suricata
flow-timeout.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 #include "decode.h"
27 #include "conf.h"
28 #include "threadvars.h"
29 #include "tm-threads.h"
30 #include "runmodes.h"
31 
32 #include "util-random.h"
33 #include "util-time.h"
34 
35 #include "flow.h"
36 #include "flow-queue.h"
37 #include "flow-hash.h"
38 #include "flow-util.h"
39 #include "flow-var.h"
40 #include "flow-private.h"
41 #include "flow-manager.h"
42 #include "flow-timeout.h"
43 #include "pkt-var.h"
44 #include "host.h"
45 
46 #include "stream-tcp-private.h"
47 #include "stream-tcp-reassemble.h"
48 #include "stream-tcp.h"
49 
50 #include "util-unittest.h"
51 #include "util-unittest-helper.h"
52 #include "util-byte.h"
53 
54 #include "util-debug.h"
55 #include "util-privs.h"
56 
57 #include "detect.h"
58 #include "detect-engine-state.h"
59 #include "stream.h"
60 
61 #include "app-layer-parser.h"
62 #include "app-layer.h"
63 
64 #include "util-profiling.h"
65 
66 /**
67  * \internal
68  * \brief Pseudo packet setup for flow forced reassembly.
69  *
70  * \param direction Direction of the packet. 0 indicates toserver and 1
71  * indicates toclient.
72  * \param f Pointer to the flow.
73  * \param ssn Pointer to the tcp session.
74  * \param dummy Indicates to create a dummy pseudo packet. Not all pseudo
75  * packets need to force reassembly, in which case we just
76  * set dummy ack/seq values.
77  */
78 static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
79  int direction,
80  Flow *f,
81  TcpSession *ssn)
82 {
83  const int orig_dir = direction;
84  p->tenant_id = f->tenant_id;
85  p->datalink = DLT_RAW;
86  p->proto = IPPROTO_TCP;
87  FlowReference(&p->flow, f);
88  p->flags |= PKT_STREAM_EST;
89  p->flags |= PKT_STREAM_EOF;
90  p->flags |= PKT_HAS_FLOW;
92  p->vlan_id[0] = f->vlan_id[0];
93  p->vlan_id[1] = f->vlan_id[1];
94  p->vlan_idx = f->vlan_idx;
95  p->livedev = (struct LiveDevice_ *)f->livedev;
96 
99  }
100  if (f->flags & FLOW_NOPAYLOAD_INSPECTION) {
102  }
103 
104  if (direction == 0)
106  else
109  p->payload = NULL;
110  p->payload_len = 0;
111 
112  /* apply reversed flow logic after setting direction to the packet */
113  direction ^= ((f->flags & FLOW_DIR_REVERSED) != 0);
114 
115  if (FLOW_IS_IPV4(f)) {
116  if (direction == 0) {
119  p->sp = f->sp;
120  p->dp = f->dp;
121  } else {
124  p->sp = f->dp;
125  p->dp = f->sp;
126  }
127 
128  /* Check if we have enough room in direct data. We need ipv4 hdr + tcp hdr.
129  * Force an allocation if it is not the case.
130  */
131  if (GET_PKT_DIRECT_MAX_SIZE(p) < 40) {
132  if (PacketCallocExtPkt(p, 40) == -1) {
133  goto error;
134  }
135  }
136  /* set the ip header */
137  p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
138  /* version 4 and length 20 bytes for the tcp header */
139  p->ip4h->ip_verhl = 0x45;
140  p->ip4h->ip_tos = 0;
141  p->ip4h->ip_len = htons(40);
142  p->ip4h->ip_id = 0;
143  p->ip4h->ip_off = 0;
144  p->ip4h->ip_ttl = 64;
145  p->ip4h->ip_proto = IPPROTO_TCP;
146  //p->ip4h->ip_csum =
147  if (direction == 0) {
148  p->ip4h->s_ip_src.s_addr = f->src.addr_data32[0];
149  p->ip4h->s_ip_dst.s_addr = f->dst.addr_data32[0];
150  } else {
151  p->ip4h->s_ip_src.s_addr = f->dst.addr_data32[0];
152  p->ip4h->s_ip_dst.s_addr = f->src.addr_data32[0];
153  }
154 
155  /* set the tcp header */
156  p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 20);
157 
158  SET_PKT_LEN(p, 40); /* ipv4 hdr + tcp hdr */
159 
160  } else if (FLOW_IS_IPV6(f)) {
161  if (direction == 0) {
164  p->sp = f->sp;
165  p->dp = f->dp;
166  } else {
169  p->sp = f->dp;
170  p->dp = f->sp;
171  }
172 
173  /* Check if we have enough room in direct data. We need ipv6 hdr + tcp hdr.
