netflow: log ttl fields

Netflow entry collects the minimum and maximum time to live during the life of the incoming flow. This adds those field to a netflow event. Signed-off-by: Eric Leblond <eric@regit.org>
9 years ago · 2e5422df8e
parent 9556d4fef3
commit 2e5422df8e
4 changed files with 35 additions and 0 deletions
--- a/src/flow-util.c
+++ b/src/flow-util.c
@ -137,10 +137,12 @@ void FlowInit(Flow *f, const Packet *p)
    if (PKT_IS_IPV4(p)) {
        FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, &f->src);
        FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, &f->dst);
+        FLOW_SET_IPV4_TTL_FROM_PACKET(p, f);
        f->flags |= FLOW_IPV4;
    } else if (PKT_IS_IPV6(p)) {
        FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, &f->src);
        FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, &f->dst);
+        FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f);
        f->flags |= FLOW_IPV6;
    }
 #ifdef DEBUG
--- a/src/flow.c
+++ b/src/flow.c
@ -344,6 +344,24 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
        SCLogDebug("setting FLOW_NOPAYLOAD_INSPECTION flag on flow %p", f);
        DecodeSetNoPayloadInspectionFlag(p);
    }
+
+
+    /* update flow's ttl fields if needed */
+    if (PKT_IS_IPV4(p)) {
+        uint8_t ttl = IPV4_GET_IPTTL(p);
+        if (ttl < f->min_ttl) {
+            f->min_ttl = ttl;
+        } else if (ttl > f->max_ttl) {
+            f->max_ttl = ttl;
+        }
+    } else if (PKT_IS_IPV6(p)) {
+        uint8_t ttl = IPV6_GET_HLIM(p);
+        if (ttl < f->min_ttl) {
+            f->min_ttl = ttl;
+        } else if (ttl > f->max_ttl) {
+            f->max_ttl = ttl;
+        }
+    }
 }

 /** \brief Entry point for packet flow handling
--- a/src/flow.h
+++ b/src/flow.h
@ -183,6 +183,16 @@ typedef struct AppLayerParserState_ AppLayerParserState;
        (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3];  \
    } while (0)

+#define FLOW_SET_IPV4_TTL_FROM_PACKET(p, f) do {    \
+        (f)->min_ttl = IPV4_GET_IPTTL((p));         \
+        (f)->max_ttl = IPV4_GET_IPTTL((p));         \
+    } while (0)
+
+#define FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f) do {   \
+        (f)->min_ttl = IPV6_GET_HLIM((p));          \
+        (f)->max_ttl = IPV6_GET_HLIM((p));          \
+    } while (0)
+
 /* pkt flow flags */
 #define FLOW_PKT_TOSERVER               0x01
 #define FLOW_PKT_TOCLIENT               0x02
@ -330,6 +340,8 @@ typedef struct Flow_
    };
    uint8_t proto;
    uint8_t recursion_level;
+    uint8_t min_ttl;
+    uint8_t max_ttl;
    uint16_t vlan_id[2];

    /** flow hash - the flow hash before hash table size mod. */
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@ -214,6 +214,9 @@ static void JsonNetFlowLogJSONToServer(JsonNetFlowLogThread *aft, json_t *js, Fl
    json_object_set_new(hjs, "age",
            json_integer(age));

+    json_object_set_new(hjs, "min_ttl", json_integer(f->min_ttl));
+    json_object_set_new(hjs, "max_ttl", json_integer(f->max_ttl));
+
    json_object_set_new(js, "netflow", hjs);

    /* TCP */