#include #include #include #include #include #include #include #include #include #include #include #include "session_flags_internal.h" #include "gtest/gtest.h" extern "C" { #include "dummy.h" } #define MAC_FRAME_HEADER_LEN 14 #define IP_HEADER_LEN 20 #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 #define LINUX_COOKED_CAPTURE 20 struct pcap_loop_arg { pcap_t *pcap_handle; struct session_flags_ctx *ctx; }; struct session_flags_plugin_info *sf_plugin_info = NULL; extern int MESA_dir_link_to_human(int link_route_dir); extern char *session_flags_generate_firewall_message(uint64_t flags, uint32_t identify[session_flags_all_mask]); static inline size_t ts2ms(const timeval *ts) { return ts->tv_sec * 1000 + ts->tv_usec / 1000; } static void pcap_handle_cb(pcap_loop_arg *userarg, const struct pcap_pkthdr *pkthdr, const u_char *packet) { struct pcap_loop_arg *arg = (struct pcap_loop_arg *)userarg; struct session sess; int payload_len = 0; char *payload = NULL; unsigned short sport, dport; unsigned short eth_proto_type; unsigned char *ip_header; int topic_id = 0; memset(&sess, 0, sizeof(sess)); int data_link_type = pcap_datalink(arg->pcap_handle); switch (data_link_type) { case DLT_EN10MB: eth_proto_type = ntohs(*(unsigned short *)(packet + 12)); ip_header = (unsigned char *)(packet + sizeof(struct ethhdr)); break; case 276://DLT_LINUX_SLL2 eth_proto_type = ntohs(*(unsigned short *)packet); ip_header = (unsigned char *)(packet + LINUX_COOKED_CAPTURE); break; default: return; } if (eth_proto_type == ETH_P_IP) { int l4_proto = *(unsigned char *)(ip_header + 9); if (l4_proto == IPPROTO_TCP) { topic_id = DUMMY_TCP_TOPIC_ID; int ip_total_len = ntohs(*(unsigned short *)(ip_header + 2)); int ip_header_len = (*(unsigned char *)ip_header & 0x0f) * 4; int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(iphdr) + 12) & 0xf0) >> 4); payload_len = ip_total_len - ip_header_len - tcp_header_len; payload = (char *)ip_header + ip_header_len + tcp_header_len; } else if (l4_proto == IPPROTO_UDP) { topic_id = DUMMY_UDP_TOPIC_ID; payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(iphdr) - sizeof(struct udphdr); payload = (char *)ip_header + sizeof(iphdr) + sizeof(struct udphdr); } else { return; } sport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 0)); dport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 2)); } else if (eth_proto_type == ETH_P_IPV6) { int l4_proto = *(unsigned char *)(ip_header + 6); if (l4_proto == IPPROTO_TCP) { topic_id = DUMMY_TCP_TOPIC_ID; int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(struct ip6_hdr) + 12) & 0xf0) >> 4); payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - tcp_header_len; payload = (char *)ip_header + sizeof(struct ip6_hdr) + tcp_header_len; } else if (l4_proto == IPPROTO_UDP) { topic_id = DUMMY_UDP_TOPIC_ID; payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - sizeof(struct udphdr); payload = (char *)ip_header + sizeof(struct ip6_hdr) + sizeof(struct udphdr); } else { return; } sport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 0)); dport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 2)); } else { return; } session_set_current_payload(&sess, payload, payload_len); if (sport > dport) { session_flags(sf_plugin_info, arg->ctx, &sess, topic_id, pkthdr->caplen, FLOW_TYPE_C2S, ts2ms(&pkthdr->ts)); } else { session_flags(sf_plugin_info, arg->ctx, &sess, topic_id, pkthdr->caplen, FLOW_TYPE_S2C, ts2ms(&pkthdr->ts)); } } TEST(session_flags, bulky_and_download) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BULKY, SESSION_FLAGS_BULKY); EXPECT_EQ(flags_info->identify[session_flags_bulky_mask], 2333); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_DOWNLOAD, SESSION_FLAGS_DOWNLOAD); EXPECT_EQ(flags_info->identify[session_flags_download_mask], 2333); pcap_close(handle); free(ctx); } TEST(session_flags, CBR) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/youtube-quic.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR); EXPECT_EQ(flags_info->identify[session_flags_cbr_mask], 3351); pcap_close(handle); free(ctx); } TEST(session_flags, not_CBR_ftp) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR); pcap_close(handle); free(ctx); } TEST(session_flags, not_CBR_dtls) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/bilibili-dtls.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR); pcap_close(handle); free(ctx); } TEST(session_flags, server_is_local) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); // session_flags_ip(sf, inet_addr("192.168.1.1"), inet_addr("127.0.0.1"), inet_addr("192.168.1.1")); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER); EXPECT_EQ(flags_info->identify[session_flags_local_server_mask], 1); EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT); pcap_close(handle); free(ctx); } TEST(session_flags, client_is_local) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT); EXPECT_EQ(flags_info->identify[session_flags_local_client_mask], 1); pcap_close(handle); free(ctx); } TEST(session_flags, inbound) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT); EXPECT_EQ(flags_info->identify[session_flags_local_client_mask], 1); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INBOUND, SESSION_FLAGS_INBOUND); EXPECT_EQ(flags_info->identify[session_flags_inbound_mask], 1834); EXPECT_NE(flags_info->flags & SESSION_FLAGS_OUTBOUND, SESSION_FLAGS_OUTBOUND); EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER); pcap_close(handle); free(ctx); } TEST(session_flags, outbound) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER); EXPECT_EQ(flags_info->identify[session_flags_local_server_mask], 1); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_OUTBOUND, SESSION_FLAGS_OUTBOUND); EXPECT_EQ(flags_info->identify[session_flags_outbound_mask], 1834); EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT); EXPECT_NE(flags_info->flags & SESSION_FLAGS_INBOUND, SESSION_FLAGS_INBOUND); pcap_close(handle); free(ctx); } TEST(session_flags, not_streaming) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/1-dtls.192.168.44.32.