174  * Force an allocation if it is not the case.
175  */
176  if (GET_PKT_DIRECT_MAX_SIZE(p) < 60) {
177  if (PacketCallocExtPkt(p, 60) == -1) {
178  goto error;
179  }
180  }
181  /* set the ip header */
182  p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
183  /* version 6 */
184  p->ip6h->s_ip6_vfc = 0x60;
185  p->ip6h->s_ip6_flow = 0;
186  p->ip6h->s_ip6_nxt = IPPROTO_TCP;
187  p->ip6h->s_ip6_plen = htons(20);
188  p->ip6h->s_ip6_hlim = 64;
189  if (direction == 0) {
190  p->ip6h->s_ip6_src[0] = f->src.addr_data32[0];
191  p->ip6h->s_ip6_src[1] = f->src.addr_data32[1];
192  p->ip6h->s_ip6_src[2] = f->src.addr_data32[2];
193  p->ip6h->s_ip6_src[3] = f->src.addr_data32[3];
194  p->ip6h->s_ip6_dst[0] = f->dst.addr_data32[0];
195  p->ip6h->s_ip6_dst[1] = f->dst.addr_data32[1];
196  p->ip6h->s_ip6_dst[2] = f->dst.addr_data32[2];
197  p->ip6h->s_ip6_dst[3] = f->dst.addr_data32[3];
198  } else {
199  p->ip6h->s_ip6_src[0] = f->dst.addr_data32[0];
200  p->ip6h->s_ip6_src[1] = f->dst.addr_data32[1];
201  p->ip6h->s_ip6_src[2] = f->dst.addr_data32[2];
202  p->ip6h->s_ip6_src[3] = f->dst.addr_data32[3];
203  p->ip6h->s_ip6_dst[0] = f->src.addr_data32[0];
204  p->ip6h->s_ip6_dst[1] = f->src.addr_data32[1];
205  p->ip6h->s_ip6_dst[2] = f->src.addr_data32[2];
206  p->ip6h->s_ip6_dst[3] = f->src.addr_data32[3];
207  }
208 
209  /* set the tcp header */
210  p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 40);
211 
212  SET_PKT_LEN(p, 60); /* ipv6 hdr + tcp hdr */
213  }
214 
215  p->tcph->th_offx2 = 0x50;
216  p->tcph->th_flags |= TH_ACK;
217  p->tcph->th_win = 10;
218  p->tcph->th_urp = 0;
219 
220  /* to server */
221  if (orig_dir == 0) {
222  p->tcph->th_sport = htons(f->sp);
223  p->tcph->th_dport = htons(f->dp);
224 
225  p->tcph->th_seq = htonl(ssn->client.next_seq);
226  p->tcph->th_ack = htonl(ssn->server.last_ack);
227 
228  /* to client */
229  } else {
230  p->tcph->th_sport = htons(f->dp);
231  p->tcph->th_dport = htons(f->sp);
232 
233  p->tcph->th_seq = htonl(ssn->server.next_seq);
234  p->tcph->th_ack = htonl(ssn->client.last_ack);
235  }
236 
237  if (FLOW_IS_IPV4(f)) {
238  p->tcph->th_sum = TCPChecksum(p->ip4h->s_ip_addrs,
239  (uint16_t *)p->tcph, 20, 0);
240  /* calc ipv4 csum as we may log it and barnyard might reject
241  * a wrong checksum */
242  p->ip4h->ip_csum = IPV4Checksum((uint16_t *)p->ip4h,
243  IPV4_GET_RAW_HLEN(p->ip4h), 0);
244  } else if (FLOW_IS_IPV6(f)) {
245  p->tcph->th_sum = TCPChecksum(p->ip6h->s_ip6_addrs,
246  (uint16_t *)p->tcph, 20, 0);
247  }
248 
249  memset(&p->ts, 0, sizeof(struct timeval));
250  TimeGet(&p->ts);
251 
252  if (direction == 0) {
253  if (f->alparser && !STREAM_HAS_SEEN_DATA(&ssn->client)) {
255  }
256  } else {
257  if (f->alparser && !STREAM_HAS_SEEN_DATA(&ssn->server)) {
259  }
260  }
261 
262  return p;
263 
264 error:
265  FlowDeReference(&p->flow);
266  return NULL;
267 }
268 
270  Flow *f,
271  TcpSession *ssn);
273  Flow *f,
274  TcpSession *ssn)
275 {
276  PacketPoolWait();
278  if (p == NULL) {
279  return NULL;
280  }
281 
283 
284  return FlowForceReassemblyPseudoPacketSetup(p, direction, f, ssn);
285 }
286 
287 /**
