From bb01dcbe791ffaaf49df299d486cee8d408bd1f8 Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Mon, 29 Jul 2024 14:32:14 +0200
Subject: [PATCH] Add support for GTP de-tunneling

Close #6
---
 pl7m.c                               | 182 +++++++++++++++++++++++++++
 tests/pcaps/gtpu-dns.pcapng          | Bin 0 -> 476 bytes
 tests/pcaps/gtpu-tls.pcapng          | Bin 0 -> 14420 bytes
 tests/results/gtpu-dns.pcapng.fuzzed | Bin 0 -> 19623 bytes
 tests/results/gtpu-tls.pcapng.fuzzed | Bin 0 -> 74101 bytes
 5 files changed, 182 insertions(+)
 create mode 100644 tests/pcaps/gtpu-dns.pcapng
 create mode 100644 tests/pcaps/gtpu-tls.pcapng
 create mode 100644 tests/results/gtpu-dns.pcapng.fuzzed
 create mode 100644 tests/results/gtpu-tls.pcapng.fuzzed

diff --git a/pl7m.c b/pl7m.c
index dac5fc1..827e538 100644
--- a/pl7m.c
+++ b/pl7m.c
@@ -159,6 +159,39 @@ struct gre_header {
     __u16	protocol;
 };
 
+#define GTP_MSG_TPDU	0xFF
+
+struct gtp_header {
+#if defined(__LITTLE_ENDIAN_BITFIELD)
+	u_int16_t n_pdu:1,
+		  sequence:1,
+		  extension:1,
+		  reserved:1,
+		  protocol:1,
+		  version:3,
+		  type:8;
+#elif defined(__BIG_ENDIAN_BITFIELD)
+	u_int16_t version:3,
+		  protocol:1,
+		  reserved:1,
+		  extension:1,
+		  sequence:1,
+		  n_pdu:1,
+		  type:8;
+#else
+#error "Adjust your <asm/byteorder.h> defines"
+#endif
+	u_int16_t total_length;
+	u_int32_t teid;
+};
+
+struct gtp_header_optional {
+	u_int16_t sn;
+	u_int8_t n_pdu_nbr;
+	u_int8_t next_hdr;
+};
+
+
 struct m_pkt {
 	unsigned char *raw_data;
 	struct pcap_pkthdr header;
@@ -166,6 +199,7 @@ struct m_pkt {
 	int l2_offset;
 	int prev_l3_offset;
 	u_int16_t prev_l3_proto;
+	int gtp_offset;
 	int l3_offset;
 	u_int16_t l3_proto;
 	int l4_offset;
@@ -708,6 +742,136 @@ static int dissect_l4(struct m_pkt *p)
 	}
 	return 0;
 }
+static int is_gtp_u(unsigned char *gtp_buffer, int gtp_buffer_len,
+		    const struct m_pkt *p, u_int16_t *l3_proto)
+{
+	struct gtp_header *gtp_h;
+	struct udphdr *udp_h;
+	uint16_t new_layer_len = 0;
+	unsigned char sub_proto;
+
+	if (p->l4_proto != IPPROTO_UDP ||
+	    gtp_buffer_len < (int)sizeof(struct gtp_header))
+		return 0;
+
+	/* Only default port */
+	udp_h = (struct udphdr *)(p->raw_data + p->l4_offset);
+	if(udp_h->source != htons(2152) &&
+	   udp_h->dest != htons(2152))
+		return 0;
+
+	gtp_h = (struct gtp_header *)gtp_buffer;
+
+	if (gtp_h->version != 1 ||
+	    gtp_h->type != GTP_MSG_TPDU ||
+	    gtp_h->reserved != 0 ||
+	    ntohs(gtp_h->total_length) > (gtp_buffer_len - sizeof(struct gtp_header))) {
+		ddbg("Invalid gtp header: %d, 0x%x, 0x%0x, %d vs %d\n",
+		     gtp_h->version, gtp_h->type, gtp_h->reserved,
+		     ntohs(gtp_h->total_length), gtp_buffer_len);
+		return 0;
+	}
+
+	new_layer_len = sizeof(struct gtp_header);
+
+	/* Optional header version 1 */
+	if (gtp_h->extension || gtp_h->sequence || gtp_h->n_pdu) {
