85 #define STREAMTCP_DEFAULT_PREALLOC 2048
86 #define STREAMTCP_DEFAULT_MEMCAP (64 * 1024 * 1024)
87 #define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024)
88 #define STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560
89 #define STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560
90 #define STREAMTCP_DEFAULT_MAX_SYN_QUEUED 10
91 #define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5
106 .valid_settings_ips = {
132 .valid_settings_ips = {
158 .valid_settings_ips = {
184 .valid_settings_ips = {
207 static int StreamTcpStateDispatch(
216 static uint64_t ssn_pool_cnt = 0;
236 #if defined(DEBUG_VALIDATION) && defined(UNITTESTS)
239 BUG_ON(presize > UINT_MAX);
245 #if defined(DEBUG_VALIDATION) && defined(UNITTESTS)
248 BUG_ON(postsize > presize);
269 if (memcapcopy == 0 || size +
SC_ATOMIC_GET(st_memuse) <= memcapcopy)
281 if (size == 0 || (uint64_t)
SC_ATOMIC_GET(st_memuse) < size) {
302 if (stream != NULL) {
309 static void StreamTcp3wsFreeQueue(
TcpSession *ssn)
336 StreamTcp3wsFreeQueue(ssn);
397 static void *StreamTcpSessionPoolAlloc(
void)
411 static int StreamTcpSessionPoolInit(
void *data,
void* initdata)
421 static void StreamTcpSessionPoolCleanup(
void *s)
435 static inline bool StreamTcpInlineDropInvalid(
void)
444 static int RandomGetWrap(
void)
450 }
while(r >= ULONG_MAX - (ULONG_MAX % RAND_MAX));
464 uint16_t rdrange = 10;
473 if ((
ConfGetInt(
"stream.max-sessions", &value)) == 1) {
475 "Number of concurrent sessions is now only limited by Flow and "
476 "TCP stream engine memcaps.");
479 if ((
ConfGetInt(
"stream.prealloc-sessions", &value)) == 1) {
486 if (
ConfGetNode(
"stream.prealloc-sessions") != NULL) {
494 SCLogConfig(
"stream \"prealloc-sessions\": %"PRIu32
" (per thread)",
498 const char *temp_stream_memcap_str;
499 if (
ConfGet(
"stream.memcap", &temp_stream_memcap_str) == 1) {
500 uint64_t stream_memcap_copy;
503 "from conf file - %s. Killing engine",
504 temp_stream_memcap_str);
518 (void)
ConfGetBool(
"stream.midstream", &imidstream);
526 (void)
ConfGetBool(
"stream.async-oneside", &async_oneside);
535 if ((
ConfGetBool(
"stream.checksum-validation", &csum)) == 1) {
547 "enabled" :
"disabled");
550 const char *temp_stream_inline_str;
551 if (
ConfGet(
"stream.inline", &temp_stream_inline_str) == 1) {
556 if (strcmp(temp_stream_inline_str,
"auto") == 0) {
560 }
else if (
ConfGetBool(
"stream.inline", &inl) == 1) {
579 ?
"enabled" :
"disabled");
583 if ((
ConfGetBool(
"stream.bypass", &bypass)) == 1) {
592 ?
"enabled" :
"disabled");
595 int drop_invalid = 0;
596 if ((
ConfGetBool(
"stream.drop-invalid", &drop_invalid)) == 1) {
597 if (drop_invalid == 1) {
604 if ((
ConfGetInt(
"stream.max-syn-queued", &value)) == 1) {
605 if (value >= 0 && value <= 255) {
617 if ((
ConfGetInt(
"stream.max-synack-queued", &value)) == 1) {
618 if (value >= 0 && value <= 255) {
630 const char *temp_stream_reassembly_memcap_str;
631 if (
ConfGet(
"stream.reassembly.memcap", &temp_stream_reassembly_memcap_str) == 1) {
632 uint64_t stream_reassembly_memcap_copy;
634 &stream_reassembly_memcap_copy) < 0) {
636 "stream.reassembly.memcap "
637 "from conf file - %s. Killing engine",
638 temp_stream_reassembly_memcap_str);
648 SCLogConfig(
"stream.reassembly \"memcap\": %"PRIu64
"",
652 const char *temp_stream_reassembly_depth_str;
653 if (
ConfGet(
"stream.reassembly.depth", &temp_stream_reassembly_depth_str) == 1) {
657 "stream.reassembly.depth "
658 "from conf file - %s. Killing engine",
659 temp_stream_reassembly_depth_str);
671 if ((
ConfGetBool(
"stream.reassembly.randomize-chunk-size", &randomize)) == 0) {
679 const char *temp_rdrange;
680 if (
ConfGet(
"stream.reassembly.randomize-chunk-range", &temp_rdrange) == 1) {
683 "stream.reassembly.randomize-chunk-range "
684 "from conf file - %s. Killing engine",
687 }
else if (rdrange >= 100) {
688 FatalError(
"stream.reassembly.randomize-chunk-range "
689 "must be lower than 100");
694 const char *temp_stream_reassembly_toserver_chunk_size_str;
695 if (
ConfGet(
"stream.reassembly.toserver-chunk-size",
696 &temp_stream_reassembly_toserver_chunk_size_str) == 1) {
700 "stream.reassembly.toserver-chunk-size "
701 "from conf file - %s. Killing engine",
702 temp_stream_reassembly_toserver_chunk_size_str);
711 long int r = RandomGetWrap();
716 const char *temp_stream_reassembly_toclient_chunk_size_str;
717 if (
ConfGet(
"stream.reassembly.toclient-chunk-size",
718 &temp_stream_reassembly_toclient_chunk_size_str) == 1) {
722 "stream.reassembly.toclient-chunk-size "
723 "from conf file - %s. Killing engine",
724 temp_stream_reassembly_toclient_chunk_size_str);
733 long int r = RandomGetWrap();
739 SCLogConfig(
"stream.reassembly \"toserver-chunk-size\": %"PRIu16,
741 SCLogConfig(
"stream.reassembly \"toclient-chunk-size\": %"PRIu16,
746 if (
ConfGetBool(
"stream.reassembly.raw", &enable_raw) == 1) {
754 SCLogConfig(
"stream.reassembly.raw: %s", enable_raw ?
"enabled" :
"disabled");
758 int liberal_timestamps = 0;
759 if (
ConfGetBool(
"stream.liberal-timestamps", &liberal_timestamps) == 1) {
763 SCLogConfig(
"stream.liberal-timestamps: %s", liberal_timestamps ?
