85 #define STREAMTCP_DEFAULT_PREALLOC 2048
86 #define STREAMTCP_DEFAULT_MEMCAP (64 * 1024 * 1024)
87 #define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024)
88 #define STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560
89 #define STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560
90 #define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5
112 static uint64_t ssn_pool_cnt = 0;
133 #ifdef DEBUG_VALIDATION
136 BUG_ON(presize > UINT_MAX);
142 #ifdef DEBUG_VALIDATION
145 BUG_ON(postsize > presize);
167 if (memcapcopy == 0 || size +
SC_ATOMIC_GET(st_memuse) <= memcapcopy)
179 if (size == 0 || (uint64_t)
SC_ATOMIC_GET(st_memuse) < size) {
200 if (stream != NULL) {
291 static void *StreamTcpSessionPoolAlloc(
void)
305 static int StreamTcpSessionPoolInit(
void *data,
void* initdata)
315 static void StreamTcpSessionPoolCleanup(
void *s)
339 static int RandomGetWrap(
void)
345 }
while(r >= ULONG_MAX - (ULONG_MAX % RAND_MAX));
359 uint16_t rdrange = 10;
368 if ((
ConfGetInt(
"stream.max-sessions", &value)) == 1) {
370 "Number of concurrent sessions is now only limited by Flow and "
371 "TCP stream engine memcaps.");
374 if ((
ConfGetInt(
"stream.prealloc-sessions", &value)) == 1) {
381 if (
ConfGetNode(
"stream.prealloc-sessions") != NULL) {
389 SCLogConfig(
"stream \"prealloc-sessions\": %"PRIu32
" (per thread)",
393 const char *temp_stream_memcap_str;
394 if (
ConfGet(
"stream.memcap", &temp_stream_memcap_str) == 1) {
395 uint64_t stream_memcap_copy;
398 "from conf file - %s. Killing engine",
399 temp_stream_memcap_str);
413 (void)
ConfGetBool(
"stream.midstream", &imidstream);
428 if ((
ConfGetBool(
"stream.checksum-validation", &csum)) == 1) {
440 "enabled" :
"disabled");
443 const char *temp_stream_inline_str;
444 if (
ConfGet(
"stream.inline", &temp_stream_inline_str) == 1) {
449 if (strcmp(temp_stream_inline_str,
"auto") == 0) {
453 }
else if (
ConfGetBool(
"stream.inline", &inl) == 1) {
469 SCLogWarning(
"stream.midstream_policy setting conflicting with stream.midstream enabled. "
470 "Ignoring stream.midstream_policy. Bug #5825.");
477 ?
"enabled" :
"disabled");
481 if ((
ConfGetBool(
"stream.bypass", &bypass)) == 1) {
490 ?
"enabled" :
"disabled");
493 int drop_invalid = 0;
494 if ((
ConfGetBool(
"stream.drop-invalid", &drop_invalid)) == 1) {
495 if (drop_invalid == 1) {
502 if ((
ConfGetInt(
"stream.max-synack-queued", &value)) == 1) {
503 if (value >= 0 && value <= 255) {
515 const char *temp_stream_reassembly_memcap_str;
516 if (
ConfGet(
"stream.reassembly.memcap", &temp_stream_reassembly_memcap_str) == 1) {
517 uint64_t stream_reassembly_memcap_copy;
519 &stream_reassembly_memcap_copy) < 0) {
521 "stream.reassembly.memcap "
522 "from conf file - %s. Killing engine",
523 temp_stream_reassembly_memcap_str);
533 SCLogConfig(
"stream.reassembly \"memcap\": %"PRIu64
"",
537 const char *temp_stream_reassembly_depth_str;
538 if (
ConfGet(
"stream.reassembly.depth", &temp_stream_reassembly_depth_str) == 1) {
542 "stream.reassembly.depth "
543 "from conf file - %s. Killing engine",
544 temp_stream_reassembly_depth_str);
556 if ((
ConfGetBool(
"stream.reassembly.randomize-chunk-size", &randomize)) == 0) {
564 const char *temp_rdrange;
565 if (
ConfGet(
"stream.reassembly.randomize-chunk-range", &temp_rdrange) == 1) {
568 "stream.reassembly.randomize-chunk-range "
569 "from conf file - %s. Killing engine",
572 }
else if (rdrange >= 100) {
573 FatalError(
"stream.reassembly.randomize-chunk-range "
574 "must be lower than 100");
579 const char *temp_stream_reassembly_toserver_chunk_size_str;
580 if (
ConfGet(
"stream.reassembly.toserver-chunk-size",
581 &temp_stream_reassembly_toserver_chunk_size_str) == 1) {
585 "stream.reassembly.toserver-chunk-size "
586 "from conf file - %s. Killing engine",
587 temp_stream_reassembly_toserver_chunk_size_str);
596 long int r = RandomGetWrap();
601 const char *temp_stream_reassembly_toclient_chunk_size_str;
602 if (
ConfGet(
"stream.reassembly.toclient-chunk-size",
603 &temp_stream_reassembly_toclient_chunk_size_str) == 1) {
607 "stream.reassembly.toclient-chunk-size "
608 "from conf file - %s. Killing engine",
609 temp_stream_reassembly_toclient_chunk_size_str);
618 long int r = RandomGetWrap();
624 SCLogConfig(
"stream.reassembly \"toserver-chunk-size\": %"PRIu16,
626 SCLogConfig(
"stream.reassembly \"toclient-chunk-size\": %"PRIu16,
631 if (
ConfGetBool(
"stream.reassembly.raw", &enable_raw) == 1) {
639 SCLogConfig(
"stream.reassembly.raw: %s", enable_raw ?