+		new_layer_len += sizeof(struct gtp_header_optional);
+
+		if (gtp_buffer_len < new_layer_len)
+			return 0;
+	}
+	if (gtp_h->extension) {
+		unsigned int length = 0;
+
+		while (new_layer_len < (gtp_buffer_len - 1)) {
+			length = gtp_buffer[new_layer_len] << 2;
+			new_layer_len += length;
+			if (new_layer_len > gtp_buffer_len ||
+			    gtp_buffer[new_layer_len - 1] == 0 || length == 0)
+				break;
+		}
+		if (new_layer_len > gtp_buffer_len ||
+		    gtp_buffer[new_layer_len - 1] != 0 ||
+		    length == 0) {
+			return 0;
+		}
+	}
+
+	/* Trying to detect next proto. Code taken from wireshark */
+	if (gtp_buffer_len < new_layer_len + 1)
+		return 0;
+	sub_proto = gtp_buffer[new_layer_len];
+	if ((sub_proto >= 0x45) && (sub_proto <= 0x4e)) {
+		/* This is most likely an IPv4 packet
+		 * we can exclude 0x40 - 0x44 because the minimum header size is 20 octets
+		 * 0x4f is excluded because PPP protocol type "IPv6 header compression"
+		 * with protocol field compression is more likely than a plain
+		 * IPv4 packet with 60 octet header size */
+		*l3_proto = ETH_P_IP;
+	} else if ((sub_proto & 0xf0) == 0x60) {
+		/* This is most likely an IPv6 packet */
+		*l3_proto = ETH_P_IPV6;
+	} else {
+		/* This seems to be a PPP packet */
+                /* TODO: code not back-ported from wireshark yet*/
+		return 0;
+	}
+
+	return new_layer_len;
+}
+static int dissect_l4_detunneling(struct m_pkt *p)
+{
+	unsigned char *data = p->raw_data + p->l5_offset;
+	int data_len = p->header.caplen - p->l5_offset;
+	u_int16_t next_l3_proto;
+	int gtp_header_len, rc;
+
+	ddbg("L4(detunel): l4_proto %d data_len %d l5_length %d\n",
+	     p->l4_proto, data_len, p->l5_length);
+
+	if (data_len < 0 || p->l5_length > data_len)
+		return -1;
+
+	/* TODO: try to handle tunnel over fragment */
+	if (p->is_l3_fragment) {
+		ddbg("Skip L4(detunnel) dissection because it is a fragment\n");
+		return 0;
+	}
+	/* No reasons to detunnel if we skipped L4 dissection */
+	if (p->skip_l4_dissection) {
+		ddbg("Skip L4 dissection\n");
+		return 0;
+	}
+
+	/* GTP detunneling: looking only for MSG T-PDU that carries
+	   encapsulated data */
+	gtp_header_len = is_gtp_u(data, data_len, p, &next_l3_proto);
+	if (gtp_header_len > 0) {
+		ddbg("Found GTP-U\n");
+		if (p->prev_l3_proto == 0) {
+			assert(p->prev_l3_offset == 0);
+			p->prev_l3_proto = p->l3_proto;
+			p->prev_l3_offset = p->l3_offset;
+		} else {
+			derr("Multiple tunnels. Unsupported\n");
+			return -1;
+		}
+		assert(p->gtp_offset == 0);
+		p->gtp_offset = p->l5_offset;
+		p->l3_proto = next_l3_proto;
+		p->l3_offset = p->l5_offset + gtp_header_len;
+		rc = dissect_l3(p);
+		if (rc != 0) {
+			derr("Error dissect_l3 (after gtp)\n");
+			return -1;
+		}
+		return dissect_l4(p);
+	}
+
+	/* "Normal" L4 traffic */
+	return 0;
+}
 static int dissect_do(int datalink_type, struct m_pkt *p)
 {
 	int rc;
