From: Jeff Lucovsky
Date: Sat, 28 Dec 2019 18:23:27 +0000 (-0500)
Subject: decode: ERSPAN Type I packet parsing
X-Git-Tag: suricata-6.0.4~354
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F177%2Fhead;p=thirdparty%2Fsuricata-verify.git
decode: ERSPAN Type I packet parsing
---
diff --git a/tests/decode-erspan-typeI-01/README.md b/tests/decode-erspan-typeI-01/README.md
new file mode 100644
index 000000000..772d21f23
--- /dev/null
+++ b/tests/decode-erspan-typeI-01/README.md
@@ -0,0 +1 @@
+Ensure ERSPAN Type I packets are decoded
diff --git a/tests/decode-erspan-typeI-01/input.pcap b/tests/decode-erspan-typeI-01/input.pcap
new file mode 100644
index 000000000..961075040
Binary files /dev/null and b/tests/decode-erspan-typeI-01/input.pcap differ
diff --git a/tests/decode-erspan-typeI-01/test.yaml b/tests/decode-erspan-typeI-01/test.yaml
new file mode 100644
index 000000000..034442bb1
--- /dev/null
+++ b/tests/decode-erspan-typeI-01/test.yaml
@@ -0,0 +1,32 @@
+requires:
+
+ min-version: 6.0.0
+
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: 100.95.2.201
+ proto: ICMP
+ vlan: [1011]
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: 100.95.3.105
+ proto: ICMP
+ vlan: [999]
+
+ - stats:
+ decoder.ipv4: 84
+ decoder.gre: 42
+ decoder.erspan: 42
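Review bot: The test.yaml hunk asserts only positive counts (two flow records and the `decoder.ipv4`/`decoder.gre`/`decoder.erspan` counters), so a capture whose inner frame is rejected after the ERSPAN layer could still pass as long as the two VLAN-tagged flows appear; adding a negative assertion under `stats:` such as `decoder.invalid: 0` (and `decoder.icmpv4: 42` if that counter is exposed by the versions this test runs against) would make a decoder error on the inner payload fail the test. The `decoder.ipv4: 84` value is presumably the outer plus inner IPv4 header for each of the 42 packets; a one-line YAML comment above the stats block, e.g. `# 42 packets, outer + inner IPv4 header each`, would save the next reader from re-deriving it. The first filter (`count: 2` on `event_type: flow`) is implied by the two VLAN-specific filters, but it does guard against unexpected extra flows, so it is worth keeping.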