"enabled" :
"disabled");
659 StreamTcpSessionPoolAlloc,
660 StreamTcpSessionPoolInit, NULL,
661 StreamTcpSessionPoolCleanup, NULL);
680 SCLogDebug(
"ssn_pool_cnt %"PRIu64
"", ssn_pool_cnt);
718 if (
unlikely((g_eps_stream_ssn_memcap != UINT64_MAX &&
719 g_eps_stream_ssn_memcap ==
t_pcapcnt))) {
826 #define StreamTcpUpdateLastAck(ssn, stream, ack) { \
827 if (SEQ_GT((ack), (stream)->last_ack)) \
829 SCLogDebug("ssn %p: last_ack set to %"PRIu32", moved %u forward", (ssn), (ack), (ack) - (stream)->last_ack); \
830 if ((SEQ_LEQ((stream)->last_ack, (stream)->next_seq) && SEQ_GT((ack),(stream)->next_seq))) { \
831 SCLogDebug("last_ack just passed next_seq: %u (was %u) > %u", (ack), (stream)->last_ack, (stream)->next_seq); \
833 SCLogDebug("next_seq (%u) <> last_ack now %d", (stream)->next_seq, (int)(stream)->next_seq - (ack)); \
835 (stream)->last_ack = (ack); \
836 StreamTcpSackPruneList((stream)); \
838 SCLogDebug("ssn %p: no update: ack %u, last_ack %"PRIu32", next_seq %u (state %u)", \
839 (ssn), (ack), (stream)->last_ack, (stream)->next_seq, (ssn)->state); \
843 #define StreamTcpAsyncLastAckUpdate(ssn, stream) { \
844 if ((ssn)->flags & STREAMTCP_FLAG_ASYNC) { \
845 if (SEQ_GT((stream)->next_seq, (stream)->last_ack)) { \
846 uint32_t ack_diff = (stream)->next_seq - (stream)->last_ack; \
847 (stream)->last_ack += ack_diff; \
848 SCLogDebug("ssn %p: ASYNC last_ack set to %"PRIu32", moved %u forward", \
849 (ssn), (stream)->next_seq, ack_diff); \
854 #define StreamTcpUpdateNextSeq(ssn, stream, seq) { \
855 (stream)->next_seq = seq; \
856 SCLogDebug("ssn %p: next_seq %" PRIu32, (ssn), (stream)->next_seq); \
857 StreamTcpAsyncLastAckUpdate((ssn), (stream)); \
867 #define StreamTcpUpdateNextWin(ssn, stream, win) { \
868 uint32_t sacked_size__ = StreamTcpSackedSize((stream)); \
869 if (SEQ_GT(((win) + sacked_size__), (stream)->next_win)) { \
870 (stream)->next_win = ((win) + sacked_size__); \
871 SCLogDebug("ssn %p: next_win set to %"PRIu32, (ssn), (stream)->next_win); \
879 SCLogDebug(
"ssn %p: (state: %s) Reset received and state changed to "
883 static int StreamTcpPacketIsRetransmission(
TcpStream *stream,
Packet *p)
931 SCLogDebug(
"RST packet received, no session setup");
936 SCLogDebug(
"FIN packet received, no session setup");
945 SCLogDebug(
"Midstream not enabled, so won't pick up a session");
951 SCLogDebug(
"Midstream policy not permissive, so won't pick up a session");
974 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
975 "TCP_SYN_RECV", ssn);
1006 SCLogDebug(
"ssn %p: wscale enabled. client %u server %u",
1010 SCLogDebug(
"ssn %p: ssn->client.isn %"PRIu32
", ssn->client.next_seq"
1011 " %"PRIu32
", ssn->client.last_ack %"PRIu32
"", ssn,
1014 SCLogDebug(
"ssn %p: ssn->server.isn %"PRIu32
", ssn->server.next_seq"
1015 " %"PRIu32
", ssn->server.last_ack %"PRIu32
"", ssn,
1024 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1025 "ssn->client.last_ts %" PRIu32
"", ssn,
1043 SCLogDebug(
"ssn %p: SYN/ACK with SACK permitted, assuming "
1044 "SACK permitted for both sides", ssn);
1062 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_SYN_SENT", ssn);
1095 SCLogDebug(
"ssn %p: SACK permitted on SYN packet", ssn);
1102 SCLogDebug(
"ssn: %p (TFO) [len: %d] isn %u base_seq %u next_seq %u payload len %u",
1108 SCLogDebug(
"ssn %p: ssn->client.isn %" PRIu32
", "
1109 "ssn->client.next_seq %" PRIu32
", ssn->client.last_ack "
1118 SCLogDebug(
"Midstream not enabled, so won't pick up a session");
1124 SCLogDebug(
"Midstream policy not permissive, so won't pick up a session");
1141 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1142 "TCP_ESTABLISHED", ssn);
1163 SCLogDebug(
"ssn %p: ssn->client.isn %u, ssn->client.next_seq %u",
1172 SCLogDebug(
"ssn %p: ssn->client.next_win %"PRIu32
", "
1173 "ssn->server.next_win %"PRIu32
"", ssn,
1175 SCLogDebug(
"ssn %p: ssn->client.last_ack %"PRIu32
", "
1176 "ssn->server.last_ack %"PRIu32
"", ssn,
1184 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1185 "ssn->client.last_ts %" PRIu32
"", ssn,
1204 SCLogDebug(
"ssn %p: assuming SACK permitted for both sides", ssn);
1247 StreamTcp3whsSynAckToStateQueue(p, &search);
1255 search.
ts == q->
ts) {
1268 if (StreamTcp3whsFindSynAckBySynAck(ssn, p) != NULL)
1272 SCLogDebug(
"ssn %p: =~ SYN/ACK queue limit reached", ssn);
1278 SCLogDebug(
"ssn %p: =~ SYN/ACK queue failed: stream memcap reached", ssn);
1284 SCLogDebug(
"ssn %p: =~ SYN/ACK queue failed: alloc failed", ssn);
1287 memset(q, 0x00,
sizeof(*q));
1290 StreamTcp3whsSynAckToStateQueue(p, q);
1338 StreamTcp3whsSynAckToStateQueue(p, &update);
1345 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_SYN_RECV", ssn);
1361 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1362 "ssn->client.last_ts %" PRIu32
"", ssn,
1390 SCLogDebug(
"ssn %p: SACK permitted for session", ssn);
1397 SCLogDebug(
"ssn %p: ssn->server.next_win %" PRIu32
"", ssn,
1399 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
"", ssn,
1401 SCLogDebug(
"ssn %p: ssn->server.isn %" PRIu32
", "