@@ -727,6 +891,12 @@ static int dissect_do(int datalink_type, struct m_pkt *p)
 		derr("Error dissect_l4\n");
 		return -1;
 	}
+	/* Some kind of detunneling over L4 (usually over UDP). Example: GTP */
+	rc = dissect_l4_detunneling(p);
+	if (rc != 0) {
+		derr("Error dissect_l5\n");
+		return -1;
+	}
 	return 0;
 }
 
@@ -792,6 +962,7 @@ static void update_do_l7(struct m_pkt *p)
 {
 	struct udphdr *udp_h;
 	struct tcphdr *tcp_h;
+	struct gtp_header *gtp_h;
 	size_t new_l5_len;
 	int l4_header_len = 0;
 	int l5_len_diff;
@@ -857,6 +1028,16 @@ static void update_do_l7(struct m_pkt *p)
 		ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) + l5_len_diff);
 	}
 
+	/* Update GTP header */
+	if (p->gtp_offset) {
+		gtp_h = (struct gtp_header *)(p->raw_data + p->gtp_offset);
+		gtp_h->total_length = htons(ntohs(gtp_h->total_length) + l5_len_diff);
+		/* Update previous UDP header */
+		assert(p->gtp_offset > (int)sizeof(struct udphdr));
+		udp_h = (struct udphdr *)(p->raw_data + p->gtp_offset - sizeof(struct udphdr));
+		udp_h->len = htons(ntohs(udp_h->len) + l5_len_diff);
+	}
+
 	p->l5_length = new_l5_len;
 	ddbg("cap_len %u->%zu\n", p->header.caplen, p->l5_offset + new_l5_len);
 	p->header.caplen = p->l5_offset + new_l5_len;
@@ -955,6 +1136,7 @@ static struct m_pkt *__dup_pkt(struct m_pkt *p)
 	n->l2_offset = p->l2_offset;
 	n->prev_l3_offset = p->prev_l3_offset;
 	n->prev_l3_proto = p->prev_l3_proto;
+	n->gtp_offset = p->gtp_offset;
 	n->l4_offset = p->l4_offset;
 	n->l3_offset = p->l3_offset;
 	n->l3_proto = p->l3_proto;
diff --git a/tests/pcaps/gtpu-dns.pcapng b/tests/pcaps/gtpu-dns.pcapng
new file mode 100644
index 0000000000000000000000000000000000000000..ec8e9146aaff9b405270a717927cad271f938934
GIT binary patch
literal 476
zcmd<$<>d-sU|{gI(UxKa(*L1=g+ZGkI597?B(o|tMIotDA*3iVIW@c}F)uwQwMe1N
zK+jCiLLsR%GbcsC(!>&|lYs$b4#*4*DE<FG0|OHS3qxv2h5;u~h7BkV0w8%1djSxG
zfL9GG!|Cbmn~Q+#GO!3khU0pHz@oT=rW_2e6$~jNe;61X1Wz}qPG*;MyR0U{k-?Dx
zvd-u~g9CrSKZSXs3=FOe3^tjELFy7*53G>O71G(Cex;ScltE*Isa`42T_C3c0b@Ex
zc}8MMabiIMb6#o*NE|2wawiNd05U-CI|3B|xi2xMWAjuXAB2Gb)qU+!a~K%x1ds0r
zxeeq-u=|P`7!3Y1B%9dY^#Qsq+4C<0LyBPZ6Og+=?qe_oy3YUWF1^ym2A~U=K*nNo
t+W{U1R*(yMOBuLXl7TK~PEN@?z;{3g;&29Q1{Qf<Zv&uiWIur14gi?ZY7zhd

literal 0
HcmV?d00001

diff --git a/tests/pcaps/gtpu-tls.pcapng b/tests/pcaps/gtpu-tls.pcapng
new file mode 100644
index 0000000000000000000000000000000000000000..151b102683981661ce1e4bec0f1256dfc82921b1
GIT binary patch
literal 14420
zcmeHO2~<-_)~=Vlgb>0aAcRdL2rg_dVHaeT%@svl5VS)G5Jf-|1b09dMHB{5qy<HR
zb^+I>6-5+VMMd1erCV(gL<JONlg1WgstB~8{?jva&YYS5oYXm$mwHRpty}fJd+U3*
z=(4hOHvqsa8+~;Q9{UFq8K{Dpf{=(PmZ=fj%!n{F=NJa^L-^qW9>4(&tmKCW@_F1a
z_y|DHqi2-|kNy4P|5RAs4KqpwX%rB@?Rmv&_#frLM21Il3<%yE1HPlsfO8P|ZiOY3
zV${9!^wtm-z4Z?hS`aM=%mjew2R4eShkBg>u*vbX2liCLimp*6RDH0$D(5*?>bSmO
z6{<Ct)ZeeJ3IGYG6yqcs9h0@xM&~gynI@L!OSuxS)%_oGF`!&vP_7fx0k9tBQHW$h
zvJIE(#(2FnBo_eoz=ZlZ8OelX!%B0WzpPW1fwG0?Dz0Mru?FOdLUILEy>dgcLAj(p
