|
|
|
|
@ -339,23 +339,24 @@ static inline int FlowUpdateSeenFlag(const Packet *p)
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void FlowUpdateTTL(Flow *f, Packet *p, uint8_t ttl)
|
|
|
|
|
static inline void FlowUpdateTtlTS(Flow *f, Packet *p, uint8_t ttl)
|
|
|
|
|
{
|
|
|
|
|
if (FlowGetPacketDirection(f, p) == TOSERVER) {
|
|
|
|
|
if (f->min_ttl_toserver == 0) {
|
|
|
|
|
f->min_ttl_toserver = ttl;
|
|
|
|
|
} else {
|
|
|
|
|
f->min_ttl_toserver = MIN(f->min_ttl_toserver, ttl);
|
|
|
|
|
}
|
|
|
|
|
f->max_ttl_toserver = MAX(f->max_ttl_toserver, ttl);
|
|
|
|
|
if (f->min_ttl_toserver == 0) {
|
|
|
|
|
f->min_ttl_toserver = ttl;
|
|
|
|
|
} else {
|
|
|
|
|
if (f->min_ttl_toclient == 0) {
|
|
|
|
|
f->min_ttl_toclient = ttl;
|
|
|
|
|
} else {
|
|
|
|
|
f->min_ttl_toclient = MIN(f->min_ttl_toclient, ttl);
|
|
|
|
|
}
|
|
|
|
|
f->max_ttl_toclient = MAX(f->max_ttl_toclient, ttl);
|
|
|
|
|
f->min_ttl_toserver = MIN(f->min_ttl_toserver, ttl);
|
|
|
|
|
}
|
|
|
|
|
f->max_ttl_toserver = MAX(f->max_ttl_toserver, ttl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void FlowUpdateTtlTC(Flow *f, Packet *p, uint8_t ttl)
|
|
|
|
|
{
|
|
|
|
|
if (f->min_ttl_toclient == 0) {
|
|
|
|
|
f->min_ttl_toclient = ttl;
|
|
|
|
|
} else {
|
|
|
|
|
f->min_ttl_toclient = MIN(f->min_ttl_toclient, ttl);
|
|
|
|
|
}
|
|
|
|
|
f->max_ttl_toclient = MAX(f->max_ttl_toclient, ttl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void FlowUpdateEthernet(ThreadVars *tv, DecodeThreadVars *dtv,
|
|
|
|
|
@ -390,6 +391,7 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
|
|
|
|
|
{
|
|
|
|
|
SCLogDebug("packet %"PRIu64" -- flow %p", p->pcap_cnt, f);
|
|
|
|
|
|
|
|
|
|
const int pkt_dir = FlowGetPacketDirection(f, p);
|
|
|
|
|
#ifdef CAPTURE_OFFLOAD
|
|
|
|
|
int state = f->flow_state;
|
|
|
|
|
|
|
|
|
|
@ -420,7 +422,7 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
/* update flags and counters */
|
|
|
|
|
if (FlowGetPacketDirection(f, p) == TOSERVER) {
|
|
|
|
|
if (pkt_dir == TOSERVER) {
|
|
|
|
|
f->todstpktcnt++;
|
|
|
|
|
f->todstbytecnt += GET_PKT_LEN(p);
|
|
|
|
|
p->flowflags = FLOW_PKT_TOSERVER;
|
|
|
|
|
@ -436,6 +438,12 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
|
|
|
|
|
p->flags |= PKT_PROTO_DETECT_TS_DONE;
|
|
|
|
|
}
|
|
|
|
|
FlowUpdateEthernet(tv, dtv, f, p->ethh, true);
|
|
|
|
|
/* update flow's ttl fields if needed */
|
|
|
|
|
if (PKT_IS_IPV4(p)) {
|
|
|
|
|
FlowUpdateTtlTS(f, p, IPV4_GET_IPTTL(p));
|
|
|
|
|
} else if (PKT_IS_IPV6(p)) {
|
|
|
|
|
FlowUpdateTtlTS(f, p, IPV6_GET_HLIM(p));
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
f->tosrcpktcnt++;
|
|
|
|
|
f->tosrcbytecnt += GET_PKT_LEN(p);
|
|
|
|
|
@ -452,6 +460,12 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
|
|
|
|
|
p->flags |= PKT_PROTO_DETECT_TC_DONE;
|
|
|
|
|
}
|
|
|
|
|
FlowUpdateEthernet(tv, dtv, f, p->ethh, false);
|
|
|
|
|
/* update flow's ttl fields if needed */
|
|
|
|
|
if (PKT_IS_IPV4(p)) {
|
|
|
|
|
FlowUpdateTtlTC(f, p, IPV4_GET_IPTTL(p));
|
|
|
|
|
} else if (PKT_IS_IPV6(p)) {
|
|
|
|
|
FlowUpdateTtlTC(f, p, IPV6_GET_HLIM(p));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (f->flow_state == FLOW_STATE_ESTABLISHED) {
|
|
|
|
|
@ -480,13 +494,6 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
|
|
|
|
|
SCLogDebug("setting FLOW_NOPAYLOAD_INSPECTION flag on flow %p", f);
|
|
|
|
|
DecodeSetNoPayloadInspectionFlag(p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* update flow's ttl fields if needed */
|
|
|
|
|
if (PKT_IS_IPV4(p)) {
|
|
|
|
|
FlowUpdateTTL(f, p, IPV4_GET_IPTTL(p));
|
|
|
|
|
} else if (PKT_IS_IPV6(p)) {
|
|
|
|
|
FlowUpdateTTL(f, p, IPV6_GET_HLIM(p));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \brief Entry point for packet flow handling
|
|
|
|
|
|
Victor Julien
7 years ago