1402 "ssn->server.next_seq %" PRIu32
", "
1403 "ssn->server.last_ack %" PRIu32
" "
1404 "(ssn->client.last_ack %" PRIu32
")", ssn,
1411 SCLogDebug(
"ssn %p: STREAMTCP_FLAG_4WHS unset, normal SYN/ACK"
1412 " so considering 3WHS", ssn);
1423 static inline bool StateSynSentValidateTimestamp(
TcpSession *ssn,
Packet *p)
1433 if (receiver_stream->
last_ts != 0 && ts_echo != 0 &&
1434 ts_echo != receiver_stream->
last_ts)
1436 SCLogDebug(
"ssn %p: BAD TSECR echo %u recv %u", ssn,
1437 ts_echo, receiver_stream->
last_ts);
1441 if (receiver_stream->
last_ts == 0 && ts_echo != 0) {
1442 SCLogDebug(
"ssn %p: BAD TSECR echo %u recv %u", ssn,
1443 ts_echo, receiver_stream->
last_ts);
1468 "toclient":
"toserver");
1471 if (StateSynSentValidateTimestamp(ssn, p) ==
false)
1476 if (!StreamTcpValidateRst(ssn, p))
1484 SCLogDebug(
"ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
1486 StreamTcpCloseSsnWithReset(p, ssn);
1490 SCLogDebug(
"ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
1491 StreamTcpCloseSsnWithReset(p, ssn);
1501 SCLogDebug(
"ssn %p: SYN/ACK received on 4WHS session", ssn);
1508 SCLogDebug(
"ssn %p: 4WHS ACK mismatch, packet ACK %"PRIu32
""
1509 " != %" PRIu32
" from stream", ssn,
1519 SCLogDebug(
"ssn %p: 4WHS SEQ mismatch, packet SEQ %"PRIu32
""
1520 " != %" PRIu32
" from *first* SYN pkt", ssn,
1528 SCLogDebug(
"ssn %p: =~ 4WHS ssn state is now TCP_SYN_RECV", ssn);
1536 SCLogDebug(
"ssn %p: 4WHS window %" PRIu32
"", ssn,
1545 SCLogDebug(
"ssn %p: 4WHS ssn->client.last_ts %" PRIu32
" "
1546 "ssn->server.last_ts %" PRIu32
"", ssn,
1574 SCLogDebug(
"ssn %p: SACK permitted for 4WHS session", ssn);
1579 SCLogDebug(
"ssn %p: 4WHS ssn->client.next_win %" PRIu32
"", ssn,
1581 SCLogDebug(
"ssn %p: 4WHS ssn->server.next_win %" PRIu32
"", ssn,
1583 SCLogDebug(
"ssn %p: 4WHS ssn->client.isn %" PRIu32
", "
1584 "ssn->client.next_seq %" PRIu32
", "
1585 "ssn->client.last_ack %" PRIu32
" "
1586 "(ssn->server.last_ack %" PRIu32
")", ssn,
1596 SCLogDebug(
"ssn %p: SYN/ACK received in the wrong direction", ssn);
1605 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
1613 SCLogDebug(
"ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32
" != "
1618 SCLogDebug(
"ssn %p: (TFO) ACK match, packet ACK %" PRIu32
" == "
1625 StreamTcp3whsSynAckUpdate(ssn, p, NULL);
1628 SCLogDebug(
"ssn %p: SYN packet on state SYN_SENT... resent", ssn);
1630 SCLogDebug(
"ssn %p: SYN packet on state SYN_SENT... resent of "
1643 SCLogDebug(
"ssn %p: STREAMTCP_FLAG_4WHS flag set", ssn);
1680 SCLogDebug(
"ssn %p: 4WHS ssn->server.isn %" PRIu32
", "
1681 "ssn->server.next_seq %" PRIu32
", "
1682 "ssn->server.last_ack %"PRIu32
"", ssn,
1685 SCLogDebug(
"ssn %p: 4WHS ssn->client.isn %" PRIu32
", "
1686 "ssn->client.next_seq %" PRIu32
", "
1687 "ssn->client.last_ack %"PRIu32
"", ssn,
1705 SCLogDebug(
"ssn %p: Retransmitted SYN. Updated timestamp from packet %" PRIu64, ssn,
1726 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
1734 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
1747 SCLogDebug(
"ssn %p: synsent => Asynchronous stream, packet SEQ"
1748 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
1749 "ssn->client.next_seq %" PRIu32
""
1807 if (!StreamTcpValidateRst(ssn, p))
1824 SCLogDebug(
"Detection evasion has been attempted, so"
1825 " not resetting the connection !!");
1833 SCLogDebug(
"Detection evasion has been attempted, so"
1834 " not resetting the connection !!");
1840 StreamTcpCloseSsnWithReset(p, ssn);
1843 StreamTcpHandleTimestamp(ssn, p);
1850 if (!StreamTcpValidateTimestamp(ssn, p))
1854 if ((StreamTcpHandleFin(
tv, stt, ssn, p, pq)) == -1)
1859 SCLogDebug(
"ssn %p: SYN/ACK packet on state SYN_RECV. resent", ssn);
1862 SCLogDebug(
"ssn %p: SYN/ACK-pkt to server in SYN_RECV state", ssn);
1871 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
1882 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
1886 if (StreamTcp3whsQueueSynAck(ssn, p) == -1)
1888 SCLogDebug(
"ssn %p: queued different SYN/ACK", ssn);
1892 SCLogDebug(
"ssn %p: SYN packet on state SYN_RECV... resent", ssn);
1895 SCLogDebug(
"ssn %p: SYN-pkt to client in SYN_RECV state", ssn);
1902 SCLogDebug(
"ssn %p: SYN with different SEQ on SYN_RECV state", ssn);
1910 SCLogDebug(
"ssn %p: checking ACK against queued SYN/ACKs", ssn);
1913 SCLogDebug(
"ssn %p: here we update state against queued SYN/ACK", ssn);
1914 StreamTcp3whsSynAckUpdate(ssn, p, q);
1916 SCLogDebug(
"ssn %p: none found, now checking ACK against original SYN/ACK (state)", ssn);
1926 if (!(StreamTcpValidateTimestamp(ssn, p))) {
1932 SCLogDebug(
"ssn %p: ACK received on 4WHS session",ssn);
1935 SCLogDebug(
"ssn %p: 4WHS wrong seq nr on packet", ssn);
1940 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
1941 SCLogDebug(
"ssn %p: 4WHS invalid ack nr on packet", ssn);
1947 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
1948 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
1952 StreamTcpHandleTimestamp(ssn, p);
1961 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