z%QX!t5+<atu#6WKI<SoLVERg5nCyy3q_4YoN9gOrfWDdr_0^Q)h4f{d^o72{p=^w3
zCbn>P9n=ptpsOWFE)_BcPQX@+$mDVM=@BQV8`z{y-g%;Pyf6Fe-<}p4`RrS{&7iyd
zy}Z{^05r?>%MGdymm8N8Rfo!@%jxAx<;ox%<N#w}1}h2d#|EYcU;-5Yl(=C6BQB2@
z5y|I@g81P^ywH_!uEAcyEDIEX98ShD3YmgY$yAJl0Scgq`>z0GfHW;gBnmTT8?j*l
zUIcVF7pXuC*1!ZvcW7*TDPnCQ9oF7!sCW#^C=aGV9ey5L%9WFqXl&iD4If*|38X_x
zu6S%IxeB`Wz?6E0{KeQZ9M}IaAzA^vQ9mixVL;Vu1vsutRLEp7p9Fvhnf&Nr{=<M<
zED+<We7pPPgnK6!%Ee^Gb2~dfVN;uIxKltm0l>r|H38T)oD4A1fJ%_uBYO@jmib-=
z$m{|#>45r)h^78P#8T>W$s~+KQlOts-4M5vz^KVN9x-W6wS+8HdUAqW!tb&eCPM+l
zQnm~sO(lEbR3(y^CwnxZgbH*e#xy~oz=<C&V!4O#*lL6-IxVB55E&V1<PR_L;3YIx
zY%M|qT_P(fyYfTlherrSta+XeEGGvRhhSS0V^n3?R)h)1j2KAXs<Iq{Fz1-C;ejB$
ziI^SV6o970@Zg7p2-gI!=7tEkY!yNowIZb?>nY-j_$;T;;9!0rpRG<X#qy4FfOBY}
zcn%pLnT>{?kx`O$pU;{T#t-L;1fd~9wkDx2miSw9kBG&zhwBKV0CFrQ58!z^DHg*(
z`;ONcm**De&EH=>Wux@_q*DY#^LD0ni;ejY?bN{DM^z5nzpvMBs@67d>=->>DsFPO
z<wQo3-Q#u7A}`w5RF|#O>+EbhRdvOy&n12K^7}PGx=&^5X6q|G>#N<;akDkLDK$D}
z$MfA)W14<k;+mW4%l-Id+WZ$Rh0S$lS!#~^&qV5MYj2+Q{mU|uynFq@yJ<6CRXQ$z
zW3g%Gv%P5*k5}_|USmvqXTC>8?|wpXN$XyL%VZDX?e~6HmPIXJkUeGeUeTtUx~s)S
zvo=KkB9pB*+v!%UoX#&vvrjK5YZgrL*}gDdKBa9OUR}NXM3=&iinz3GYT0FK;7Qtq
zkR`X7H)7&R5DT!pSaJ*zOWr_?g__jT!I^|gv~udA{u9{|hvv?YJlWEb=cHn}H~1={
zg>I0;RdD5&=BJbH*pd}*6nVs5+elncD)7-DVmi?EQFu%<5%W6sTLTiy42s}J@&%j$
zlrS6y6S3-{enLZ`h#M#f2{aO}SQEkxULzC;(X@=!fY<optHne9<wcd1p`y^JuPam$
za#so?zHuIcls|v<mpBzWI!MI(hFoI?stE~P8R{np=6_WkA&2@bk74~dP9{-u#X8c(
z(Hy7gQ!xrfij4jFk3`s_+sEP-gc)Iy%g!}UFhrm?#n_nVA7&KD4;7)84t3gi=naG~
zppyf7{fv0w!Ng4TJPUUwoCpi5^mhqvSVCVgh7psAi9@ZBFcnQysSwus<r{A7<l#xs
zsMNq11_Tr$V(1wR!v#bjp*K_}umtr%!QhyPB7`GkBc}d&A1Q%7)B!Gnk&!okvlF5L
zjM7rVNd$TmDO5Vt6OKJxL&8aTOgA3W3EDv<DE+ne{Me*bKZ!B_OYFD4|4(86%>nGM
z_=ni9H-P=5k=U;mHH7^>(0C#HIfVV`89JFq($=|JF5F2koY$zHy35~u$C!KZ@Ge1d
zrPW1%0N#yoA&mn&wgk(+7}IO<TuG-`<agebr}?btV)Mj|AGUin+P_tK25;Fp(My0&
zeHT-bVikVoiK&^c;_B{OtoUWI8d3(WGNWCfLzNhD@%7^MJ;_d4%gQ=K`WI|>U0~in
z{ip9P6*u=U&D|_7Zg@(~K*O$tGl}KTSzQ?9cHT%Z<HLIJG-=+i>FFQ0hdGj7b*0{W
zGfAlzwwqwOb58D$>;zo)AeUv|F}vPE?oFMo$D_HVNNzQMR_k!sgr)_;CI<5EU)$Fm
z@W{Zx>egI`+lMDx;jK|;pI!2w-TepGIaTg>cT-PF+UfVc8J^`LeU_=<O?KfJwY&ol
zdAD`c+dPH)FTXbb)U-A}K2m?&IJHtG*=Oglj-zRJauZ%Nd?r;SNd=W0%)&Kxk9$zF
zR(p3$=Ytg<D<)F?NQZ?g{l$5fB%7!yh2AT(A}SZra#eRw))xBaq_~`pag@HKcHY;^
zM5c*;vn9c8kz%k{rn6{^UG@=1-!w|F8?|(SFIKum@UAv?e%#c4(bAxKOvZ-E8~qb?
zU&tN2J|~%H6ZKeKx~Ao>QGb1c;sV;y3zju2nrGh^d1FuSPw#oXb+0RT!Smx9?*X1d
z#Nyi^Rtg6VGR5T+Q|I@(46VF<x0SDOg<oim;C|B{{tE_~MT~(jJT%Cvf0}UD;7~tq
zFl%0Ds0bS70h?^WW)tRY4#&jQ4B6!2#s9cZ@K+}GV$wa{tU6|MqHm*$P0FUz7ZO!1
z@)<pByM4~{?Z-XJk=j#9)|p<mrzM`mv)dPc_U*)X9SPb`dS=acxLWME>5hpiCKsDJ
zujZO*{-yocV@|I9(XopgOnP%K?<xuku4&8?ChI9g-aKPx#c8ZwJh4?Op<dcLzUPRb
z`|yf=i;jk0Uy>MbjP_jg(a_V$Z}ZfY_?e?JpN{GEAWAmVI7@weuGB@aroSn87-9I-
zaKrlNcR#I<*gxBz6!-nFvff6yMV)3zlbauUdk60@DC~aL7v-wAX6+H}=EJX6DUxe?
z&Usd^$u9FR>ek?u&PuT)^|USYy?R8~o8fzv_{8#53vRkRXksyY2z55YEa*24>~ITA
ze&%7e;NHyAfVRAP4UNm0r>5TX8fk5?guk*jipW|hA>%|NsPF*2YQl5~yCLRJB=m^!
