requires a patched Lua build with UTF-8 support.')
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-G', 'folders'), capture_output=True, env=unicode_env.env)
|
2023-06-03 23:33:04 +01:00
|
|
|
out = proc.stdout
|
2018-12-20 23:25:23 +01:00
|
|
|
pluginsdir = [x.split('\t', 1)[1] for x in out.splitlines() if x.startswith('Personal Lua Plugins:')]
|
2023-06-03 23:33:04 +01:00
|
|
|
assert [unicode_env.pluginsdir] == pluginsdir
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestTsharkZExpert:
|
|
|
|
|
def test_tshark_z_expert_all(self, cmd_tshark, capture_file, test_env):
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert',
|
2023-09-08 09:27:11 -04:00
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
2023-09-08 09:27:11 -04:00
|
|
|
# http2-data-reassembly.pcap has Errors, Warnings, Notes, and Chats
|
|
|
|
|
# when TCP checksum are verified.
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Errors')
|
|
|
|
|
assert grep_output(proc.stdout, 'Warns')
|
2023-09-08 09:27:11 -04:00
|
|
|
assert grep_output(proc.stdout, 'Notes')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_error(self, cmd_tshark, capture_file, test_env):
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,error',
|
2023-09-08 09:27:11 -04:00
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Errors')
|
|
|
|
|
assert not grep_output(proc.stdout, 'Warns')
|
2023-09-08 09:27:11 -04:00
|
|
|
assert not grep_output(proc.stdout, 'Notes')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert not grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_warn(self, cmd_tshark, capture_file, test_env):
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,warn',
|
2023-09-08 09:27:11 -04:00
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Errors')
|
|
|
|
|
assert grep_output(proc.stdout, 'Warns')
|
2023-09-08 09:27:11 -04:00
|
|
|
assert not grep_output(proc.stdout, 'Notes')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert not grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_note(self, cmd_tshark, capture_file, test_env):
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,note',
|
2023-09-08 09:27:11 -04:00
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
2023-09-08 09:27:11 -04:00
|
|
|
assert grep_output(proc.stdout, 'Errors')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Warns')
|
|
|
|
|
assert grep_output(proc.stdout, 'Notes')
|
|
|
|
|
assert not grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_chat(self, cmd_tshark, capture_file, test_env):
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,chat',
|
2023-09-08 09:27:11 -04:00
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Errors')
|
|
|
|
|
assert grep_output(proc.stdout, 'Warns')
|
2023-09-08 09:27:11 -04:00
|
|
|
assert grep_output(proc.stdout, 'Notes')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_comment(self, cmd_tshark, capture_file, test_env):
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,comment',
|
|
|
|
|
'-r', capture_file('sip.pcapng')), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert grep_output(proc.stdout, 'Notes')
|
|
|
|
|
assert grep_output(proc.stdout, 'Comments')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_invalid_filter(self, cmd_tshark, capture_file, test_env):
|
2018-11-07 21:33:41 +02:00
|
|
|
invalid_filter = '__invalid_protocol'
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,' + invalid_filter,
|
|
|
|
|
'-r', capture_file('http-ooo.pcap')), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert proc.returncode == ExitCodes.COMMAND_LINE
|
2025-04-18 13:24:27 +00:00
|
|
|
assert grep_output(proc.stderr, 'Filter "' + invalid_filter + '" is invalid')
|
2018-11-07 21:33:41 +02:00
|
|
|
|
2023-06-03 23:33:04 +01:00
|
|
|
def test_tshark_z_expert_error_invalid_filter(self, cmd_tshark, capture_file, test_env):
|
2018-11-07 21:33:41 +02:00
|
|
|
invalid_filter = '__invalid_protocol'
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,error,' + invalid_filter,
|
|
|
|
|
'-r', capture_file('http-ooo.pcap')), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert proc.returncode == ExitCodes.COMMAND_LINE
|
2025-04-18 13:24:27 +00:00
|
|
|
assert grep_output(proc.stderr, 'Filter "' + invalid_filter + '" is invalid')
|
2023-06-03 23:33:04 +01:00
|
|
|
|
|
|
|
|
def test_tshark_z_expert_filter(self, cmd_tshark, capture_file, test_env):
|
2023-09-08 09:27:11 -04:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,udp',
|
|
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
2023-09-08 09:27:11 -04:00
|
|
|
# Filtering for UDP should produce no expert infos.
|
2023-06-03 23:33:04 +01:00
|
|
|
assert not grep_output(proc.stdout, 'Errors')
|
|
|
|
|
assert not grep_output(proc.stdout, 'Warns')
|
2023-09-08 09:27:11 -04:00
|
|
|
assert not grep_output(proc.stdout, 'Notes')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert not grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
def test_tshark_z_expert_error_filter(self, cmd_tshark, capture_file, test_env):
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-q', '-z', 'expert,note,http', # tls is a filter
|
2023-09-08 09:27:11 -04:00
|
|
|
'-o', 'tcp.check_checksum:TRUE',
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
'-r', capture_file('http-ooo-fuzzed.pcapng')), capture_output=True, env=test_env)
|
|
|
|
|
# Filtering for HTTP and Note level expert info should produce only
|
|
|
|
|
# Error and Warning level expert infos with checksumming turned on.
|
|
|
|
|
# The Note warnings on are packets with TCP but not HTTP, and we're
|
|
|
|
|
# filtering out the Chat level.
|
2023-09-08 09:27:11 -04:00
|
|
|
assert grep_output(proc.stdout, 'Errors')
|
TCP, UDP: Calculate partial (pseudo header) checksums for offload
Linux and Windows, at least, when performing Local Checksum Offload
during Generic Segmentation Offload and at other times, place the one's
complement sum of the pseudo header in the checksum field, which
provides the necessary correction when a device (or its driver,
if not supported in hardware) computes the one's complement checksum
of each inner layer buffer in the skbuff. (This is why GSO requires
equal length buffers - so that the pseudo header contribution to
the checksum is the same.)