1966 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
", "
1967 "ssn->client.last_ack %"PRIu32
"", ssn,
1972 bool ack_indicates_missed_3whs_ack_packet =
false;
1982 SCLogDebug(
"ssn %p: ACK received on midstream SYN/ACK "
1983 "pickup session",ssn);
1986 SCLogDebug(
"ssn %p: ACK received on TFO session",ssn);
2004 SCLogDebug(
"ssn %p: possible data injection", ssn);
2009 SCLogDebug(
"ssn %p: ACK received in the wrong direction",
2014 ack_indicates_missed_3whs_ack_packet =
true;
2018 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ %" PRIu32
""
2031 StreamTcpHandleTimestamp(ssn, p);
2055 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2075 StreamTcpHandleTimestamp(ssn, p);
2088 SCLogDebug(
"ssn %p: synrecv => Asynchronous stream, packet SEQ"
2089 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2090 "ssn->server.next_seq %" PRIu32
2095 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2105 SCLogDebug(
"ssn %p: wrong ack nr on packet, possible evasion!!",
2115 SCLogDebug(
"ssn %p: ACK for missing data", ssn);
2118 StreamTcpHandleTimestamp(ssn, p);
2124 SCLogDebug(
"ssn %p: ACK for missing data: ssn->server.next_seq %u", ssn,
2134 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2143 SCLogDebug(
"ssn %p: ACK for missing data", ssn);
2146 StreamTcpHandleTimestamp(ssn, p);
2169 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2175 }
else if ((ack_indicates_missed_3whs_ack_packet ||
2179 if (ack_indicates_missed_3whs_ack_packet) {
2180 SCLogDebug(
"ssn %p: packet fits perfectly after a missed 3whs-ACK", ssn);
2182 SCLogDebug(
"ssn %p: (TFO) expected packet fits perfectly after SYN/ACK", ssn);
2191 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2197 SCLogDebug(
"ssn %p: wrong seq nr on packet", ssn);
2203 SCLogDebug(
"ssn %p: ssn->server.next_win %" PRIu32
", "
2204 "ssn->server.last_ack %"PRIu32
"", ssn,
2229 SCLogDebug(
"ssn %p: =+ pkt (%" PRIu32
") is to server: SEQ %" PRIu32
","
2230 "ACK %" PRIu32
", WIN %"PRIu16
"", ssn, p->
payload_len,
2233 if (StreamTcpValidateAck(ssn, &(ssn->
server), p) == -1) {
2234 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2242 SCLogDebug(
"ssn %p: pkt is keep alive", ssn);
2247 SCLogDebug(
"ssn %p: server => Asynchrouns stream, packet SEQ"
2248 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2249 " ssn->client.last_ack %" PRIu32
", ssn->client.next_win"
2262 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ."
2263 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2264 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2279 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ"
2280 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2281 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2299 SCLogDebug(
"ssn %p: PKT SEQ %"PRIu32
" payload_len %"PRIu16
2300 " before last_ack %"PRIu32
", after next_seq %"PRIu32
":"
2301 " acked data that we haven't seen before",
2307 SCLogDebug(
"ssn %p: server => SEQ before last_ack, packet SEQ"
2308 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2309 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2315 SCLogDebug(
"ssn %p: rejecting because pkt before last_ack", ssn);
2321 int zerowindowprobe = 0;
2324 SCLogDebug(
"ssn %p: zero window probe", ssn);
2325 zerowindowprobe = 1;
2336 SCLogDebug(
"ssn %p: ssn->client.next_seq %"PRIu32
2337 " (started before next_seq, ended after)",
2343 SCLogDebug(
"ssn %p: ssn->client.next_seq %"PRIu32
2344 " (next_seq had fallen behind last_ack)",
2348 SCLogDebug(
"ssn %p: no update to ssn->client.next_seq %"PRIu32
2349 " SEQ %u SEQ+ %u last_ack %u",
2355 if (zerowindowprobe) {
2356 SCLogDebug(
"ssn %p: zero window probe, skipping oow check", ssn);
2360 SCLogDebug(
"ssn %p: seq %"PRIu32
" in window, ssn->client.next_win "
2364 SCLogDebug(
"ssn %p: ssn->server.window %"PRIu32
"", ssn,
2373 StreamTcpHandleTimestamp(ssn, p);
2385 SCLogDebug(
"ssn %p: toserver => SEQ out of window, packet SEQ "
2386 "%" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2387 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2393 StreamTcpSackedSize(&ssn->
client));
2416 SCLogDebug(
"ssn %p: =+ pkt (%" PRIu32
") is to client: SEQ %" PRIu32
","
2417 " ACK %" PRIu32
", WIN %"PRIu16
"", ssn, p->
payload_len,
2420 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
2421 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2434 SCLogDebug(
"ssn %p: adjusted midstream ssn->server.next_win to "
2441 SCLogDebug(
"ssn %p: pkt is keep alive", ssn);
2447 SCLogDebug(
"ssn %p: client => Asynchrouns stream, packet SEQ"
2448 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2449 " ssn->client.last_ack %" PRIu32
", ssn->client.next_win"
2463 SCLogDebug(
"ssn %p: PKT SEQ %"PRIu32
" payload_len %"PRIu16
2464 " before last_ack %"PRIu32
", after next_seq %"PRIu32
":"
2465 " acked data that we haven't seen before",
2471 SCLogDebug(
"ssn %p: PKT SEQ %"PRIu32
" payload_len %"PRIu16
2472 " before last_ack %"PRIu32
". next_seq %"PRIu32,
2479 int zerowindowprobe = 0;
2482 SCLogDebug(
"ssn %p: zero window probe", ssn);