"enabled" :
"disabled");
783 StreamTcpSessionPoolAlloc,
784 StreamTcpSessionPoolInit, NULL,
785 StreamTcpSessionPoolCleanup, NULL);
804 SCLogDebug(
"ssn_pool_cnt %"PRIu64
"", ssn_pool_cnt);
807 static bool IsReassemblyMemcapExceptionPolicyStatsValid(
enum ExceptionPolicy exception_policy)
815 static bool IsStreamTcpSessionMemcapExceptionPolicyStatsValid(
enum ExceptionPolicy policy)
823 static void StreamTcpSsnMemcapExceptionPolicyStatsIncr(
867 if (
unlikely((g_eps_stream_ssn_memcap != UINT64_MAX &&
868 g_eps_stream_ssn_memcap ==
t_pcapcnt))) {
883 const TCPHdr *tcph = PacketGetTCP(p);
942 if (PacketIsIPv4(p)) {
952 }
else if (PacketIsIPv6(p)) {
978 #define StreamTcpUpdateLastAck(ssn, stream, ack) { \
979 if (SEQ_GT((ack), (stream)->last_ack)) \
981 SCLogDebug("ssn %p: last_ack set to %"PRIu32", moved %u forward", (ssn), (ack), (ack) - (stream)->last_ack); \
982 if ((SEQ_LEQ((stream)->last_ack, (stream)->next_seq) && SEQ_GT((ack),(stream)->next_seq))) { \
983 SCLogDebug("last_ack just passed next_seq: %u (was %u) > %u", (ack), (stream)->last_ack, (stream)->next_seq); \
985 SCLogDebug("next_seq (%u) <> last_ack now %d", (stream)->next_seq, (int)(stream)->next_seq - (ack)); \
987 (stream)->last_ack = (ack); \
988 StreamTcpSackPruneList((stream)); \
990 SCLogDebug("ssn %p: no update: ack %u, last_ack %"PRIu32", next_seq %u (state %u)", \
991 (ssn), (ack), (stream)->last_ack, (stream)->next_seq, (ssn)->state); \
995 #define StreamTcpAsyncLastAckUpdate(ssn, stream) { \
996 if ((ssn)->flags & STREAMTCP_FLAG_ASYNC) { \
997 if (SEQ_GT((stream)->next_seq, (stream)->last_ack)) { \
998 uint32_t ack_diff = (stream)->next_seq - (stream)->last_ack; \
999 (stream)->last_ack += ack_diff; \
1000 SCLogDebug("ssn %p: ASYNC last_ack set to %"PRIu32", moved %u forward", \
1001 (ssn), (stream)->next_seq, ack_diff); \
1006 #define StreamTcpUpdateNextSeq(ssn, stream, seq) { \
1007 (stream)->next_seq = seq; \
1008 SCLogDebug("ssn %p: next_seq %" PRIu32, (ssn), (stream)->next_seq); \
1009 StreamTcpAsyncLastAckUpdate((ssn), (stream)); \
1019 #define StreamTcpUpdateNextWin(ssn, stream, win) { \
1020 uint32_t sacked_size__ = StreamTcpSackedSize((stream)); \
1021 if (SEQ_GT(((win) + sacked_size__), (stream)->next_win)) { \
1022 (stream)->next_win = ((win) + sacked_size__); \
1023 SCLogDebug("ssn %p: next_win set to %"PRIu32, (ssn), (stream)->next_win); \
1031 SCLogDebug(
"ssn %p: (state: %s) Reset received and state changed to "
1035 static bool IsMidstreamExceptionPolicyStatsValid(
enum ExceptionPolicy policy)
1049 static void StreamTcpMidstreamExceptionPolicyStatsIncr(
1058 static int StreamTcpPacketIsRetransmission(
TcpStream *stream,
Packet *p)
1063 const TCPHdr *tcph = PacketGetTCP(p);
1101 static int StreamTcpPacketStateNone(
1104 const TCPHdr *tcph = PacketGetTCP(p);
1107 SCLogDebug(
"RST packet received, no session setup");
1117 SCLogDebug(
"FIN packet received, no session setup");
1123 SCLogDebug(
"FIN packet received, no session setup");
1140 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1172 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
", "
1173 "ssn->server.next_win %" PRIu32
"",
1175 SCLogDebug(
"ssn %p: ssn->client.last_ack %" PRIu32
", "
1176 "ssn->server.last_ack %" PRIu32
"",
1184 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1185 "ssn->client.last_ts %" PRIu32
"",
1204 SCLogDebug(
"ssn %p: assuming SACK permitted for both sides", ssn);
1213 SCLogDebug(
"Midstream not enabled, so won't pick up a session");
1218 SCLogDebug(
"Midstream policy not permissive, so won't pick up a session");
1241 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1242 "TCP_SYN_RECV", ssn);
1273 SCLogDebug(
"ssn %p: wscale enabled. client %u server %u",
1277 SCLogDebug(
"ssn %p: ssn->client.isn %"PRIu32
", ssn->client.next_seq"
1278 " %"PRIu32
", ssn->client.last_ack %"PRIu32
"", ssn,
1281 SCLogDebug(
"ssn %p: ssn->server.isn %"PRIu32
", ssn->server.next_seq"
1282 " %"PRIu32
", ssn->server.last_ack %"PRIu32
"", ssn,
1291 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1292 "ssn->client.last_ts %" PRIu32
"", ssn,
1310 SCLogDebug(
"ssn %p: SYN/ACK with SACK permitted, assuming "
1311 "SACK permitted for both sides", ssn);
1329 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_SYN_SENT", ssn);
1362 SCLogDebug(
"ssn %p: SACK permitted on SYN packet", ssn);
1369 SCLogDebug(
"ssn: %p (TFO) isn %u base_seq %u next_seq %u payload len %u", ssn,
1376 SCLogDebug(
"ssn %p: ssn->client.isn %" PRIu32
", "
1377 "ssn->client.next_seq %" PRIu32
", ssn->client.last_ack "
1387 SCLogDebug(
"Midstream not enabled, so won't pick up a session");
1392 SCLogDebug(
"Midstream policy not permissive, so won't pick up a session");
1409 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1410 "TCP_ESTABLISHED", ssn);
1431 SCLogDebug(
"ssn %p: ssn->client.isn %u, ssn->client.next_seq %u",
1440 SCLogDebug(
"ssn %p: ssn->client.next_win %"PRIu32
", "
1441 "ssn->server.next_win %"PRIu32
"", ssn,
1443 SCLogDebug(
"ssn %p: ssn->client.last_ack %"PRIu32
", "
1444 "ssn->server.last_ack %"PRIu32
"", ssn,
1452 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1453 "ssn->client.last_ts %" PRIu32
"", ssn,
1472 SCLogDebug(
"ssn %p: assuming SACK permitted for both sides", ssn);
1486 const TCPHdr *tcph = PacketGetTCP(p);
1516 StreamTcp3whsSynAckToStateQueue(p, &search);
1524 search.
