Handle searching for ip 255.255.255.255 (issue arkime#301)
awick committed Oct 31, 2014
1 parent a760d81 commit 36e6012
Showing 6 changed files with 180 additions and 69 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -14,6 +14,7 @@
- More SMB1 parsing
- More TLS cipherso
- Major viewer test suite restructure and improvements
- Handle searching for ip 255.255.255.255 (issue #301)


0.11.2 2014/10/16
23 changes: 22 additions & 1 deletion tests/general.t
@@ -1,4 +1,4 @@
use Test::More tests => 477;
use Test::More tests => 509;
use Cwd;
use URI::Escape;
use MolochTest;
@@ -87,6 +87,7 @@ my $pwd = getcwd() . "/pcap";
countTest(2, "date=-1&expression=" . uri_escape("file=$pwd/bt-udp.pcap&&rir.src!=/tes.*/"));
countTest(2, "date=-1&expression=" . uri_escape("(file=$pwd/bt-udp.pcap||file=$pwd/smtp-starttls.pcap)&&rir==[TEST,ARIN]"));
countTest(2, "date=-1&expression=" . uri_escape("(file=$pwd/bt-udp.pcap||file=$pwd/smtp-starttls.pcap)&&rir==[TEST,ARIN,BADRIR]"));

# ip tests
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/bt-udp.pcap&&ip.src=10.0.0.2"));
countTest(2, "date=-1&expression=" . uri_escape("file=$pwd/bt-udp.pcap&&ip.src!=10.0.0.2"));
@@ -103,6 +104,26 @@ my $pwd = getcwd() . "/pcap";
countTest(2, "date=-1&expression=" . uri_escape("file=$pwd/bt-udp.pcap&&ip.dst=[10.0.0.1,10.0.0.3]"));
countTest(2, "date=-1&expression=" . uri_escape("file=$pwd/bt-udp.pcap&&ip.dst=[10.0.0.1/32,10.0.0.3/32]"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/bt-udp.pcap&&ip=[10.0.0.1/32]"));

# ip boundary tests
countTest(0, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=0.0.0.0"));
countTest(0, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=255.255.255.254"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=255.255.255.255"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=255.255.255/24"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=255.255.255.255:50759"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=[255.255.255.255:50759]"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=255.255.255/24:50759"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.src=:50759"));

countTest(0, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=255.255.255.255"));
countTest(0, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=0.0.0.1"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=0.0.0.0"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=0.0.0/24"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=0.0.0.0:3207"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=[0.0.0.0:3207]"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=0.0.0/24:3207"));
countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip.dst=:3207"));

# ip.protocol
countTest(0, "date=-1&expression=" . uri_escape("(file=$pwd/bt-udp.pcap||file=$pwd/bt-tcp.pcap)&&ip.protocol=1"));
countTest(1, "date=-1&expression=" . uri_escape("(file=$pwd/bt-udp.pcap||file=$pwd/bt-tcp.pcap)&&ip.protocol=6"));
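Review bot: The new `# ip boundary tests` block exercises only `ip.src` and `ip.dst`, so the combined `ip=` form (used just above in `ip=[10.0.0.1/32]`, and presumably routed through the parser's `ipall` branch) is not covered at either boundary address. Consider adding `countTest(1, "date=-1&expression=" . uri_escape("file=$pwd/ip-boundaries.pcap&&ip=255.255.255.255"));` and the matching `ip=0.0.0.0` case. The expected count of 1 is inferred from the single session in the fixture and should be confirmed. A case with a malformed prefix such as `/33` would also pin down how the query parser treats bad input. The `tests => 509` plan on the first line has to grow with any added cases.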
Binary file added tests/pcap/ip-boundaries.pcap
Binary file not shown.
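--- a/tests/pcap/ip-boundaries.test
+++ b/tests/pcap/ip-boundaries.test
@@ -0,0 +1,60 @@
+{
+"packets" : [
+{
+"body" : {
+"db2" : 0,
+"db" : 137,
+"mac2-term" : [
+"00:10:db:ff:26:00"
+],
+"no" : "test",
+"lp" : 1387253713,
+"a2" : "0.0.0.0",
+"ss" : 1,
+"ta" : [
+"node:test",
+"protocol:bittorrent",
+"udp"
+],
+"pa1" : 1,
+"fpd" : 1387253713030,
+"fs" : [],
+"by2" : 0,
+"pa2" : 0,
+"p1" : 50759,
+"by" : 145,
+"pr" : 17,
+"ps" : [
+103
+],
+"prot-term-cnt" : 2,
+"lpd" : 1387253713030,
+"fp" : 1387253713,
+"pa" : 1,
+"sl" : 0,
+"fb1" : "64313a6164323a69",
+"tacnt" : 3,
+"a1" : "255.255.255.255",
+"db1" : 137,
+"by1" : 145,
+"mac2-term-cnt" : 1,
+"p2" : 3207,
+"mac1-term-cnt" : 1,
+"prot-term" : [
+"udp",
+"bittorrent"
+],
+"mac1-term" : [
+"78:fe:3d:11:21:f2"
+]
+},
+"header" : {
+"index" : {
+"_index" : "tests_sessions-131217",
+"_type" : "session"
+}
+}
+}
+]
+}
+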
15 changes: 9 additions & 6 deletions viewer/molochparser.jison
@@ -91,7 +91,7 @@ function parseIpPort(yy, field, ipPortStr) {
function singleIp(dbField, ip1, ip2, port) {
var obj;
if (ip1 !== -1) {
if (ip1 !== undefined) {
if (ip1 === ip2) {
obj = {term: {}};
obj.term[dbField] = ip1>>>0;
@@ -109,7 +109,7 @@ function parseIpPort(yy, field, ipPortStr) {
throw field + " doesn't support port";
}
if (ip1 === -1) {
if (ip1 === undefined) {
obj = obj.bool.must[1];
}
}
@@ -133,7 +133,7 @@ function parseIpPort(yy, field, ipPortStr) {
// Support '10.10.10/16:4321'
var ip1 = -1, ip2 = -1;
var ip1, ip2;
var colons = ipPortStr.split(':');
var slash = colons[0].split('/');
var dots = slash[0].split('.');
@@ -157,9 +157,12 @@ function parseIpPort(yy, field, ipPortStr) {
// Can't shift by 32 bits in javascript, who knew!
if (slash[1] && slash[1] !== '32') {
var s = parseInt(slash[1], 10);
ip1 = ip1 & (0xffffffff << (32 - s));
ip2 = ip2 | (0xffffffff >>> s);
if (ip1 === undefined) {
ip1 = ip2 = 0xffffffff;
}
var s = parseInt(slash[1], 10);
ip1 = ip1 & (0xffffffff << (32 - s));
ip2 = ip2 | (0xffffffff >>> s);
}
if (dbField !== "ipall") {
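Review bot: The prefix length from `slash[1]` is still used unvalidated in the re-indented mask lines of the last hunk. `parseInt(slash[1], 10)` can yield NaN, 0, or a value of 32 or more (the literal `'32'` is skipped, but `'032'` or `'33'` is not), and because JavaScript takes shift counts modulo 32 those inputs silently build a mask for a different range instead of failing. The string comes straight from the user's search expression, so a mistyped CIDR would return sessions for the wrong network with no indication. A guard right after the `parseInt`, in the style of the existing `doesn't support port` throw, would close this: `if (isNaN(s) || s < 1 || s > 31) { throw field + " has an invalid prefix length"; }`. The enclosing function starts and ends outside the visible hunks, so confirm that `field` is in scope here and whether `/0` needs a branch of its own.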