From: Jeff Lucovsky
Date: Mon, 8 Aug 2022 12:20:49 +0000 (-0400)
Subject: test/vlan: 3-level VLAN test
X-Git-Tag: suricata-6.0.13~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d692e4a7368a8714b7488bde36a13f8f496619b4;p=thirdparty%2Fsuricata-verify.git
test/vlan: 3-level VLAN test
Issue: 2816
This commit tests for 3-level VLAN encapsulations.
---
diff --git a/tests/eve-flow-vlan-02/input.pcap b/tests/eve-flow-vlan-02/input.pcap
new file mode 100644
index 000000000..10d17a912
Binary files /dev/null and b/tests/eve-flow-vlan-02/input.pcap differ
diff --git a/tests/eve-flow-vlan-02/suricata.yaml b/tests/eve-flow-vlan-02/suricata.yaml
new file mode 100644
index 000000000..04706a563
--- /dev/null
+++ b/tests/eve-flow-vlan-02/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - flow
diff --git a/tests/eve-flow-vlan-02/test.yaml b/tests/eve-flow-vlan-02/test.yaml
new file mode 100644
index 000000000..ec3e92633
--- /dev/null
+++ b/tests/eve-flow-vlan-02/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 7
+
+checks:
+ - filter:
+ comment: single vlan
+ count: 1
+ match:
+ event_type: flow
+ vlan: [6]
+
+ - filter:
+ comment: double-tagged vlan
+ count: 1
+ match:
+ event_type: flow
+ vlan: [1, 10]
+
+ - filter:
+ comment: triple-tagged vlan
+ count: 1
+ match:
+ event_type: flow
+ vlan: [1, 10, 100]
diff --git a/tests/eve-flow-vlan-02/writepcap.py b/tests/eve-flow-vlan-02/writepcap.py
new file mode 100755
index 000000000..faf856c40
--- /dev/null
+++ b/tests/eve-flow-vlan-02/writepcap.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+# VLAN tagged packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/ICMP()
+
+# Double-tagged VLAN (QinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=1)/Dot1Q(vlan=10)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/ICMP()
+
+# Triple-tagged VLAN (QinQinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=1)/Dot1Q(vlan=10)/Dot1Q(vlan=100)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/ICMP()
+
+wrpcap('input.pcap', pkts)
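Review bot: `pkts += Ether(...)/...` in each of the three packet blocks extends the list by iterating the scapy packet, which only yields a single element because no field is given a range; `pkts.append(Ether(...)/...)` states the intent directly and will not silently fan out into several packets if a field is ever parameterised. The `from scapy.all import *` star import also hides which names the script actually depends on; `from scapy.all import Ether, Dot1Q, IP, ICMP, wrpcap` makes that explicit and keeps the module namespace clean. The `#!/usr/bin/env python` shebang resolves to Python 2 on systems that still ship both interpreters, so `#!/usr/bin/env python3` would pin the version the generator is meant to run under.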