ts == q->
ts) {
1537 if (StreamTcp3whsFindSynAckBySynAck(ssn, p) != NULL)
1541 SCLogDebug(
"ssn %p: =~ SYN/ACK queue limit reached", ssn);
1547 SCLogDebug(
"ssn %p: =~ SYN/ACK queue failed: stream memcap reached", ssn);
1553 SCLogDebug(
"ssn %p: =~ SYN/ACK queue failed: alloc failed", ssn);
1558 StreamTcp3whsSynAckToStateQueue(p, q);
1572 const TCPHdr *tcph = PacketGetTCP(p);
1607 StreamTcp3whsSynAckToStateQueue(p, &update);
1614 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_SYN_RECV", ssn);
1630 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1631 "ssn->client.last_ts %" PRIu32
"", ssn,
1659 SCLogDebug(
"ssn %p: SACK permitted for session", ssn);
1666 SCLogDebug(
"ssn %p: ssn->server.next_win %" PRIu32
"", ssn,
1668 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
"", ssn,
1670 SCLogDebug(
"ssn %p: ssn->server.isn %" PRIu32
", "
1671 "ssn->server.next_seq %" PRIu32
", "
1672 "ssn->server.last_ack %" PRIu32
" "
1673 "(ssn->client.last_ack %" PRIu32
")", ssn,
1680 SCLogDebug(
"ssn %p: STREAMTCP_FLAG_4WHS unset, normal SYN/ACK"
1681 " so considering 3WHS", ssn);
1692 static inline bool StateSynSentValidateTimestamp(
TcpSession *ssn,
Packet *p)
1702 if (receiver_stream->
last_ts != 0 && ts_echo != 0 &&
1703 ts_echo != receiver_stream->
last_ts)
1705 SCLogDebug(
"ssn %p: BAD TSECR echo %u recv %u", ssn,
1706 ts_echo, receiver_stream->
last_ts);
1710 if (receiver_stream->
last_ts == 0 && ts_echo != 0) {
1711 SCLogDebug(
"ssn %p: BAD TSECR echo %u recv %u", ssn,
1712 ts_echo, receiver_stream->
last_ts);
1722 memset(q, 0,
sizeof(*q));
1742 SCLogDebug(
"ssn %p: state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq, q->
win,
1748 #if defined(DEBUG_VALIDATION) || defined(DEBUG)
1752 memset(q, 0,
sizeof(*q));
1753 const TCPHdr *tcph = PacketGetTCP(p);
1771 SCLogDebug(
"ssn %p: state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq, q->
win,
1778 #if defined(DEBUG_VALIDATION) || defined(DEBUG)
1785 memset(q, 0,
sizeof(*q));
1787 const TCPHdr *tcph = PacketGetTCP(p);
1804 SCLogDebug(
"ssn %p: state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq, q->
win,
1814 SCLogDebug(
"ssn %p: search state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, s, s->
seq, s->
win,
1818 SCLogDebug(
"ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq,
1832 TcpStateQueueInitFromSsnSyn(ssn, &search);
1835 if (ssn->
queue != NULL && StreamTcp3whsFindSyn(ssn, &search) != NULL)
1839 SCLogDebug(
"ssn %p: =~ SYN queue limit reached", ssn);
1845 SCLogDebug(
"ssn %p: =~ SYN queue failed: stream memcap reached", ssn);
1851 SCLogDebug(
"ssn %p: =~ SYN queue failed: alloc failed", ssn);
1898 static int StreamTcpPacketStateSynSent(
1902 const TCPHdr *tcph = PacketGetTCP(p);
1908 SCLogDebug(
"ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64, ssn, p->
pcap_cnt);
1915 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
1916 "%" PRIu32
" from stream",
1922 SCLogDebug(
"ssn %p: (TFO) ACK matches next_seq, packet ACK %" PRIu32
" == "
1923 "%" PRIu32
" from stream",
1926 SCLogDebug(
"ssn %p: (TFO) ACK matches ISN+1, packet ACK %" PRIu32
" == "
1927 "%" PRIu32
" from stream",
1935 SCLogDebug(
"ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32
" != "
1936 "%" PRIu32
" from stream",
1944 const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p);
1949 TcpStateQueueInitFromPktSynAck(p, &search);
1951 const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search);
1957 SCLogDebug(
"ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u",
1961 StreamTcp3whsStoreSynApplyToSsn(ssn, q);
1971 StreamTcp3wsFreeQueue(ssn);
1973 StreamTcp3whsSynAckUpdate(ssn, p, NULL);
1980 SCLogDebug(
"ssn %p: SYN/ACK received in the wrong direction", ssn);
1984 SCLogDebug(
"ssn %p: SYN/ACK received on 4WHS session", ssn);
1991 SCLogDebug(
"ssn %p: 4WHS ACK mismatch, packet ACK %" PRIu32
""
1992 " != %" PRIu32
" from stream",
2002 SCLogDebug(
"ssn %p: 4WHS SEQ mismatch, packet SEQ %" PRIu32
""
2003 " != %" PRIu32
" from *first* SYN pkt",
2010 SCLogDebug(
"ssn %p: =~ 4WHS ssn state is now TCP_SYN_RECV", ssn);
2024 SCLogDebug(
"ssn %p: 4WHS ssn->client.last_ts %" PRIu32
" "
2025 "ssn->server.last_ts %" PRIu32
"",
2050 SCLogDebug(
"ssn %p: SACK permitted for 4WHS session", ssn);
2057 SCLogDebug(
"ssn %p: 4WHS ssn->client.isn %" PRIu32
", "
2058 "ssn->client.next_seq %" PRIu32
", "
2059 "ssn->client.last_ack %" PRIu32
" "
2060 "(ssn->server.last_ack %" PRIu32
")",
2069 if (StateSynSentValidateTimestamp(ssn, p) ==
false) {
2077 if (!StreamTcpValidateRst(ssn, p))
2084 SCLogDebug(
"ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
2086 StreamTcpCloseSsnWithReset(p, ssn);
2087 StreamTcp3wsFreeQueue(ssn);
2091 SCLogDebug(
"ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
2092 StreamTcpCloseSsnWithReset(p, ssn);
2093 StreamTcp3wsFreeQueue(ssn);
2101 SCLogDebug(
"ssn %p: SYN packet on state SYN_SENT... resent", ssn);
2103 SCLogDebug(
"ssn %p: SYN packet on state SYN_SENT... resent of "
2116 SCLogDebug(
"ssn %p: STREAMTCP_FLAG_4WHS flag set", ssn);
2153 SCLogDebug(
"ssn %p: 4WHS ssn->server.isn %" PRIu32
", "
2154 "ssn->server.next_seq %" PRIu32
", "
2155 "ssn->server.last_ack %"PRIu32
"", ssn,
2158 SCLogDebug(
"ssn %p: 4WHS ssn->client.isn %" PRIu32
", "
2159 "ssn->client.next_seq %" PRIu32
", "
2160 "ssn->client.last_ack %"PRIu32