288  * \brief Check if a flow needs forced reassembly, or any other processing
289  *
290  * \param f *LOCKED* flow
291  *
292  * \retval 0 no
293  * \retval 1 yes
294  */
296 {
297 
298  if (f == NULL || f->protoctx == NULL) {
299  SCReturnInt(0);
300  }
301 
302  TcpSession *ssn = (TcpSession *)f->protoctx;
303  int client = StreamNeedsReassembly(ssn, STREAM_TOSERVER);
304  int server = StreamNeedsReassembly(ssn, STREAM_TOCLIENT);
305 
306  /* if state is not fully closed we assume that we haven't fully
307  * inspected the app layer state yet */
308  if (ssn->state >= TCP_ESTABLISHED && ssn->state != TCP_CLOSED)
309  {
312  }
313 
314  /* if app layer still needs some love, push through */
315  if (f->alproto != ALPROTO_UNKNOWN && f->alstate != NULL) {
316  const uint64_t total_txs = AppLayerParserGetTxCnt(f, f->alstate);
317 
319  {
321  }
323  {
325  }
326  }
327 
328  /* nothing to do */
329  if (client == STREAM_HAS_UNPROCESSED_SEGMENTS_NONE &&
331  SCReturnInt(0);
332  }
333 
334  f->ffr_ts = client;
335  f->ffr_tc = server;
336  SCReturnInt(1);
337 }
338 
339 /**
340  * \internal
341  * \brief Forces reassembly for flow if it needs it.
342  *
343  * The function requires flow to be locked beforehand.
344  *
345  * \param f Pointer to the flow.
346  *
347  * \retval 0 This flow doesn't need any reassembly processing; 1 otherwise.
348  */
350 {
351  const int thread_id = (int)f->thread_id[0];
352  TmThreadsInjectFlowById(f, thread_id);
353 }
354 
355 /**
356  * \internal
357  * \brief Forces reassembly for flows that need it.
358  *
359  * When this function is called we're running in virtually dead engine,
360  * so locking the flows is not strictly required. The reasons it is still
361  * done are:
362  * - code consistency
363  * - silence complaining profilers
364  * - allow us to aggressively check using debug valdation assertions
365  * - be robust in case of future changes
366  * - locking overhead if neglectable when no other thread fights us
367  *
368  * \param q The queue to process flows from.
369  */
370 static inline void FlowForceReassemblyForHash(void)
371 {
372  for (uint32_t idx = 0; idx < flow_config.hash_size; idx++) {
373  FlowBucket *fb = &flow_hash[idx];
374 
376  FBLOCK_LOCK(fb);
377 
378  Flow *f = fb->head;
379  Flow *prev_f = NULL;
380 
381  /* we need to loop through all the flows in the queue */
382  while (f != NULL) {
383  Flow *next_f = f->next;
385 
386  FLOWLOCK_WRLOCK(f);
387 
388  /* Get the tcp session for the flow */
389  TcpSession *ssn = (TcpSession *)f->protoctx;
390  /* \todo Also skip flows that shouldn't be inspected */
391  if (ssn == NULL) {
392  FLOWLOCK_UNLOCK(f);
393  prev_f = f;
394  f = next_f;
395  continue;
396  }
397 
398  /* in case of additional work, we pull the flow out of the
399  * hash and xfer ownership to the injected packet(s) */
400  if (FlowForceReassemblyNeedReassembly(f) == 1) {
401  RemoveFromHash(f, prev_f);
404  f = next_f;
405  continue;
406  }
407 
408  FLOWLOCK_UNLOCK(f);
409 
410  /* next flow in the queue */
411  prev_f = f;
412  f = f->next;
413  }
414  FBLOCK_UNLOCK(fb);
415  }
416  return;
417 }
418 
419 /**
420  * \brief Force reassembly for all the flows that have unprocessed segments.
