From 71b3dc2b9b15a1272cd0c82a0a05c8ff9060eb5d Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Sat, 28 Dec 2019 13:23:27 -0500 Subject: [PATCH] decode: ERSPAN Type I packet parsing --- tests/decode-erspan-typeI-01/README.md | 1 + tests/decode-erspan-typeI-01/input.pcap | Bin 0 -> 6576 bytes tests/decode-erspan-typeI-01/test.yaml | 32 ++++++++++++++++++++++++ 3 files changed, 33 insertions(+) create mode 100644 tests/decode-erspan-typeI-01/README.md create mode 100644 tests/decode-erspan-typeI-01/input.pcap create mode 100644 tests/decode-erspan-typeI-01/test.yaml diff --git a/tests/decode-erspan-typeI-01/README.md b/tests/decode-erspan-typeI-01/README.md new file mode 100644 index 000000000..772d21f23 --- /dev/null +++ b/tests/decode-erspan-typeI-01/README.md @@ -0,0 +1 @@ +Ensure ERSPAN Type I packets are decoded diff --git a/tests/decode-erspan-typeI-01/input.pcap b/tests/decode-erspan-typeI-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..961075040b145e070ef1b8f75411d3c3aaff35d9 GIT binary patch literal 6576 zc-pPlSxD4T6vy%Ff*DknW~HTNWoDVCGdh!wHkR5$K^O)>ltn`H5K-1cw4hLs&`TuL zeP{TDj%E%qT^HMGkJcmw`xi&g~D!SMNOo4ubRZ|K-DfmjAeFo;>gr-hyu4 z!UOK#4~-nDEL|jS!teM~o0WE>*pXKrUs(OlSELJZ6(5@tQ{kDDE&Ot_|KtmCqYD3C z9}o8#mPh%*Yf3&c>&|t%Nb%?~R|Vo$<1*P-CQTgZPW&B z<~pOzs?e6p<#tTE9U`}Bt+sl`=c(hAblXpEvq{hvUvIQUDzxq6a&x0wm6P1OZ8~iY zuEa=Run4T?vdND722$gMw>;U?IM%gXtH#>L~c`BZB2~N z)1pG@wvpUsEYP;2$!LpEXgkK`Hj8eRmE`7W)oE*nT@=&%LU94Qb;gjJI|14fn-yO} zaF@m8Hg-q4g^}BcR$B|~W|_{n;tJ{JMQ)3+Evdz5^H*q#;BxCjx7RLm3)E_Bg`Jbh zt>g&0bsU~^yjka0HrPGoa;rhN_Fv>?!?xr$qwQPC z{M!afncO}}w_b8f(`svnT|Sdr=@sdgL~cy0+`OXiF48|gWSwoZ5@o? zhm@T}x3)}jv&KQ&&JLsPyF%L!rt@v$C%V0?B{#cPTPN%Wx!m5NTkCIfTM!Fv_D-WM zpmhFio0-nHNnh#qnB4rd+PYvD$n-hneuQ+pMQ)QZ(3aYz_!+5-@%xa;FX;B-3%Si` zwK-wu$K`fey4lFBHyYY@IgPd*3T<51r&H&pTN=6bYqhyx=fmXo;553m>?JoJY}@Tp zyavQwG?&|T>1HCgC0cFWu#04JD>tKC^EGn&8U<}>-9}r2LR%)6+gEgZ{*l}UwAy-L n=Vp3eD7Q$rd~yrIw)7sOZMJ0oZCsy2ezu|8vmtT|(`x$%dN}GJ literal 0 Hc-jL100001 
diff --git a/tests/decode-erspan-typeI-01/test.yaml b/tests/decode-erspan-typeI-01/test.yaml
new file mode 100644
index 000000000..034442bb1
--- /dev/null
+++ b/tests/decode-erspan-typeI-01/test.yaml
@@ -0,0 +1,32 @@
+requires:
+
+ min-version: 6.0.0
+
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: 100.95.2.201
+ proto: ICMP
+ vlan: [1011]
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: 100.95.3.105
+ proto: ICMP
+ vlan: [999]
+
+ - stats:
+ decoder.ipv4: 84
+ decoder.gre: 42
+ decoder.erspan: 42
--
2.47.2
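Review bot: The `stats` check at the end of test.yaml pins only the positive counters (`decoder.ipv4: 84`, `decoder.gre: 42`, `decoder.erspan: 42`), so a regression that still counts the 42 tunnelled packets but also marks some of them as malformed would pass. Consider adding `decoder.invalid: 0` to the same `stats` block, after confirming that value against a run on input.pcap, so the test also shows the Type I path raises no decoder errors. A short comment above the stats, such as `# 42 GRE/ERSPAN packets, each with an outer and an inner IPv4 header`, would explain where 84 comes from. That breakdown is inferred from the counts and should be checked against the capture.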