"", ssn,
2169 TcpStateQueueInitFromPktSyn(p, &syn_pkt);
2170 TcpStateQueueInitFromSsnSyn(ssn, &syn_ssn);
2172 if (memcmp(&syn_pkt, &syn_ssn,
sizeof(
TcpStateQueue)) != 0) {
2174 StreamTcp3whsStoreSyn(ssn, p);
2175 SCLogDebug(
"ssn %p: Retransmitted SYN. Updating ssn from packet %" PRIu64
2176 ". Stored previous state",
2179 StreamTcp3whsStoreSynApplyToSsn(ssn, &syn_pkt);
2195 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
2196 "%" PRIu32
" from stream",
2203 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2204 StreamTcp3wsFreeQueue(ssn);
2217 SCLogDebug(
"ssn %p: synsent => Asynchronous stream, packet SEQ"
2218 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2219 "ssn->client.next_seq %" PRIu32
"",
2268 static int StreamTcpPacketStateSynRecv(
2272 const TCPHdr *tcph = PacketGetTCP(p);
2275 if (!StreamTcpValidateRst(ssn, p))
2292 SCLogDebug(
"Detection evasion has been attempted, so"
2293 " not resetting the connection !!");
2301 SCLogDebug(
"Detection evasion has been attempted, so"
2302 " not resetting the connection !!");
2308 StreamTcpCloseSsnWithReset(p, ssn);
2311 StreamTcpHandleTimestamp(ssn, p);
2318 if (!StreamTcpValidateTimestamp(ssn, p))
2322 if ((StreamTcpHandleFin(
tv, stt, ssn, p)) == -1)
2327 SCLogDebug(
"ssn %p: SYN/ACK packet on state SYN_RECV. resent", ssn);
2330 SCLogDebug(
"ssn %p: SYN/ACK-pkt to server in SYN_RECV state", ssn);
2339 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
2340 "%" PRIu32
" from stream",
2350 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
2351 "%" PRIu32
" from stream",
2354 if (StreamTcp3whsQueueSynAck(ssn, p) == -1)
2356 SCLogDebug(
"ssn %p: queued different SYN/ACK", ssn);
2360 SCLogDebug(
"ssn %p: SYN packet on state SYN_RECV... resent", ssn);
2363 SCLogDebug(
"ssn %p: SYN-pkt to client in SYN_RECV state", ssn);
2370 SCLogDebug(
"ssn %p: SYN with different SEQ on SYN_RECV state", ssn);
2378 SCLogDebug(
"ssn %p: checking ACK against queued SYN/ACKs", ssn);
2381 SCLogDebug(
"ssn %p: here we update state against queued SYN/ACK", ssn);
2382 StreamTcp3whsSynAckUpdate(ssn, p, q);
2384 SCLogDebug(
"ssn %p: none found, now checking ACK against original SYN/ACK (state)", ssn);
2394 if (!(StreamTcpValidateTimestamp(ssn, p))) {
2400 SCLogDebug(
"ssn %p: ACK received on 4WHS session",ssn);
2403 SCLogDebug(
"ssn %p: 4WHS wrong seq nr on packet", ssn);
2408 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
2409 SCLogDebug(
"ssn %p: 4WHS invalid ack nr on packet", ssn);
2415 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
2416 "%" PRIu32
", ACK %" PRIu32
"",
2420 StreamTcpHandleTimestamp(ssn, p);
2429 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2433 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
", "
2434 "ssn->client.last_ack %"PRIu32
"", ssn,
2439 bool ack_indicates_missed_3whs_ack_packet =
false;
2449 SCLogDebug(
"ssn %p: ACK received on midstream SYN/ACK "
2450 "pickup session",ssn);
2453 SCLogDebug(
"ssn %p: ACK received on TFO session",ssn);
2470 SCLogDebug(
"ssn %p: possible data injection", ssn);
2475 SCLogDebug(
"ssn %p: ACK received in the wrong direction",
2480 ack_indicates_missed_3whs_ack_packet =
true;
2484 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ %" PRIu32
""
2485 ", ACK %" PRIu32
"",
2497 StreamTcpHandleTimestamp(ssn, p);
2521 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2539 StreamTcpHandleTimestamp(ssn, p);
2552 SCLogDebug(
"ssn %p: synrecv => Asynchronous stream, packet SEQ"
2553 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2554 "ssn->server.next_seq %" PRIu32,
2559 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2568 SCLogDebug(
"ssn %p: wrong ack nr on packet, possible evasion!!",
2578 SCLogDebug(
"ssn %p: ACK for missing data", ssn);
2581 StreamTcpHandleTimestamp(ssn, p);
2587 SCLogDebug(
"ssn %p: ACK for missing data: ssn->server.next_seq %u", ssn,
2597 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2606 SCLogDebug(
"ssn %p: ACK for missing data", ssn);
2609 StreamTcpHandleTimestamp(ssn, p);
2631 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2636 }
else if ((ack_indicates_missed_3whs_ack_packet ||
2640 if (ack_indicates_missed_3whs_ack_packet) {
2641 SCLogDebug(
"ssn %p: packet fits perfectly after a missed 3whs-ACK", ssn);
2643 SCLogDebug(
"ssn %p: (TFO) expected packet fits perfectly after SYN/ACK", ssn);
2652 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2657 SCLogDebug(
"ssn %p: wrong seq nr on packet", ssn);
2663 SCLogDebug(
"ssn %p: ssn->server.next_win %" PRIu32
", "
2664 "ssn->server.last_ack %"PRIu32
"", ssn,
2686 static int HandleEstablishedPacketToServer(
2689 const TCPHdr *tcph = PacketGetTCP(p);
2694 SCLogDebug(
"ssn %p: =+ pkt (%" PRIu32
") is to server: SEQ %" PRIu32
","
2695 "ACK %" PRIu32
", WIN %" PRIu16
"",
2701 SCLogDebug(
"ssn %p: accepting ACK as it ACKs the one byte from the ZWP", ssn);
2704 }
else if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
2705 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2713 SCLogDebug(
"ssn %p: pkt is keep alive", ssn);
2718 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ"
2719 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2720 " ssn->client.last_ack %" PRIu32
", ssn->client.next_win"
2721 "%" PRIu32
"(%" PRIu32
")",
2731 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ."