zLuH8h%t0&<<q5+^c!q?d*lt-9R)j^aS+2=v*bfgj8F8!e&`cFiR5VYW90qLHRI%+c
zCrk+r6^CXF{FT}IjQwr6*uzJDKf?Z7u#ECx`pWOe&z!76*gw5`IQHXt$nVF~#eP4Y
zt}p>%|5dq>*gvLW0Q;HXjcw9M>>qNJ2h8Y5=X(GliS|UVsd2PkqovEwt*^fIz~IFN
z(qrGPku6<K3(C{lCVLq=|E@XNPGL!BQ{9ESCZK!v_q<DFjTd`o??}^--Z}3>5wmaX
zBy5{1U1-`BsOZ(Ief}m<8J%VK@s8rAn^T#t@xLhB&S7NOt$RP}(A?mUhrS~YrS9Jr
zYUKRH;<V<*GL^;SPI3Z|ZqJ+HZfC8iX3(1>-=Ex%>CiiIiqy+M3_E)~Ch*Oqo5y>4
z6KwN+gmE8US_zBPI?3jdxs!t4cfGT&Y26~E7a8qr4$`i^RkWf<W2xuQ@()+nMKG@X
zO}9MWQ?5Sdo*a|75tv_lm#!EkWluRNzuD8t(fakr_Q;QL`GVD|0PG2LD<8oLUqi=0
zZY)*>|6Zp`i`^jt&bwIbEIjoS5wrIIbSA&`Dlp}t%VR}Yu}wK_wi&_pCWOQ)!X3H}
z6n!}|Nu2_4<;b<`4n;m}m)C4!jobBcg?fm^`<8Fl_Vv;!8hq74?x>+t9Jrt{AyA{=
z7-OX}x4Jhk_qf03_`1pmuIA6%6mazj<3?@6GQYLtMFAhCjys4Ir|0LjWtBcjPAh2K
za`XnHv(@7lj#tr}x{z9{<l8+<iSF3(k7Qj%nst2)H`|Vt%zU*C_O;Kn9Cys&^l<A-
zAHKi;qtcnZ89g@2lxp`4ya@-7+fxqaEtFY)UC}3HnVR+L?K*)y8L#s1_MJB)oQfI(
zte2!$P>K=*Pffk(R=Idw3a#+B!*0O+V1?DZSI1IIEnj-~)uvq14yLSm(Zb`+n^U;1
zV}`@h%AZ{Gy#m~Sk6IT;E;(?lQEAOFFh3PH3e(;0&zwmdII+L(#~V>zRli+-zxij^
z_zMdko6*r2&td?~9nwe+__8b3yC*y{H8VHgwKa=&wNR$d=W&qK3)KhG4Hio)chzhP
z+U-XOom@XOzP*-pcS1_!rouJn8+q=HYMHcf_t5D$^ebL3h+pN@s-&0XuCeNj-J<Es
zPfW;qVrRIk;@p%aw!MmNshQE1G51rAWEN=Uv}hd8T(7#aYm2^K3DxoBnU^mb!c2(3
zBPOTrDEunic&gOoDy?B!vOqVg!nuGky(GNusQqP67lu=M!QmOk`Ub}{S`E|VbT?cw
z?TFZsXzO1nIF2_vZks)APUv(WCijN+*tOPoNnyQ=G+L=}&h7KrGLQ9%0*<q`k;~d_
z*<*|e7K@j#{oG2V3beZq>UfYn+U8KBw_db(a@Jh*-08#kF3bGi4ql4b_Th-Hyv`Ms
zYWo2BPHmr<2L&%PQuY-kWgS&EXgD#mpxHBx{J`EZ|3F`2tsi0&a5*uOA)G_LE{=X+
zLU^Zq>SaYe<O)z8OoMp$nOmb&E#HT@qQx{ZR}?ZDaafcR08INShyEb$=)xz<F>)qw
z1`@tQ!gomc4hi2O;XD2}`3{8r|DFw~u0S@R?fE~p0lUREKu^MZNO%tk?}7N0f8$$-
zg!ho}9{)k!W5@>d400T39newyvf=?Oqdb_tS_j}4Go_IYFofT-(KmMSIsh+3>i~Su
z=XF39v;h+SL&ARyV^}2ohlKz5uk#-W@4obX5$+-G1LcvpH!RL$fdBY3%3H#J{0pC#
zB=H`Scn?Xu$A~x-Nxa8@J>Fx;_Z`lG|8q6~@gJW?wM+O9N!*7d?&Cij3o7A1B>cz!