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_NE(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING); EXPECT_NE(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL); EXPECT_NE(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL); pcap_close(handle); free(ctx); } TEST(session_flags, streaming_pseudo_unidirectional_unidirectional) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING); EXPECT_EQ(flags_info->identify[session_flags_streaming_mask], 2333); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL); EXPECT_EQ(flags_info->identify[session_flags_pseudo_unidirectional_mask], 2333); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL); EXPECT_EQ(flags_info->identify[session_flags_unidirectional_mask], 1834); pcap_close(handle); free(ctx); } TEST(session_flags, interactive) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/ssh-interactive.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE); EXPECT_EQ(flags_info->identify[session_flags_interactive_mask], 52); pcap_close(handle); free(ctx); } TEST(session_flags, not_interactive) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/youtube-quic.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_NE(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE); pcap_close(handle); free(ctx); } TEST(session_flags, random_looking_flags_telegram_mtproto_ipv4_key_1) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/telegram_mtproto_ipv4_key_1.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_RANDOM_LOOKING, SESSION_FLAGS_RANDOM_LOOKING); #if 0 EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_FREQUENCY, SESSION_FLAGS_FREQUENCY); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BLOCK_FREQUENCY, SESSION_FLAGS_BLOCK_FREQUENCY); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_CUMULATIVE_SUMS, SESSION_FLAGS_CUMULATIVE_SUMS); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS, SESSION_FLAGS_RUNS); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_LONGEST_RUN, SESSION_FLAGS_LONGEST_RUN); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANK, 0); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING, 0); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING, SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_UNIVERSAL, 0); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS, SESSION_FLAGS_RANDOM_EXCURSIONS); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT, SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_POKER_DETECT, SESSION_FLAGS_POKER_DETECT); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS_DISTRIBUTION, SESSION_FLAGS_RUNS_DISTRIBUTION); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_SELF_CORRELATION, SESSION_FLAGS_SELF_CORRELATION); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BINARY_DERIVATIVE, SESSION_FLAGS_BINARY_DERIVATIVE); #endif pcap_close(handle); free(ctx); } TEST(session_flags, random_looking_flags_telegram_mtproto_ipv6_key_1) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t * handle = pcap_open_offline("pcap/telegram_mtproto_ipv6_key_1.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_RANDOM_LOOKING, SESSION_FLAGS_RANDOM_LOOKING); #if 0 EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_FREQUENCY, SESSION_FLAGS_FREQUENCY); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BLOCK_FREQUENCY, SESSION_FLAGS_BLOCK_FREQUENCY); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_CUMULATIVE_SUMS, SESSION_FLAGS_CUMULATIVE_SUMS); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS, SESSION_FLAGS_RUNS); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_LONGEST_RUN, SESSION_FLAGS_LONGEST_RUN); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANK, 0); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING, 0); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING, SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_UNIVERSAL, 0); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS, SESSION_FLAGS_RANDOM_EXCURSIONS); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT, SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_POKER_DETECT, SESSION_FLAGS_POKER_DETECT); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS_DISTRIBUTION, SESSION_FLAGS_RUNS_DISTRIBUTION); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_SELF_CORRELATION, SESSION_FLAGS_SELF_CORRELATION); EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BINARY_DERIVATIVE, SESSION_FLAGS_BINARY_DERIVATIVE); #endif pcap_close(handle); free(ctx); } TEST(session_flags, bidirectional) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t *handle = pcap_open_offline("pcap/wechat_voice_call.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BIDIRECTIONAL, SESSION_FLAGS_BIDIRECTIONAL); pcap_close(handle); free(ctx); } #if 0 TEST(session_flags, tunneling_tls_fet) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t *handle = pcap_open_offline("pcap/tls1.2_no_reuse.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); tunneling_hs_stream_init(sf_plugin_info, ctx); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING); tunneling_hs_stream_free(ctx); pcap_close(handle); free(ctx); } TEST(session_flags, tunneling_tls_over_tls) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t *handle = pcap_open_offline("pcap/tls_over_tls_1.2_no_reuse.pcap", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); tunneling_hs_stream_init(sf_plugin_info, ctx); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_EQ(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING); tunneling_hs_stream_free(ctx); pcap_close(handle); free(ctx); } TEST(session_flags, tunneling_tls) { char error[100]; struct pcap_loop_arg arg; struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx)); pcap_t *handle = pcap_open_offline("pcap/tls1.2.pcapng", error); ASSERT_NE(handle, nullptr); session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND); tunneling_hs_stream_init(sf_plugin_info, ctx); memset(&arg, 0, sizeof(arg)); arg.ctx = ctx; arg.pcap_handle = handle; pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg); struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat); EXPECT_NE(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING); tunneling_hs_stream_free(ctx); pcap_close(handle); free(ctx); } #endif int main(int argc, char **argv) { testing::InitGoogleTest(&argc, argv); sf_plugin_info = (struct session_flags_plugin_info *)session_flags_plugin_init(NULL); sf_plugin_info->log_handle = NULL; int result = RUN_ALL_TESTS(); session_flags_plugin_exit(sf_plugin_info); return result; }