2483 zerowindowprobe = 1;
2494 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
2495 " (started before next_seq, ended after)",
2501 SCLogDebug(
"ssn %p: ssn->server.next_seq %"PRIu32
2502 " (next_seq had fallen behind last_ack)",
2505 SCLogDebug(
"ssn %p: no update to ssn->server.next_seq %"PRIu32
2506 " SEQ %u SEQ+ %u last_ack %u",
2511 if (zerowindowprobe) {
2512 SCLogDebug(
"ssn %p: zero window probe, skipping oow check", ssn);
2516 SCLogDebug(
"ssn %p: seq %"PRIu32
" in window, ssn->server.next_win "
2519 SCLogDebug(
"ssn %p: ssn->client.window %"PRIu32
"", ssn,
2526 StreamTcpHandleTimestamp(ssn, p);
2535 SCLogDebug(
"ssn %p: client => SEQ out of window, packet SEQ"
2536 "%" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2537 " ssn->server.last_ack %" PRIu32
", ssn->server.next_win "
2560 static inline uint32_t StreamTcpResetGetMaxAck(
TcpStream *stream, uint32_t
seq)
2566 if (
SEQ_GT(tail_seq, ack)) {
2638 static bool StreamTcpPacketIsSpuriousRetransmission(
TcpSession *ssn,
Packet *p)
2650 SCLogDebug(
"ssn %p: spurious retransmission; packet entirely before last_ack: SEQ %u(%u) "
2655 SCLogDebug(
"ssn %p: NOT spurious retransmission; packet NOT entirely before last_ack: SEQ "
2656 "%u(%u) last_ack %u, le %u",
2679 if (!StreamTcpValidateRst(ssn, p))
2683 StreamTcpCloseSsnWithReset(p, ssn);
2687 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
2691 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
2699 StreamTcpHandleTimestamp(ssn, p);
2704 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
2712 StreamTcpCloseSsnWithReset(p, ssn);
2717 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
2721 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
2729 StreamTcpHandleTimestamp(ssn, p);
2734 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
2745 if (!StreamTcpValidateTimestamp(ssn, p))
2750 " %" PRIu32
", last ACK %" PRIu32
", next win %"PRIu32
","
2755 if ((StreamTcpHandleFin(
tv, stt, ssn, p, pq)) == -1)
2760 SCLogDebug(
"ssn %p: SYN/ACK packet on state ESTABLISHED... resent",
2764 SCLogDebug(
"ssn %p: SYN/ACK-pkt to server in ESTABLISHED state", ssn);
2773 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
2784 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
2798 SCLogDebug(
"ssn %p: SYN/ACK packet on state ESTABLISHED... resent. "
2799 "Likely due server not receiving final ACK in 3whs", ssn);
2803 SCLogDebug(
"ssn %p: SYN packet on state ESTABLISHED... resent", ssn);
2805 SCLogDebug(
"ssn %p: SYN-pkt to client in EST state", ssn);
2812 SCLogDebug(
"ssn %p: SYN with different SEQ on SYN_RECV state", ssn);
2833 if (!StreamTcpValidateTimestamp(ssn, p))
2839 HandleEstablishedPacketToServer(
tv, ssn, p, stt, pq);
2841 SCLogDebug(
"ssn %p: next SEQ %" PRIu32
", last ACK %" PRIu32
","
2842 " next win %" PRIu32
", win %" PRIu32
"", ssn,
2849 SCLogDebug(
"3whs is now confirmed by server");
2853 HandleEstablishedPacketToClient(
tv, ssn, p, stt, pq);
2855 SCLogDebug(
"ssn %p: next SEQ %" PRIu32
", last ACK %" PRIu32
","
2856 " next win %" PRIu32
", win %" PRIu32
"", ssn,
2883 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ %" PRIu32
","
2887 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
2888 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2896 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
" != "
2910 SCLogDebug(
"ssn %p: state changed to TCP_CLOSE_WAIT", ssn);
2915 SCLogDebug(
"ssn %p: ssn->client.next_seq %" PRIu32
"", ssn,
2923 StreamTcpHandleTimestamp(ssn, p);
2933 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK %" PRIu32
"",
2936 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ %" PRIu32
", "
2940 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
2941 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2949 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
" != "
2950 "%" PRIu32
" from stream (last_ack %u win %u = %u)", ssn,
TCP_GET_SEQ(p),
2958 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT1", ssn);
2963 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
2971 StreamTcpHandleTimestamp(ssn, p);
2981 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK %" PRIu32
"",
3008 if (!StreamTcpValidateRst(ssn, p))
3011 StreamTcpCloseSsnWithReset(p, ssn);
3014 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
3022 StreamTcpHandleTimestamp(ssn, p);
3028 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
3036 StreamTcpHandleTimestamp(ssn, p);
3045 if (!StreamTcpValidateTimestamp(ssn, p))
3050 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3051 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3053 int retransmission = 0;
3055 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3056 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3062 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3063 " != %" PRIu32
" from stream", ssn,
3069 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3070 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3075 if (!retransmission) {