z4FB<Y9U$gEK8-Sx@E?-+k3S=qCGj7U_>cb|@gGC{2SdCsW+46pGksn077`yQ4<^I_
z<0JM~JzTyH@xIk^i1S4;Zv%Unen#<b;MCw=p;I}F2lfh;jod5r!-SW0I!<t}&>A@f
zal9Mc<C2Wxol#_p3q0rOfM4dEk@tG?`kGc{edw-s?I)AFicVkcp+D7Z;?ijW`Fhy2
zOZWxHhVz>*9pRP8=BsMZ-#Y7L{4w|b=Cr7J&o*Gnuqq5g6;2%LgsOw<z8!Dh`rpoR
zKD#TcH#wRvW&8tkd2^S-hoG!BOdja~aY3oWbYZxnu_6qXQ65Z#y7+7ZFz*vE3fp?r
z9M{3vzkyg7%mwKJGq-V^7Um2vbA?Ih`{#AR$k;y}Cm8!z5DjDh=5P5k_OBP|1BqS<
z+k#6BO%^DJn|hALHqLpKmAxdX`TU6~tVer1OLZ(V8#QNC|GcZsI@R4qXMLjaa+S9c
zjKdvTF7Gn06u;|wNKZUlXX0d%P2I|#X>O?MozVH4hI9V4V29$<cXwUi%Stxc$XV5u
zcAwc&zx4Y%(&Mir>u+t>dV0sXQJ-J)puNP?MQ9&Zt|{{-tEt2!RoLL=!K~d(Od$As
zx-Q23+PB*_`wUNIPiM5b1@oQxxx8Z4vh=xb>uq~5yB<+Vb{EI#K!b0pDbFlp*m!JA
vxO?MM!hw*>l%;l-cG$FyCLeq@UD8rG=Tf@I*)u4a`CQ(9AIEkY8i&6F+JxY%

literal 0
HcmV?d00001

diff --git a/tests/results/gtpu-dns.pcapng.fuzzed b/tests/results/gtpu-dns.pcapng.fuzzed
new file mode 100644
index 0000000000000000000000000000000000000000..47141bf3322a7a0d8ccad8deeb4051116a025573
GIT binary patch
literal 19623
zcmeI)KQ9Ae9Ki8kwc--0Dm5VSXJBfYM%*NX;Uw}HYF46YrDxDIw5bt^L}D;VOd=5j
z8?i_%J?UWRsEfhoE!c3LhZ@8?knfW`Pjb(5xhMB|0pCXL=B!0R@-uv2B%mMC{Z_he
zMdV4z*VJ3?%vIOI#`3*wiL<5Zu{V+FXnl9&sI7PQaWrPRmaA?>#(Z@VNqr2R_J}y5
z&ev+@y%op199Zv;SM!ZMvDM+Voha*j%vE{>@>a#olr}TPVz97UGW*Sw?{iiJ5I_I{
z1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009IL
zKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R;Yuz>*Gq4IhXc>;ExRk6)oL
z+3!0MnTkGCP2|hOzD(##bfYWjOKyDfdEODp&Asa-y7*!OUncY=w$6N|Uhfj+oo$`+
qYB8Vv8~Lh8!0V7!)A|aRr9G6@4X|J~SMWN$cryVuA)&#rN`3;1BvO0;

literal 0
HcmV?d00001

diff --git a/tests/results/gtpu-tls.pcapng.fuzzed b/tests/results/gtpu-tls.pcapng.fuzzed
new file mode 100644
index 0000000000000000000000000000000000000000..d748e649126a4e996ad2f9a4c59c05320ef714f6
GIT binary patch
literal 74101
zcmeI&2~-o;{s-_onMnvCtU*?n0D>FB4Lc&Ti7Zv5vZx5!fNUB;Nf6wsK|zZPJaD5G
zjRHjlt61w&MDZzF6*q8c)rz<RKB<aORFMBnkSfam^#9)Z_x#`azu%lQCnhtQx%te@
z_x`xot0(twXCVspEL~j)5%ik^%cT)j;T+`Af|TpK?Iit5%8_KN9DTv&BJa4C5wo2T
z>e9Y)l-Haf<Tbyx<;HR2TJ#aZT`ej)**iPDQHx4`kUMhcU}v6jg;f9A+UoqfM7ihU
zqIt|w6|Al<BYJ-p#Xdl>xI9AL$&~q=AW1Is3JVB;00@8p2!H?xfB*=900@8p2!H?x
zfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=9
z00@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p
z2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?x
zfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=9
z00@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p
z2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?xfB*=900@8p2!H?x
zfB*=900@8p2!H?xfB*=900@8p2!H?x{D%k>ST2n?vsneD(7%^i-z_BlO3D#`s~jOV
z7kS4a@jicqT(kpAc+IbEdCdtzZX7obO+W~DA=k5mEpogOaz)4;*>Y~K(Z9B~nrB=g
zCCc;fKCIVO^ITk%q|lisj1(foqS&bvi_43te&kE2JDCzBse+ki?2A@Kg9)TudpAQu
zH{%OsGYE~@bSt~GFJESwz%)hKjMvI$H0fmT?4X;`lpo@b+&R{nOcR)<<liOAnI_Op
z;V&~FCI{3bL=apaefnukGxSIT?W50JN|Gk-xyfbzmZP(WZ`ju|I6_qQx7#IF;oIh{
zwrs0x)ePB#Q2)vim6p}JDy=JV_0CGwN?xU)QWtGO`N$gC(+7#|A`tz8kO9&|NFbgY
zZzYb3N=}Iu%i^MwtfCU<AbonP8NI3_Eu=w_z7)YG*#w8=5G(?*5nK6ndYc+j<;KZm
zbFD>IBKi%z5%CZganJzz5C)9dpaLGc#YW1NIVZh*a_QJrW#^bn=Xd7AOUEu_%-Gwz
zFCBZkmbp8!<D4Qtx^#Tc#orEDriGpu(fc!IG1ZT?7&kqVM8PbC0!i{lapCot3qmCK
z(Y@GKHsng#WQ{@cymWC(%Ui;=akO|8s>BEl?Quc$PoYReu#^UL<3IYP^pVxRRzqqV
zky<X|yv1pp*Eo%RPeHN>7E6nFFnh_04Vd7p$q$t0G}d8tj_U9X-;CeY2||sH@N|(H
zR^^Z(6i2`c2@>_g0_F`*z#khQ8}AjJBoq22M2QTsKJ&4fKr1CB#cC$KDT?02TpZB=
zY|LyT1-d@biNQ(9Qkig4kcZIALui9VPI#ccy2u&Z+Sp^|5~i<igRz5+t%!cXI1J0z
z_1OTffFBs0kRV+knJ-R=7mM_;E^`(YfqIZkEQ=O;B}ydGvC$$UY|!0aZ4dgUncRKT
zSTb$4>iLeEK;17`IB{-tl2{g>m>?DP$41>P?(1g5X@u#AMg$v?X@n-CKj*R12m(D{
z_jvuu&kqy?Z?7EnrD|*De$4NGag)o_(GK4}=frm0sP<U<^*z(Z8dHac7ySmStQg+r
zG?bs|c5~64l;fjE*HkRBXlZ%2zxq^2=eXQ}SyyZ0%x|mJ2aFKh>8xAz;(YV6#_VNT
z>+Wu@9@zN(G#^EFg!s*^vBCF+TFdM0^9((=A4)M>{k&<y*AFXXntu0+FXw#r=$z-Q
zCyq<U-`SdT`sV!T4QKdce{=Xo&*Ex^<Z$!W_;JGnr59TxPt8c36}n|qzpb*R`Sn!?
