tcp: track TCP packet flags per session

For logging out in flow logging.
11 years ago · fddeca8aae
parent ec7d446f16
commit fddeca8aae
2 changed files with 8 additions and 0 deletions
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@ -210,6 +210,8 @@ typedef struct TcpSession_ {
    uint8_t state;
    uint8_t queue_len;                      /**< length of queue list below */
    int8_t data_first_seen_dir;
+    /** track all the tcp flags we've seen */
+    uint8_t tcp_packet_flags;
    /* coccinelle: TcpSession:flags:STREAMTCP_FLAG */
    uint16_t flags;
    TcpStream server;
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -654,6 +654,7 @@ TcpSession *StreamTcpNewSession (Packet *p, int id)

        ssn->state = TCP_NONE;
        ssn->flags = stream_config.ssn_init_flags;
+        ssn->tcp_packet_flags = p->tcph ? p->tcph->th_flags : 0;
    }

    return ssn;
@ -4197,6 +4198,11 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,

    TcpSession *ssn = (TcpSession *)p->flow->protoctx;

+    /* track TCP flags */
+    if (ssn != NULL) {
+        ssn->tcp_packet_flags |= p->tcph->th_flags;
+    }
+
    /* update counters */
    if ((p->tcph->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {
        SCPerfCounterIncr(stt->counter_tcp_synack, tv->sc_perf_pca);