2732 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2733 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2734 "%" PRIu32
"(%" PRIu32
")",
2746 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ"
2747 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2748 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2749 "%" PRIu32
"(%" PRIu32
")",
2764 SCLogDebug(
"ssn %p: PKT SEQ %" PRIu32
" payload_len %" PRIu16
2765 " before last_ack %" PRIu32
", after next_seq %" PRIu32
":"
2766 " acked data that we haven't seen before",
2769 SCLogDebug(
"ssn %p: server => SEQ before last_ack, packet SEQ"
2770 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2771 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2772 "%" PRIu32
"(%" PRIu32
")",
2776 SCLogDebug(
"ssn %p: rejecting because pkt before last_ack", ssn);
2782 int zerowindowprobe = 0;
2785 SCLogDebug(
"ssn %p: zero window probe", ssn);
2786 zerowindowprobe = 1;
2796 if (zerowindowprobe) {
2797 SCLogDebug(
"ssn %p: zero window probe, skipping oow check", ssn);
2800 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->client.next_win "
2805 SCLogDebug(
"ssn %p: ssn->server.window %"PRIu32
"", ssn,
2822 StreamTcpHandleTimestamp(ssn, p);
2834 SCLogDebug(
"ssn %p: toserver => SEQ out of window, packet SEQ "
2835 "%" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2836 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2837 "%" PRIu32
"(%" PRIu32
")",
2841 StreamTcpSackedSize(&ssn->
client));
2861 static int HandleEstablishedPacketToClient(
2864 const TCPHdr *tcph = PacketGetTCP(p);
2869 SCLogDebug(
"ssn %p: =+ pkt (%" PRIu32
") is to client: SEQ %" PRIu32
","
2870 " ACK %" PRIu32
", WIN %" PRIu16
"",
2876 SCLogDebug(
"ssn %p: accepting ACK as it ACKs the one byte from the ZWP", ssn);
2879 }
else if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
2880 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2894 SCLogDebug(
"ssn %p: adjusted midstream ssn->server.next_win to "
2900 SCLogDebug(
"ssn %p: pkt is keep alive", ssn);
2906 SCLogDebug(
"ssn %p: client => Asynchronous stream, packet SEQ"
2907 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2908 " ssn->client.last_ack %" PRIu32
", ssn->client.next_win"
2909 " %" PRIu32
"(%" PRIu32
")",
2920 SCLogDebug(
"ssn %p: PKT SEQ %" PRIu32
" payload_len %" PRIu16
2921 " before last_ack %" PRIu32
", after next_seq %" PRIu32
":"
2922 " acked data that we haven't seen before",
2925 SCLogDebug(
"ssn %p: PKT SEQ %" PRIu32
" payload_len %" PRIu16
2926 " before last_ack %" PRIu32
". next_seq %" PRIu32,
2933 int zerowindowprobe = 0;
2936 SCLogDebug(
"ssn %p: zero window probe", ssn);
2937 zerowindowprobe = 1;
2948 if (zerowindowprobe) {
2949 SCLogDebug(
"ssn %p: zero window probe, skipping oow check", ssn);
2952 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->server.next_win "
2956 SCLogDebug(
"ssn %p: ssn->client.window %"PRIu32
"", ssn,
2969 StreamTcpHandleTimestamp(ssn, p);
2978 SCLogDebug(
"ssn %p: client => SEQ out of window, packet SEQ"
2979 "%" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2980 " ssn->server.last_ack %" PRIu32
", ssn->server.next_win "
2981 "%" PRIu32
"(%" PRIu32
")",
3002 static inline uint32_t StreamTcpResetGetMaxAck(
TcpStream *stream, uint32_t
seq)
3008 if (
SEQ_GT(tail_seq, ack)) {
3016 static bool StreamTcpPacketIsZeroWindowProbeAck(
const TcpSession *ssn,
const Packet *p)
3018 const TCPHdr *tcph = PacketGetTCP(p);
3042 if (pkt_win != rcv->
window)
3049 SCLogDebug(
"ssn %p: packet %" PRIu64
" is a Zero Window Probe ACK", ssn, p->
pcap_cnt);
3056 static bool StreamTcpPacketIsDupAck(
const TcpSession *ssn,
const Packet *p)
3058 const TCPHdr *tcph = PacketGetTCP(p);
3076 if (pkt_win == 0 || rcv->
window == 0)
3078 if (pkt_win != rcv->
window)
3086 SCLogDebug(
"ssn %p: packet:%" PRIu64
" seq:%u ack:%u win:%u snd %u:%u:%u rcv %u:%u:%u", ssn,
3110 const TCPHdr *tcph = PacketGetTCP(p);
3161 static int StreamTcpPacketIsSpuriousRetransmission(
const TcpSession *ssn,
Packet *p)
3172 const TCPHdr *tcph = PacketGetTCP(p);
3178 "ssn %p: spurious retransmission; packet entirely before base_seq: SEQ %u(%u) "
3179 "last_ack %u base_seq %u",
3188 SCLogDebug(
"ssn %p: spurious retransmission; packet entirely before last_ack: SEQ %u(%u) "
3196 SCLogDebug(
"ssn %p: NOT spurious retransmission; packet NOT entirely before last_ack: SEQ "
3197 "%u(%u) last_ack %u, base_seq %u",
3214 static int StreamTcpPacketStateEstablished(
3218 const TCPHdr *tcph = PacketGetTCP(p);
3224 if (!StreamTcpValidateRst(ssn, p))
3228 StreamTcpCloseSsnWithReset(p, ssn);
3232 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
3238 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, window));
3243 StreamTcpHandleTimestamp(ssn, p);
3247 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3255 StreamTcpCloseSsnWithReset(p, ssn);
3260 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
3266 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
3271 StreamTcpHandleTimestamp(ssn, p);
3275 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3286 if (!StreamTcpValidateTimestamp(ssn, p))
3291 " %" PRIu32
", last ACK %" PRIu32
", next win %"PRIu32
","
3296 if ((StreamTcpHandleFin(
tv, stt, ssn, p)) == -1)
3301 SCLogDebug(
"ssn %p: SYN/ACK packet on state ESTABLISHED... resent",
3305 SCLogDebug(
"ssn %p: SYN/ACK-pkt to server in ESTABLISHED state", ssn);
3314 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
3315 "%" PRIu32
" from stream",
3325 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
3326 "%" PRIu32
" from stream",
3339 SCLogDebug(
"ssn %p: SYN/ACK packet on state ESTABLISHED... resent. "
3340 "Likely due server not receiving final ACK in 3whs", ssn);
3344 SCLogDebug(
"ssn %p: SYN packet on state ESTABLISHED... resent", ssn);
3346 SCLogDebug(
"ssn %p: SYN-pkt to client in EST state", ssn);
3353 SCLogDebug(
"ssn %p: SYN with different SEQ on SYN_RECV state", ssn);
3374 if (!StreamTcpValidateTimestamp(ssn, p))
3380 HandleEstablishedPacketToServer(
tv, ssn, p, stt);
3382 SCLogDebug(
"ssn %p: next SEQ %" PRIu32
", last ACK %" PRIu32
","
3383 " next win %" PRIu32
", win %" PRIu32
"", ssn,
3390 SCLogDebug(
"3whs is now confirmed by server");
3394 HandleEstablishedPacketToClient(
tv, ssn, p, stt);
3396 SCLogDebug(
"ssn %p: next SEQ %" PRIu32
", last ACK %" PRIu32
","
3397 " next win %" PRIu32
", win %" PRIu32
"", ssn,
3422 const TCPHdr *tcph = PacketGetTCP(p);
3428 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ %" PRIu32
","
3432 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3433 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3439 SCLogDebug(
"ssn %p: -> SEQ %u, re %u. last_ack %u next_win %u", ssn,
seq, pkt_re,
3444 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
" != "
3445 "%" PRIu32
" from stream",
3458 SCLogDebug(
"ssn %p: state changed to TCP_CLOSE_WAIT", ssn);
3463 SCLogDebug(
"ssn %p: ssn->client.next_seq %" PRIu32
"", ssn,
3468 StreamTcpHandleTimestamp(ssn, p);
3481 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK %" PRIu32
"",
3484 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ %" PRIu32
", "
3488 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3489 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3495 SCLogDebug(
"ssn %p: -> SEQ %u, re %u. last_ack %u next_win %u", ssn,
seq, pkt_re,
3500 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
" != "
3501 "%" PRIu32
" from stream (last_ack %u win %u = %u)",
3510 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT1", ssn);
3519 StreamTcpHandleTimestamp(ssn, p);
3532 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK %" PRIu32
"",
3552 static int StreamTcpPacketStateFinWait1(
3556 const TCPHdr *tcph = PacketGetTCP(p);
3562 if (!StreamTcpValidateRst(ssn, p))
3565 StreamTcpCloseSsnWithReset(p, ssn);
3570 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, ack));