zN+&E?_Osd+ivX_+X&PofX9gS$t!RoL6~1<Ix@Oih6RM_W*1nfoXHT!lS#7wb!Vulc
z8ImyVqQO~tI*WeziGnmzj?>5`cn~c)z>G4$ddqaPr*!SxlDzZt;FPkbFABW$oVH4;
z@Bn594N8yFecE(;*rhR~&e_ty6=%N0#{@;;##sJ>*{)5=o3Q+GT3;6=%^)sWoDv;x
zql|@-ALK%sQDUTYq*Nx3jZcWRlFnX`AeJnU#!H#oGR>IY7M(P|`;vdWQEyJ7EHU-d
z1L{e|bEL_Ad`_p*%;@<a2UA+VI9XI5?HZ^&OhW9O#K?F_^e2bI8q9CjB#17GB3W!j
zw~;x;+~eF49D>bOA&Ec!#lmBl-3L*Q*dE&|L<;MSkxa;qvbK(zIoB#SI#I?vbj**o
z?s)>~2hhuddHk%Rk|cOM^L-)ZjlHlVNA-&gUm~MZLJ)X39@=vj7NOUlIjEFA>c>yG
zwO3#e=5jc(ay}g>IJxIL1VP2)SZvYr9upZx?;1v56IrsfSKF}bAN#Q~L_I%1%*06V
z9sB$dGG#^$5Kt`4Jc(=$k9MMn>kC*Ei;}ld@)q=*?vKlVsXIC-bKVb3)GsRHp__DC
zGV8nL)2KgHc3v6vr+Y>HK4sJ^-bKAa%R(9Ttlm*?nA#Kd;dI~hVbtfYH`}y3XOWN7
z<PE%%NexEX8)rJK8+aw1-YfpVIp^buiF02(j%9+@t&(WoAK2k|S73HP7J1Yzs{ftR
z<4r@?f4erM!Tle4cj#R<3=N5=Tz``v&T>vVbj!}(TxWjU1!4M(G-DOZX0?9f(0sHq
z`S|0hi`&<D<;|#QN$3h)>l5nG<^RJMCk`}qO;;?}>^||RTIGp-us2IM(`J52obOSq
z_|IM~Mz=F3{gRveX6;;0)}xo%SDp+LbkOI`u-h<E@x3U6QZE(@-CqRUbJTcJKPK?T
z=d2WQP4tB34?~jfNa&CxP{GwR+uCAoSXw$?_}t^-uHnv9bLx>hCuRn;y%u|CYwT@n
zY|qL$*c!1us8TjUXczxvOUXdPf*seRE}9uV3zBX>`PkuY<HGdxlo2K-hUEhFJ3kUH
z_T*erWIX1F4?CTy5_h;bk22nDa;<iu>1KJ$wb_BQhjJoWyQF$u2MU~6qf<wfgw4rI
zJ~xG{&|k-1SQ3$+HSVC?Q}u-5(TEURwMO3gry0IebR;30yk)E0w(RD2j%7=HIpv`d
zMER=t-|EtWSGab`rpHY(;4c~e<;<1l_ce-tnz$xvbm~nb)!L_*t-9`I=!A0j9CNCj
z-4t+D7Dn8@>fiqOtF1ob(7St$TM?Co)2P*SGD_cdzwB{u4a|P8Uq7H=+eO_|V(CX}
zSlnmt_fK@cLOhUuyy@;&|BnvaN0JyRmIx;$Cd%k;SlI(RibU8!WMgA%XV3J&AHMy|
zD}X=iP>*L`iJDMv(6ln5L2q={(u2oV>N^(l+eL2Myo23MZse<cbB;9gulVL^IxEU;
zTl$fI4E^mzhUu;L3Bev!2RxTvvehRv(y}Mjp0O)Dv7NYSqj29dXzByo4#mlhrE!wl
zhCJyS3$2v%huoZP8fvBvZC1&+r|Od4zB|5c*X(Um_9Xo@ZDq`N+`F<jBZIsmm%C=A
zkJsLGdtgT(KD?Z3Gd(=~RDH70|4GsH<dL^WE?Io{^4rD9+XLKLE580kJ<Li`+G3wM
zyy<#am}H%0N!y*yR3D243wN6~?Rqp%hpcV?F{oz2mWr9BZN^dM6SACG?awAhRP8no
z<408Cx56MpN#n_P9V+2Y2ixcm`pZ7M(+~Sw@=l<A=#}y1G0zI_85^J6wBPkgNbkOd