3077 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3085 StreamTcpHandleTimestamp(ssn, p);
3100 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3104 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3105 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3107 int retransmission = 0;
3109 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3110 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3114 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3119 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3120 " != %" PRIu32
" from stream", ssn,
3126 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3127 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3132 if (!retransmission) {
3134 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3142 StreamTcpHandleTimestamp(ssn, p);
3157 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3164 if (!StreamTcpValidateTimestamp(ssn, p))
3169 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3170 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3172 int retransmission = 0;
3174 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3175 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3181 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3182 " != %" PRIu32
" from stream", ssn,
3188 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3189 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3194 if (!retransmission) {
3196 SCLogDebug(
"ssn %p: state changed to TCP_CLOSING", ssn);
3205 StreamTcpHandleTimestamp(ssn, p);
3220 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3224 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3225 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3228 int retransmission = 0;
3230 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3231 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3237 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3238 " != %" PRIu32
" from stream", ssn,
3244 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3245 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3250 if (!retransmission) {
3252 SCLogDebug(
"ssn %p: state changed to TCP_CLOSING", ssn);
3261 StreamTcpHandleTimestamp(ssn, p);
3276 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3281 SCLogDebug(
"ssn (%p): SYN pkt on FinWait1", ssn);
3287 if (!StreamTcpValidateTimestamp(ssn, p))
3292 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3293 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3295 int retransmission = 0;
3297 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3298 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3302 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3303 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3308 if (!retransmission) {
3312 SCLogDebug(
"ssn %p: seq %"PRIu32
" in window, ssn->client.next_win "
3317 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT2", ssn);
3320 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3321 " != %" PRIu32
" from stream", ssn,
3334 StreamTcpHandleTimestamp(ssn, p);
3354 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3360 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3361 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3364 int retransmission = 0;
3366 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3367 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3371 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3372 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3377 if (!retransmission) {
3381 SCLogDebug(
"ssn %p: seq %"PRIu32
" in window, ssn->server.next_win "
3386 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT2", ssn);
3389 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3390 " != %" PRIu32
" from stream", ssn,
3402 StreamTcpHandleTimestamp(ssn, p);
3422 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3450 if (!StreamTcpValidateRst(ssn, p))
3453 StreamTcpCloseSsnWithReset(p, ssn);
3456 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
3464 StreamTcpHandleTimestamp(ssn, p);
3470 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
3478 StreamTcpHandleTimestamp(ssn, p);
3487 if (!StreamTcpValidateTimestamp(ssn, p))
3492 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3493 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3495 int retransmission = 0;
3501 }
else if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3502 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3508 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ "
3509 "%" PRIu32
" != %" PRIu32
" from stream", ssn,
3515 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3516 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3521 if (!retransmission) {
3523 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3536 StreamTcpHandleTimestamp(ssn, p);
3547 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3551 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3552 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3554 int retransmission = 0;
3560 }