When performing our Internet checksum calculation, we can output
the partial sum of all but the last vector, which is an intermediate
result we calculate in the process anyway. The last vector is
generally the payload, and the previous vectors are for the pseudo
header. We can then compare this partial sum to the value in the
UDP or TCP header if the overall computed checksum isn't 0.
If it matches appropriately, we can have a more informative and
less scary message.
Update the tests a bit because this causes checksums to no longer
fail and be reported malformed in the http2 reassembly example.
Fix #18864. Related to #19109
2023-11-09 11:51:43 -05:00
|
|
|
assert grep_output(proc.stdout, 'Warns')
|
2023-09-08 09:27:11 -04:00
|
|
|
assert not grep_output(proc.stdout, 'Notes')
|
2023-06-03 23:33:04 +01:00
|
|
|
assert not grep_output(proc.stdout, 'Chats')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestTsharkExtcap:
|
2019-04-14 20:42:33 +02:00
|
|
|
# dumpcap dependency has been added to run this test only with capture support
|
2019-04-19 01:51:03 +01:00
|
|
|
def test_tshark_extcap_interfaces(self, cmd_tshark, cmd_dumpcap, test_env, home_path):
|
2019-04-06 00:29:51 +02:00
|
|
|
# Script extcaps don't work with the current code on windows.
|
|
|
|
|
# https://www.wireshark.org/docs/wsdg_html_chunked/ChCaptureExtcap.html
|
|
|
|
|
# TODO: skip this test until it will get fixed.
|
|
|
|
|
if sys.platform == 'win32':
|
2023-06-03 23:33:04 +01:00
|
|
|
pytest.skip('FIXME extcap .py scripts needs special treatment on Windows')
|
2024-08-31 07:51:50 -04:00
|
|
|
# Various guides and vulnerability scanners recommend setting /tmp noexec.
|
|
|
|
|
# If our temp path is such, the extcap script won't work.
|
|
|
|
|
try:
|
|
|
|
|
if os.statvfs(home_path).f_flag & os.ST_NOEXEC:
|
|
|
|
|
pytest.skip('Test requires temp directory to allow execution')
|
|
|
|
|
except AttributeError:
|
|
|
|
|
# Most Linux and NetBSD have ST_NOEXEC; Darwin and other *BSDs don't.
|
|
|
|
|
pass
|
2025-01-27 20:21:46 -05:00
|
|
|
source_file = os.path.join(os.path.dirname(__file__), 'sampleif.py')
|
|
|
|
|
# If the git config core.fileMode is set to false, then the execute bit
|
|
|
|
|
# won't be set. Respect the security policy rather than overriding it.
|
|
|
|
|
if not os.access(home_path, os.X_OK):
|
|
|
|
|
pytest.skip('Test requires execute permission for sampleif.py (is git config core.fileMode false?)')
|
2019-04-19 01:51:03 +01:00
|
|
|
extcap_dir_path = os.path.join(home_path, 'extcap')
|
|
|
|
|
os.makedirs(extcap_dir_path)
|
|
|
|
|
test_env['WIRESHARK_EXTCAP_DIR'] = extcap_dir_path
|
2023-12-01 15:10:07 -08:00
|
|
|
# We run our tests in a bare, reproducible home environment. This can result in an
|
|
|
|
|
# invalid or missing Python interpreter if our main environment has a wonky Python
|
|
|
|
|
# path, as is the case in the GitLab SaaS macOS runners which use `asdf`. Force
|
|
|
|
|
# sampleif.py to use our current Python executable.
|
|
|
|
|
with open(source_file, 'r') as sf:
|
|
|
|
|
sampleif_py = sf.read()
|
|
|
|
|
sampleif_py = sampleif_py.replace('/usr/bin/env python3', sys.executable)
|
|
|
|
|
sys.stderr.write(sampleif_py)
|
|
|
|
|
extcap_file = os.path.join(extcap_dir_path, 'sampleif.py')
|
|
|
|
|
with open(extcap_file, 'w') as ef:
|
|
|
|
|
ef.write(sampleif_py)
|
|
|
|
|
os.fchmod(ef.fileno(), os.fstat(sf.fileno()).st_mode)
|
|
|
|
|
|
2019-04-06 00:29:51 +02:00
|
|
|
# Ensure the test extcap_tool is properly loaded
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-D'), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert count_output(proc.stdout, 'sampleif') == 1
|
2019-04-06 00:29:51 +02:00
|
|
|
# Ensure tshark lists 2 interfaces in the preferences
|
2023-06-06 19:40:24 +01:00
|
|
|
proc = subprocesstest.run((cmd_tshark, '-G', 'currentprefs'), capture_output=True, env=test_env)
|
2023-06-03 23:33:04 +01:00
|
|
|
assert count_output(proc.stdout, 'extcap.sampleif.test') == 2
|