3575 StreamTcpHandleTimestamp(ssn, p);
3582 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
3587 StreamTcpHandleTimestamp(ssn, p);
3595 if (!StreamTcpValidateTimestamp(ssn, p))
3600 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3601 "%" PRIu32
", ACK %" PRIu32
"",
3603 int retransmission = 0;
3605 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3606 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3612 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3613 " != %" PRIu32
" from stream",
3619 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3620 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3625 if (!retransmission) {
3627 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3633 StreamTcpHandleTimestamp(ssn, p);
3649 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3653 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3654 "%" PRIu32
", ACK %" PRIu32
"",
3656 int retransmission = 0;
3658 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3659 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3664 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3670 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3671 " != %" PRIu32
" from stream",
3677 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3678 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3684 StreamTcpHandleTimestamp(ssn, p);
3687 if (!retransmission) {
3689 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3707 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3714 if (!StreamTcpValidateTimestamp(ssn, p))
3719 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3720 "%" PRIu32
", ACK %" PRIu32
"",
3722 int retransmission = 0;
3724 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3725 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3731 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3732 " != %" PRIu32
" from stream",
3738 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3739 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3744 if (!retransmission) {
3746 SCLogDebug(
"ssn %p: state changed to TCP_CLOSING", ssn);
3752 StreamTcpHandleTimestamp(ssn, p);
3769 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3773 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3774 "%" PRIu32
", ACK %" PRIu32
"",
3777 int retransmission = 0;
3779 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3780 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3786 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3787 " != %" PRIu32
" from stream",
3793 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3794 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3799 if (!retransmission) {
3801 SCLogDebug(
"ssn %p: state changed to TCP_CLOSING", ssn);
3807 StreamTcpHandleTimestamp(ssn, p);
3824 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3829 SCLogDebug(
"ssn (%p): SYN pkt on FinWait1", ssn);
3835 if (!StreamTcpValidateTimestamp(ssn, p))
3840 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3841 "%" PRIu32
", ACK %" PRIu32
"",
3843 int retransmission = 0;
3845 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3846 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3851 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3852 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3859 "ssn %p: ACK's older segment as %u < %u", ssn, ack, ssn->
server.
next_seq);
3860 }
else if (!retransmission) {
3864 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->client.next_win "
3870 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT2", ssn);
3873 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3874 " != %" PRIu32
" from stream",
3886 StreamTcpHandleTimestamp(ssn, p);
3907 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3913 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3914 "%" PRIu32
", ACK %" PRIu32
"",
3917 int retransmission = 0;
3919 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3920 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3925 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3926 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3931 if (!retransmission) {
3934 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->server.next_win "
3940 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT2", ssn);
3943 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3944 " != %" PRIu32
" from stream",
3954 StreamTcpHandleTimestamp(ssn, p);
3975 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3996 static int StreamTcpPacketStateFinWait2(
4000 const TCPHdr *tcph = PacketGetTCP(p);
4006 if (!StreamTcpValidateRst(ssn, p))
4009 StreamTcpCloseSsnWithReset(p, ssn);
4014 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, ack));
4019 StreamTcpHandleTimestamp(ssn, p);
4026 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
4031 StreamTcpHandleTimestamp(ssn, p);
4039 if (!StreamTcpValidateTimestamp(ssn, p))
4044 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4045 "%" PRIu32
", ACK %" PRIu32
"",
4047 int retransmission = 0;
4053 }
else if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4054 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4060 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ "
4061 "%" PRIu32
" != %" PRIu32
" from stream",
4067 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4068 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4073 if (!retransmission) {
4075 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4085 StreamTcpHandleTimestamp(ssn, p);
4098 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4102 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4103 "%" PRIu32
", ACK %" PRIu32
"",
4105 int retransmission = 0;
4111 }
else if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4112 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4118 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ "
4119 "%" PRIu32
" != %" PRIu32
" from stream",
4125 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4126 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4131 if (!retransmission) {
4133 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4139 StreamTcpHandleTimestamp(ssn, p);
4151 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4157 SCLogDebug(
"ssn (%p): SYN pkt on FinWait2", ssn);
4163 if (!StreamTcpValidateTimestamp(ssn, p))
4168 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4169 "%" PRIu32
", ACK %" PRIu32
"",
4171 int retransmission = 0;
4173 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4174 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4179 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4180 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4185 if (!retransmission) {
4188 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->client.next_win "
4193 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4194 " != %" PRIu32
" from stream",
4204 StreamTcpHandleTimestamp(ssn, p);
4220 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4224 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4225 "%" PRIu32
", ACK %" PRIu32
"",
4227 int retransmission = 0;
4229 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4230 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4235 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4236 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4241 if (!retransmission) {
4244 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->server.next_win "
4248 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4249 " != %" PRIu32
" from stream",
4259 StreamTcpHandleTimestamp(ssn, p);
4275 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4296 static int StreamTcpPacketStateClosing(
4300 const TCPHdr *tcph = PacketGetTCP(p);
4306 if (!StreamTcpValidateRst(ssn, p))
4309 StreamTcpCloseSsnWithReset(p, ssn);
4314 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, ack));