else if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3561 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3567 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ "
3568 "%" PRIu32
" != %" PRIu32
" from stream", ssn,
3574 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3575 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3580 if (!retransmission) {
3582 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3591 StreamTcpHandleTimestamp(ssn, p);
3601 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3607 SCLogDebug(
"ssn (%p): SYN pkt on FinWait2", ssn);
3613 if (!StreamTcpValidateTimestamp(ssn, p))
3618 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3619 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3621 int retransmission = 0;
3623 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3624 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3628 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3629 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3634 if (!retransmission) {
3638 SCLogDebug(
"ssn %p: seq %"PRIu32
" in window, ssn->client.next_win "
3642 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3643 " != %" PRIu32
" from stream", ssn,
3655 StreamTcpHandleTimestamp(ssn, p);
3670 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3674 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3675 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3677 int retransmission = 0;
3679 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3680 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3684 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3685 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3690 if (!retransmission) {
3694 SCLogDebug(
"ssn %p: seq %"PRIu32
" in window, ssn->server.next_win "
3697 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3698 " != %" PRIu32
" from stream", ssn,
3710 StreamTcpHandleTimestamp(ssn, p);
3725 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3753 if (!StreamTcpValidateRst(ssn, p))
3756 StreamTcpCloseSsnWithReset(p, ssn);
3759 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
3767 StreamTcpHandleTimestamp(ssn, p);
3773 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
3781 StreamTcpHandleTimestamp(ssn, p);
3789 SCLogDebug(
"ssn (%p): SYN pkt on Closing", ssn);
3795 if (!StreamTcpValidateTimestamp(ssn, p))
3800 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3801 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3803 int retransmission = 0;
3804 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3805 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3810 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3811 " != %" PRIu32
" from stream", ssn,
3817 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3818 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3823 if (!retransmission) {
3825 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3833 StreamTcpHandleTimestamp(ssn, p);
3842 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3846 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3847 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3849 int retransmission = 0;
3850 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3851 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3856 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3857 " != %" PRIu32
" from stream", ssn,
3863 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3864 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3869 if (!retransmission) {
3871 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3879 StreamTcpHandleTimestamp(ssn, p);
3889 SCLogDebug(
"StreamTcpPacketStateClosing (%p): =+ next SEQ "
3890 "%" PRIu32
", last ACK %" PRIu32
"", ssn,
3920 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3921 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3924 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3925 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3930 if (!StreamTcpValidateRst(ssn, p))
3933 StreamTcpCloseSsnWithReset(p, ssn);
3936 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
3944 StreamTcpHandleTimestamp(ssn, p);
3950 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
3958 StreamTcpHandleTimestamp(ssn, p);
3967 if (!StreamTcpValidateTimestamp(ssn, p))
3972 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3973 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
3976 int retransmission = 0;
3977 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3978 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3982 if (!retransmission) {
3986 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3987 " != %" PRIu32
" from stream", ssn,
3994 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3995 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4002 if (!retransmission)
4009 StreamTcpHandleTimestamp(ssn, p);
4019 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4023 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4024 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
4027 int retransmission = 0;
