eve/stream: log tcp reuse flag in packets

2 years ago · ee76b27535
parent 2bb1e5a38a
commit ee76b27535
3 changed files with 5 additions and 0 deletions
--- a/src/flow-hash.c
+++ b/src/flow-hash.c
@ -720,6 +720,8 @@ static Flow *TcpReuseReplace(ThreadVars *tv, FlowLookupStruct *fls, FlowBucket *

    f->thread_id[0] = thread_id[0];
    f->thread_id[1] = thread_id[1];
+
+    STREAM_PKT_FLAG_SET(p, STREAM_PKT_FLAG_TCP_PORT_REUSE);
    return f;
 }

--- a/src/output-eve-stream.c
+++ b/src/output-eve-stream.c
@ -348,6 +348,8 @@ static int EveStreamLogger(ThreadVars *tv, void *thread_data, const Packet *p)
            jb_append_string(js, "dsack");
        if (p->tcpvars.stream_pkt_flags & STREAM_PKT_FLAG_ACK_UNSEEN_DATA)
            jb_append_string(js, "ack_unseen_data");
+        if (p->tcpvars.stream_pkt_flags & STREAM_PKT_FLAG_TCP_PORT_REUSE)
+            jb_append_string(js, "tcp_port_reuse");
        jb_close(js);
    }
    jb_close(js);
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@ -309,6 +309,7 @@ typedef struct TcpSession_ {
 #define STREAM_PKT_FLAG_DUP_ACK                 BIT_U16(7)
 #define STREAM_PKT_FLAG_DSACK                   BIT_U16(8)
 #define STREAM_PKT_FLAG_ACK_UNSEEN_DATA         BIT_U16(9)
+#define STREAM_PKT_FLAG_TCP_PORT_REUSE          BIT_U16(10)

 #define STREAM_PKT_FLAG_SET(p, f) (p)->tcpvars.stream_pkt_flags |= (f)