4319 StreamTcpHandleTimestamp(ssn, p);
4326 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
4331 StreamTcpHandleTimestamp(ssn, p);
4338 SCLogDebug(
"ssn (%p): SYN pkt on Closing", ssn);
4344 if (!StreamTcpValidateTimestamp(ssn, p))
4349 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4350 "%" PRIu32
", ACK %" PRIu32
"",
4352 int retransmission = 0;
4353 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4354 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4360 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4361 " != %" PRIu32
" from stream",
4367 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4368 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4373 if (!retransmission) {
4375 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4381 StreamTcpHandleTimestamp(ssn, p);
4391 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4395 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4396 "%" PRIu32
", ACK %" PRIu32
"",
4398 int retransmission = 0;
4399 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4400 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4406 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4407 " != %" PRIu32
" from stream",
4413 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4414 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4419 if (!retransmission) {
4421 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4427 StreamTcpHandleTimestamp(ssn, p);
4438 SCLogDebug(
"StreamTcpPacketStateClosing (%p): =+ next SEQ "
4439 "%" PRIu32
", last ACK %" PRIu32
"", ssn,
4459 static int StreamTcpPacketStateCloseWait(
4463 const TCPHdr *tcph = PacketGetTCP(p);
4471 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4472 "%" PRIu32
", ACK %" PRIu32
"",
4475 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4476 "%" PRIu32
", ACK %" PRIu32
"",
4481 if (!StreamTcpValidateRst(ssn, p))
4484 StreamTcpCloseSsnWithReset(p, ssn);
4489 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, ack));
4494 StreamTcpHandleTimestamp(ssn, p);
4501 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
4506 StreamTcpHandleTimestamp(ssn, p);
4514 if (!StreamTcpValidateTimestamp(ssn, p))
4519 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4520 "%" PRIu32
", ACK %" PRIu32
"",
4523 int retransmission = 0;
4524 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4525 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4530 if (!retransmission) {
4533 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4534 " != %" PRIu32
" from stream",
4541 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4542 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4549 if (!retransmission)
4553 StreamTcpHandleTimestamp(ssn, p);
4565 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4569 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4570 "%" PRIu32
", ACK %" PRIu32
"",
4573 int retransmission = 0;
4574 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4575 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4580 if (!retransmission) {
4583 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4584 " != %" PRIu32
" from stream",
4591 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4592 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4597 if (!retransmission) {
4599 SCLogDebug(
"ssn %p: state changed to TCP_LAST_ACK", ssn);
4605 StreamTcpHandleTimestamp(ssn, p);
4617 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4623 SCLogDebug(
"ssn (%p): SYN pkt on CloseWait", ssn);
4629 if (!StreamTcpValidateTimestamp(ssn, p))
4634 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4635 "%" PRIu32
", ACK %" PRIu32
"",
4638 int retransmission = 0;
4639 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4640 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4646 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4651 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4652 " != %" PRIu32
" from stream",
4658 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4659 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4664 if (!retransmission) {
4669 StreamTcpHandleTimestamp(ssn, p);
4683 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4687 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4688 "%" PRIu32
", ACK %" PRIu32
"",
4690 int retransmission = 0;
4691 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4692 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4698 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4703 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4704 " != %" PRIu32
" from stream",
4710 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4711 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4716 if (!retransmission) {
4721 StreamTcpHandleTimestamp(ssn, p);
4735 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4756 static int StreamTcpPacketStateLastAck(
4760 const TCPHdr *tcph = PacketGetTCP(p);
4766 if (!StreamTcpValidateRst(ssn, p))
4769 StreamTcpCloseSsnWithReset(p, ssn);
4774 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, ack));
4779 StreamTcpHandleTimestamp(ssn, p);
4786 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
4791 StreamTcpHandleTimestamp(ssn, p);
4799 SCLogDebug(
"ssn (%p): FIN pkt on LastAck", ssn);
4802 SCLogDebug(
"ssn (%p): SYN pkt on LastAck", ssn);
4808 if (!StreamTcpValidateTimestamp(ssn, p))
4813 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4814 "%" PRIu32
", ACK %" PRIu32
"",
4817 int retransmission = 0;
4818 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4819 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4824 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4825 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4830 if (!retransmission) {
4832 SCLogDebug(
"ssn %p: not updating state as packet is before next_seq", ssn);
4834 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4835 " != %" PRIu32
" from stream",
4841 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
4847 StreamTcpHandleTimestamp(ssn, p);
4858 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4879 static int StreamTcpPacketStateTimeWait(
4883 const TCPHdr *tcph = PacketGetTCP(p);
4889 if (!StreamTcpValidateRst(ssn, p))
4892 StreamTcpCloseSsnWithReset(p, ssn);
4897 ssn, &ssn->
server, StreamTcpResetGetMaxAck(&ssn->
server, ack));
4902 StreamTcpHandleTimestamp(ssn, p);
4909 ssn, &ssn->
client, StreamTcpResetGetMaxAck(&ssn->
client, ack));
4914 StreamTcpHandleTimestamp(ssn, p);
4924 SCLogDebug(
"ssn (%p): SYN pkt on TimeWait", ssn);
4930 if (!StreamTcpValidateTimestamp(ssn, p))
4935 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4936 "%" PRIu32
", ACK %" PRIu32
"",
4938 int retransmission = 0;
4939 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4940 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4945 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4946 " != %" PRIu32
" from stream",
4952 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4953 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4958 if (!retransmission) {
4960 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
4966 StreamTcpHandleTimestamp(ssn, p);
4977 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4981 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4982 "%" PRIu32
", ACK %" PRIu32
"",
4984 int retransmission = 0;
4985 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4986 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4991 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4994 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4995 " != %" PRIu32
" from stream",
5002 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
5003 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
5008 if (!retransmission) {
5010 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
5016 StreamTcpHandleTimestamp(ssn, p);