4028 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4029 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4033 if (!retransmission) {
4037 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4038 " != %" PRIu32
" from stream", ssn,
4045 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4046 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4051 if (!retransmission) {
4053 SCLogDebug(
"ssn %p: state changed to TCP_LAST_ACK", ssn);
4062 StreamTcpHandleTimestamp(ssn, p);
4072 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4078 SCLogDebug(
"ssn (%p): SYN pkt on CloseWait", ssn);
4084 if (!StreamTcpValidateTimestamp(ssn, p))
4089 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4090 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
4093 int retransmission = 0;
4094 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4095 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4100 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4106 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4107 " != %" PRIu32
" from stream", ssn,
4113 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4114 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4119 if (!retransmission) {
4126 StreamTcpHandleTimestamp(ssn, p);
4139 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4143 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4144 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
4146 int retransmission = 0;
4147 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4148 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4153 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4159 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4160 " != %" PRIu32
" from stream", ssn,
4166 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4167 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4172 if (!retransmission) {
4179 StreamTcpHandleTimestamp(ssn, p);
4192 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4220 if (!StreamTcpValidateRst(ssn, p))
4223 StreamTcpCloseSsnWithReset(p, ssn);
4226 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
4234 StreamTcpHandleTimestamp(ssn, p);
4240 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
4248 StreamTcpHandleTimestamp(ssn, p);
4257 SCLogDebug(
"ssn (%p): FIN pkt on LastAck", ssn);
4260 SCLogDebug(
"ssn (%p): SYN pkt on LastAck", ssn);
4266 if (!StreamTcpValidateTimestamp(ssn, p))
4271 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4272 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
4275 int retransmission = 0;
4276 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4277 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4281 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4282 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4287 if (!retransmission) {
4289 SCLogDebug(
"ssn %p: not updating state as packet is before next_seq", ssn);
4291 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4292 " != %" PRIu32
" from stream", ssn,
4298 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
4307 StreamTcpHandleTimestamp(ssn, p);
4317 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4345 if (!StreamTcpValidateRst(ssn, p))
4348 StreamTcpCloseSsnWithReset(p, ssn);
4351 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
server, p) == 0)
4359 StreamTcpHandleTimestamp(ssn, p);
4365 if ((p->
tcph->th_flags &
TH_ACK) && StreamTcpValidateAck(ssn, &ssn->
client, p) == 0)
4373 StreamTcpHandleTimestamp(ssn, p);
4384 SCLogDebug(
"ssn (%p): SYN pkt on TimeWait", ssn);
4390 if (!StreamTcpValidateTimestamp(ssn, p))
4395 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4396 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
4398 int retransmission = 0;
4399 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4400 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4404 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4405 " != %" PRIu32
" from stream", ssn,
4411 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4412 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4417 if (!retransmission) {
4419 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
4427 StreamTcpHandleTimestamp(ssn, p);
4437 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4441 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4442 "%" PRIu32
", ACK %" PRIu32
"", ssn, p->
payload_len,
4444 int retransmission = 0;
4445 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4446 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4450 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4453 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4454 " != %" PRIu32
" from stream", ssn,
4461 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4462 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4467 if (!retransmission) {
4469 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
4477 StreamTcpHandleTimestamp(ssn, p);
4487 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4510 TcpStream *stream = NULL, *ostream = NULL;