421  */
423 {
424  /* Carry out flow reassembly for unattended flows */
425  FlowForceReassemblyForHash();
426  return;
427 }
Flow_::ffr_tc
uint8_t ffr_tc
Definition: flow.h:388
util-byte.h
host.h
tm-threads.h
Packet_::proto
uint8_t proto
Definition: decode.h:438
DecodeSetNoPacketInspectionFlag
#define DecodeSetNoPacketInspectionFlag(p)
Set the No packet inspection Flag for the packet.
Definition: decode.h:1015
FlowForceReassemblyForFlow
void FlowForceReassemblyForFlow(Flow *f)
Definition: flow-timeout.c:349
Flow_::ffr_ts
uint8_t ffr_ts
Definition: flow.h:387
FLOW_IS_IPV6
#define FLOW_IS_IPV6(f)
Definition: flow.h:157
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1129
IPV4Hdr_::ip_ttl
uint8_t ip_ttl
Definition: decode-ipv4.h:77
flow-util.h
FBLOCK_LOCK
#define FBLOCK_LOCK(fb)
Definition: flow-hash.h:71
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:443
stream-tcp.h
FlowCnf_::hash_size
uint32_t hash_size
Definition: flow.h:288
Packet_::payload
uint8_t * payload
Definition: decode.h:553
Packet_::flags
uint32_t flags
Definition: decode.h:451
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:444
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:350
LiveDevice_
Definition: util-device.h:40
flow-hash.h
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:65
Flow_::vlan_id
uint16_t vlan_id[2]
Definition: flow.h:374
FlowForceReassembly
void FlowForceReassembly(void)
Force reassembly for all the flows that have unprocessed segments.
Definition: flow-timeout.c:422
IPV4Hdr_::ip_id
uint16_t ip_id
Definition: decode-ipv4.h:75
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:222
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
IPV4Hdr_::ip_tos
uint8_t ip_tos
Definition: decode-ipv4.h:73
StreamNeedsReassembly
int StreamNeedsReassembly(const TcpSession *ssn, uint8_t direction)
see what if any work the TCP session still needs
Definition: stream-tcp-reassemble.c:803
util-privs.h
stream-tcp-reassemble.h
Flow_::dp
Port dp
Definition: flow.h:366
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:447
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:41
Flow_::protoctx
void * protoctx
Definition: flow.h:448
GET_PKT_DIRECT_MAX_SIZE
#define GET_PKT_DIRECT_MAX_SIZE(p)
Definition: decode.h:235
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:554
util-unittest.h
STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION
@ STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION
Definition: stream-tcp.h:174
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:267
TmThreadsInjectFlowById
void TmThreadsInjectFlowById(Flow *f, const int id)
inject a flow into a threads flow queue
Definition: tm-threads.c:2347
FLOW_COPY_IPV6_ADDR_TO_PACKET
#define FLOW_COPY_IPV6_ADDR_TO_PACKET(fa, pa)
Definition: flow.h:170
Packet_::datalink
int datalink
Definition: decode.h:587
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
IPV4Hdr_::ip_len
uint16_t ip_len
Definition: decode-ipv4.h:74
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:482
Flow_::dst
FlowAddress dst
Definition: flow.h:353
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:237
decode.h
util-debug.h
AppLayerParserGetTransactionActive
uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:1117
STREAM_HAS_SEEN_DATA
#define STREAM_HAS_SEEN_DATA(stream)
Definition: stream-tcp-private.h:92
STREAM_HAS_UNPROCESSED_SEGMENTS_NONE
@ STREAM_HAS_UNPROCESSED_SEGMENTS_NONE
Definition: stream-tcp.h:171
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1130
DecodeSetNoPayloadInspectionFlag
#define DecodeSetNoPayloadInspectionFlag(p)
Set the No payload inspection Flag for the packet.
