NSM: add TTL fields for netflow log

8 years ago · ac18ef01c2
parent 7ac6e0afb3
commit ac18ef01c2
4 changed files with 14 additions and 30 deletions
--- a/src/flow-util.c
+++ b/src/flow-util.c
@ -137,12 +137,12 @@ void FlowInit(Flow *f, const Packet *p)
    if (PKT_IS_IPV4(p)) {
        FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, &f->src);
        FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, &f->dst);
-        FLOW_SET_IPV4_TTL_FROM_PACKET(p, f);
+        f->min_ttl_toserver = f->max_ttl_toserver = IPV4_GET_IPTTL((p));
        f->flags |= FLOW_IPV4;
    } else if (PKT_IS_IPV6(p)) {
        FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, &f->src);
        FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, &f->dst);
-        FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f);
+        f->min_ttl_toserver = f->max_ttl_toserver = IPV6_GET_HLIM((p));
        f->flags |= FLOW_IPV6;
    }
 #ifdef DEBUG
--- a/src/flow.c
+++ b/src/flow.c
@ -269,23 +269,19 @@ static inline int FlowUpdateSeenFlag(const Packet *p)
 static inline void FlowUpdateTTL(Flow *f, Packet *p, uint8_t ttl)
 {
    if (FlowGetPacketDirection(f, p) == TOSERVER) {
-        if (ttl < f->min_ttl_toserver) {
+        if (f->min_ttl_toserver == 0) {
            f->min_ttl_toserver = ttl;
-        } else if (f->min_ttl_toserver == 0) {
+        } else {
-            f->min_ttl_toserver = ttl;
+            f->min_ttl_toserver = MIN(f->min_ttl_toserver, ttl);
        }
        if (ttl > f->max_ttl_toserver) {
            f->max_ttl_toserver = ttl;
        }
        f->max_ttl_toserver = MAX(f->max_ttl_toserver, ttl);
    } else {
-        if (ttl < f->min_ttl_toclient) {
+        if (f->min_ttl_toclient == 0) {
            f->min_ttl_toclient = ttl;
-        } else if (f->min_ttl_toclient == 0) {
+        } else {
-            f->min_ttl_toclient = ttl;
+            f->min_ttl_toclient = MIN(f->min_ttl_toclient, ttl);
        }
        if (ttl > f->max_ttl_toclient) {
            f->max_ttl_toclient = ttl;
        }
        f->max_ttl_toclient = MAX(f->max_ttl_toclient, ttl);
    }
 }
@ -371,11 +367,9 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
    /* update flow's ttl fields if needed */
    if (PKT_IS_IPV4(p)) {
-        uint8_t ttl = IPV4_GET_IPTTL(p);
+        FlowUpdateTTL(f, p, IPV4_GET_IPTTL(p));
        FlowUpdateTTL(f, p, ttl);
    } else if (PKT_IS_IPV6(p)) {
-        uint8_t ttl = IPV6_GET_HLIM(p);
+        FlowUpdateTTL(f, p, IPV6_GET_HLIM(p));
        FlowUpdateTTL(f, p, ttl);
    }
 }
--- a/src/flow.h
+++ b/src/flow.h
@ -183,16 +183,6 @@ typedef struct AppLayerParserState_ AppLayerParserState;
        (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3];  \
    } while (0)
 #define FLOW_SET_IPV4_TTL_FROM_PACKET(p, f) do {    \
        (f)->min_ttl_toserver = IPV4_GET_IPTTL((p));         \
        (f)->max_ttl_toserver = IPV4_GET_IPTTL((p));         \
    } while (0)
 #define FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f) do {   \
        (f)->min_ttl_toserver = IPV6_GET_HLIM((p));          \
        (f)->max_ttl_toserver = IPV6_GET_HLIM((p));          \
    } while (0)
 /* pkt flow flags */
 #define FLOW_PKT_TOSERVER               0x01
 #define FLOW_PKT_TOCLIENT               0x02
@ -340,11 +330,11 @@ typedef struct Flow_
    };
    uint8_t proto;
    uint8_t recursion_level;
    uint16_t vlan_id[2];
    uint8_t min_ttl_toserver;
    uint8_t max_ttl_toserver;
    uint8_t min_ttl_toclient;
    uint8_t max_ttl_toclient;
    uint16_t vlan_id[2];
    /** flow hash - the flow hash before hash table size mod. */
    uint32_t flow_hash;
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@ -267,7 +267,7 @@ static void JsonNetFlowLogJSONToClient(JsonNetFlowLogThread *aft, json_t *js, Fl
            json_integer(age));
    /* To client is zero if we did not see any packet */
-    if (f->max_ttl_toclient) {
+    if (f->tosrcpktcnt) {
        json_object_set_new(hjs, "min_ttl", json_integer(f->min_ttl_toclient));
        json_object_set_new(hjs, "max_ttl", json_integer(f->max_ttl_toclient));
    }