z$oR9qMThAd1WZ@N#T@#Du9>l2Pg2tfKNMTw!9DNkgg1DX+=)@rxxMN@?AhH*xnO7P
zsIXVqz7P2%iEXc4t$Xg&?i-c4PrW>pJ(X*BPvwB^unmWzJ1z8Qom5ZKS5pWv>wlN@
z)WNc9Ch7faK1_OQ2b1(vPIuB%Ia))Qq_5KGo%91AD3jg*JsFePJL!9hU}YECyRcT~
zA%4Cx#B~L?!)p4h9~akLxMq3(80%)lS1C_lHilN_JR2S|();)R!`-x|wKUcrt8YZ+
zM}99jK^ouR8n7<MSarjsSEUA>gN6~S^?6dem$5n_&8A1s<8#aM+}>Q$S$f{pz$g7@
z-7ypS>)jT$YVZ79@@D53cxU$Z)rnT#w;T`l|FS}Fs!5qm?4Gp+pZU4D=ongd<ZE`V
z=_1T{EfibjVJtx$*(;BIGVJ``_Ku7(h2hc_uO2!}OAT8{hZM!IxYn1yxzskVlJZKe
zHZ;YV)?6r^-EKTR=<k}>=hr9mPyNljGCfG+p8Sf20X`dBSa+GHld9s*F4J5d<mKt|
z_|5Z_H}sz-M4cWYZqX&<4f^)3<q=4cMpV=P{E4I5UFu-^E=wbh&>#JP<y&{qg<@Yf
zzJVrP&NyRdk)4f5WRFE*Sc>OiKe{YnkI*1lMr=gsrYu~vGv)eo&Hjx-lZ|g?8znfl
zKJEKxpZ;0241ID2g?7(JHuN7WwwO6-AJ<q=;amUY;WvJ*HW5CWvGb!REsd$#%|BcB
zU`FIZa!SlASCeAmKyG2dv%K<KYjTPjR_!^<Z)pzv*(Rj)Nqs_{^O}q8({Wqc;2Y{b
zvi|j*eBUuI<`@(jE^)8BGr)7*M4NW;z4Gg=SHBk=+Pc1dv@W~GZ%NdU;=S(d;)2O)
zvwqSE&zfQAGJmaEZ2S60g_k>z+GDTM2Qe<wa!<2MSH|vlJ??vMs!0~N<kwxk$glXc
z^Q1@LWtTfW4C}1RI$<hdFS!3SDr(Zil0`2*^O%0_2cN=_7{A|B7p))<@A$4ku;4os
zoK0EHHD5c^U_9QjZ+rdsXH!F}fBmU-`QLrgk4?U5&ttCf1U@4CNTlyU%{b+<dB_br
zdk2S&U*&PDO4K^TZ^o(I*T1Ivz;XJyjkQbTHb-Kqm(Qz)f1Js?JR~b+X~}}44N-m#
zhMTxaeu@4RT}3<&O`qr0EU?J*GoE+IZHoV_eM9nYxsBX-`o~ez#&qaB%igriNq#lk
zN-cCi{!`;!n-=TOdAVwY#bJ(T*`bH`AI!DIvAb>eU()(T`sMy|+bZsZv1{VZQ%`#r
z@%;}c)$egX88nXXm0PsyGwTtSd)GIQ%w1u=<b+-Fx|L&Qmc;L+nmktrjGdV1A8sH%
zYdUD5%VpNw4t@@|TsraM(Jg8>N8lnGZ&Ryr3%96$#~<Q2b($#B_pnNlX<M;bAQ|{<
zB4^oG#~p7Sagg2hdNuf^Q{k`0Cz4mc+8v>3c1o|tJw~&|G+chI=;8XTZKaucdvq-y
z>>FRy6qG|=bN4LV(YdlNk{KzWH0U5>vMqSI8oEbUu*}*!+ujfIu&ZlMGlM+O?sgCI
zB=lnjdDw>$vg=~+e2p)e)8DKl$j!(bv7wrUY8I;5e|<a)s#&OJ|I%vKCPNKfqbpfv
zeYd<Dw|JlU)bUNKOyZBEXBU`Z{qDr4N|?l_zImVcd354axjj{F&+vZtECW=vP}M?J
z`~SVFeev&E)-oa2cUk*>3YA?wYa2puwZpg{hTNxR?WXRs_J4Ig4yNOJ&j-SE98AY`
zPsYP^98AY0{R`7^|Fgtr1~T4iKZk(~n3jWSxxe;5=D<J(3}pNt4P?Bp@w*2y-fCO@
YQv(?=JqOcsVK6=SA2mJqZ#a<gUlLH*X8-^I

literal 0
HcmV?d00001