Definition: decode.h:1003
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:264
FlowForceReassemblyNeedReassembly
int FlowForceReassemblyNeedReassembly(Flow *f)
Check if a flow needs forced reassembly, or any other processing.
Definition: flow-timeout.c:295
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:233
PacketPoolWaitForN
void PacketPoolWaitForN(int n)
Wait until we have the requested amount of packets in the pool.
Definition: tmqh-packetpool.c:113
detect.h
Flow_::flow_end_flags
uint8_t flow_end_flags
Definition: flow.h:454
pkt-var.h
Packet_::sp
Port sp
Definition: decode.h:423
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
app-layer-parser.h
FLOW_IS_IPV4
#define FLOW_IS_IPV4(f)
Definition: flow.h:155
util-profiling.h
PacketCallocExtPkt
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:201
PacketPoolWait
void PacketPoolWait(void)
Definition: tmqh-packetpool.c:84
stream.h
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:416
stream-tcp-private.h
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:42
conf.h
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:511
FBLOCK_UNLOCK
#define FBLOCK_UNLOCK(fb)
Definition: flow-hash.h:73
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:566
PKT_STREAM_EOF
#define PKT_STREAM_EOF
Definition: decode.h:1128
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:382
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
flow-timeout.h
flow-queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:223
runmodes.h
Flow_::src
FlowAddress src
Definition: flow.h:353
Flow_::next
struct Flow_ * next
Definition: flow.h:401
IPV4Hdr_
Definition: decode-ipv4.h:71
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:150
flow_hash
FlowBucket * flow_hash
Definition: flow-hash.c:56
Packet_::flow
struct Flow_ * flow
Definition: decode.h:453
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:607
Packet_::ts
struct timeval ts
Definition: decode.h:459
flow-manager.h
suricata-common.h
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:533
flow_config
FlowConfig flow_config
Definition: flow.c:98
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FlowForceReassemblyPseudoPacketGet
Packet * FlowForceReassemblyPseudoPacketGet(int direction, Flow *f, TcpSession *ssn)
Definition: flow-timeout.c:272
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:403
PACKET_PROFILING_START
#define PACKET_PROFILING_START(p)
Definition: util-profiling.h:92
TcpStream_::next_seq
uint32_t next_seq
Definition: stream-tcp-private.h:102
threadvars.h
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
Flow_::alstate
void * alstate
Definition: flow.h:483
Flow_::flags
uint32_t flags
Definition: flow.h:428
PacketPoolGetPacket
Packet * PacketPoolGetPacket(void)
Get a new packet from the packet pool.
Definition: tmqh-packetpool.c:185
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
util-random.h
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:224
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
IPV4Hdr_::ip_csum
uint16_t ip_csum
Definition: decode-ipv4.h:79
FLOW_END_FLAG_SHUTDOWN
#define FLOW_END_FLAG_SHUTDOWN
Definition: flow.h:239
suricata.h
Packet_::dst
Address dst
Definition: decode.h:421
AppLayerParserStateSetFlag
void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1630
FLOW_NOPACKET_INSPECTION
#define FLOW_NOPACKET_INSPECTION
Definition: flow.h:63
IPV4Hdr_::ip_off
uint16_t ip_off
Definition: decode-ipv4.h:76
Flow_::sp
Port sp
Definition: flow.h:355
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:513
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:457
Packet_::dp
Port dp
Definition: decode.h:431
FLOW_DIR_REVERSED
#define FLOW_DIR_REVERSED
Definition: flow.h:110
IPV4Hdr_::ip_proto
uint8_t ip_proto
Definition: decode-ipv4.h:78
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1067
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:72
Packet_::src
Address src
Definition: decode.h:420
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:423
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1127
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:399
app-layer.h
FLOW_COPY_IPV4_ADDR_TO_PACKET
#define FLOW_COPY_IPV4_ADDR_TO_PACKET(fa, pa)
Definition: flow.h:165