5027 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
5039 static int StreamTcpPacketStateClosed(
5044 const TCPHdr *tcph = PacketGetTCP(p);
5050 TcpStream *stream = NULL, *ostream = NULL;
5067 if (StreamTcpStateDispatch(
tv, p, stt, ssn, ssn->
pstate) < 0)
5082 const TCPHdr *tcph = PacketGetTCP(p);
5096 SCLogDebug(
"regular packet %"PRIu64
" from same sender as "
5097 "the previous RST. Looks like it injected!", p->
pcap_cnt);
5123 const TCPHdr *tcph = PacketGetTCP(p);
5128 TcpStream *stream = NULL, *ostream = NULL;
5139 if (ack == ostream->last_ack &&
seq == (stream->
next_seq - 1)) {
5155 TcpStream *stream = NULL, *ostream = NULL;
5166 const TCPHdr *tcph = PacketGetTCP(p);
5185 if (pkt_win != ostream->window)
5194 SCLogDebug(
"seq %u (%u), ack %u (%u) FLAG_KEEPALIVE: %s",
seq, stream->
next_seq, ack, ostream->last_ack,
5224 TcpStream *stream = NULL, *ostream = NULL;
5238 const TCPHdr *tcph = PacketGetTCP(p);
5257 if (pkt_win == ostream->window)
5260 if (ack == ostream->last_ack &&
seq == stream->
next_seq) {
5275 TcpStream *stream = NULL, *ostream = NULL;
5283 const TCPHdr *tcph = PacketGetTCP(p);
5300 SCLogDebug(
"%"PRIu64
", seq %u ack %u stream->next_seq %u ostream->next_seq %u",
5328 TcpStream *stream = NULL, *ostream = NULL;
5339 const TCPHdr *tcph = PacketGetTCP(p);
5355 if (pkt_win < ostream->window) {
5356 uint32_t diff = ostream->window - pkt_win;
5358 SEQ_GT(ack, ostream->next_seq) &&
5361 SCLogDebug(
"%"PRIu64
", pkt_win %u, stream win %u, diff %u, dsize %u",
5363 SCLogDebug(
"%"PRIu64
", pkt_win %u, stream win %u",
5364 p->
pcap_cnt, pkt_win, ostream->window);
5365 SCLogDebug(
"%"PRIu64
", seq %u ack %u ostream->next_seq %u ostream->last_ack %u, ostream->next_win %u, diff %u (%u)",
5366 p->
pcap_cnt,
seq, ack, ostream->next_seq, ostream->last_ack, ostream->next_win,
5367 ostream->next_seq - ostream->last_ack, stream->
next_seq - stream->
last_ack);
5374 uint32_t adiff = ack - ostream->last_ack;
5375 if (((pkt_win > 1024) && (diff > (adiff + 32))) ||
5376 ((pkt_win <= 1024) && (diff > adiff)))
5378 SCLogDebug(
"pkt ACK %u is %u bytes beyond last_ack %u, shrinks window by %u "
5379 "(allowing 32 bytes extra): pkt WIN %u", ack, adiff, ostream->last_ack, diff, pkt_win);
5380 SCLogDebug(
"%u - %u = %u (state %u)", diff, adiff, diff - adiff, ssn->
state);
5395 static inline int StreamTcpStateDispatch(
5403 SCLogDebug(
"packet received on TCP_SYN_SENT state");
5404 if (StreamTcpPacketStateSynSent(
tv, p, stt, ssn)) {
5409 SCLogDebug(
"packet received on TCP_SYN_RECV state");
5410 if (StreamTcpPacketStateSynRecv(
tv, p, stt, ssn)) {
5415 SCLogDebug(
"packet received on TCP_ESTABLISHED state");
5416 if (StreamTcpPacketStateEstablished(
tv, p, stt, ssn)) {
5421 SCLogDebug(
"packet received on TCP_FIN_WAIT1 state");
5422 if (StreamTcpPacketStateFinWait1(
tv, p, stt, ssn)) {
5427 SCLogDebug(
"packet received on TCP_FIN_WAIT2 state");
5428 if (StreamTcpPacketStateFinWait2(
tv, p, stt, ssn)) {
5433 SCLogDebug(
"packet received on TCP_CLOSING state");
5434 if (StreamTcpPacketStateClosing(
tv, p, stt, ssn)) {
5439 SCLogDebug(
"packet received on TCP_CLOSE_WAIT state");
5440 if (StreamTcpPacketStateCloseWait(
tv, p, stt, ssn)) {
5445 SCLogDebug(
"packet received on TCP_LAST_ACK state");
5446 if (StreamTcpPacketStateLastAck(
tv, p, stt, ssn)) {
5451 SCLogDebug(
"packet received on TCP_TIME_WAIT state");
5452 if (StreamTcpPacketStateTimeWait(
tv, p, stt, ssn)) {
5458 SCLogDebug(
"packet received on closed state");
5460 if (StreamTcpPacketStateClosed(
tv, p, stt, ssn)) {
5466 SCLogDebug(
"packet received on default state");
5502 const TCPHdr *tcph = PacketGetTCP(p);
5517 SCLogDebug(
"ssn %p: removing ASYNC flag as we have packets on both sides", ssn);
5531 if (StreamTcpCheckFlowDrops(p) == 1) {
5541 if (StreamTcpPacketStateNone(
tv, p, stt, ssn) == -1) {
5567 if (StreamTcpPacketIsKeepAlive(ssn, p) == 1) {
5570 if (StreamTcpPacketIsKeepAliveACK(ssn, p) == 1) {
5571 StreamTcpClearKeepAliveFlag(ssn, p);
5574 StreamTcpClearKeepAliveFlag(ssn, p);
5576 const bool is_zwp_ack = StreamTcpPacketIsZeroWindowProbeAck(ssn, p);
5587 if (StreamTcpPacketIsDupAck(ssn, p) ==
true) {
5594 if (StreamTcpPacketIsFinShutdownAck(ssn, p) == 0) {
5595 if (StreamTcpPacketIsWindowUpdate(ssn, p) == 0) {
5596 if (StreamTcpPacketIsBadWindowUpdate(ssn,p))
5598 if (StreamTcpPacketIsOutdatedAck(ssn, p))
5603 int ret = StreamTcpPacketIsSpuriousRetransmission(ssn, p);
5612 if (StreamTcpStateDispatch(
tv, p, stt, ssn, ssn->
state) < 0)
5616 StreamTcpPacketCheckPostRst(ssn, p);
5665 SCLogDebug(
"bypass as stream is dead and we have no rules");
5678 if (StreamTcpInlineDropInvalid()) {
5682 DecodeSetNoPayloadInspectionFlag(p);
5696 static inline int StreamTcpValidateChecksum(
Packet *p)
5704 const TCPHdr *tcph = PacketGetTCP(p);
5705 if (PacketIsIPv4(p)) {
5706 const IPV4Hdr *ip4h = PacketGetIPv4(p);
5707 p->
l4.
csum = TCPChecksum(ip4h->s_ip_addrs, (uint16_t *)tcph,
5710 }
else if (PacketIsIPv6(p)) {
5711 const IPV6Hdr *ip6h = PacketGetIPv6(p);
5712 p->
l4.
csum = TCPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)tcph,
5733 static int TcpSessionPacketIsStreamStarter(
const Packet *p)
5735 const TCPHdr *tcph = PacketGetTCP(p);
5758 static bool TcpSessionReuseDoneEnoughSyn(
const Packet *p,
const Flow *f,
const TcpSession *ssn)
5760 const TCPHdr *tcph = PacketGetTCP(p);
5765 SCLogDebug(
"steam starter packet %" PRIu64
", ssn %p null. Reuse.", p->
pcap_cnt, ssn);
5770 ", ssn %p. STREAMTCP_FLAG_TFO_DATA_IGNORED set. Reuse.",
5775 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p. Packet SEQ == Stream ISN. Retransmission. Don't reuse.", p->
pcap_cnt, ssn);
5779 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5782 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5785 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5795 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5798 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5801 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5814 static bool TcpSessionReuseDoneEnoughSynAck(
const Packet *p,
const Flow *f,
const TcpSession *ssn)
5816 const TCPHdr *tcph = PacketGetTCP(p);
5819 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p null. No reuse.", p->
pcap_cnt, ssn);
5823 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p. Packet SEQ == Stream ISN. Retransmission. Don't reuse.", p->
pcap_cnt, ssn);
5827 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5830 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5833 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5843 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5846 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5849 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5865 const TCPHdr *tcph = PacketGetTCP(p);
5867 return TcpSessionReuseDoneEnoughSyn(p, f, ssn);
5872 return TcpSessionReuseDoneEnoughSynAck(p, f, ssn);
5881 if (p->
proto == IPPROTO_TCP && PacketIsTCP(p)) {
5882 if (TcpSessionPacketIsStreamStarter(p) == 1) {
5883 if (TcpSessionReuseDoneEnough(p, f, tcp_ssn) == 1) {
5906 if (!(PacketIsTCP(p))) {
5910 HandleThreadId(
tv, p, stt);
5916 if (StreamTcpValidateChecksum(p) == 0) {
5942 *data = (
void *)stt;
5951 IsStreamTcpSessionMemcapExceptionPolicyStatsValid);
5960 "tcp.midstream_exception_policy.", IsMidstreamExceptionPolicyStatsValid);
5964 "tcp.midstream_exception_policy.", IsMidstreamExceptionPolicyStatsValid);
5979 "tcp.reassembly_exception_policy.", IsReassemblyMemcapExceptionPolicyStatsValid);
5992 SCLogDebug(
"StreamTcp thread specific ctx online at %p, reassembly ctx %p",
6001 StreamTcpSessionPoolAlloc,
6002 StreamTcpSessionPoolInit, NULL,
6003 StreamTcpSessionPoolCleanup, NULL);
6013 SCLogError(
"failed to setup/expand stream session pool. Expand stream.memcap?");
6058 const TCPHdr *tcph = PacketGetTCP(p);
6066 if (!StreamTcpValidateTimestamp(ssn, p)) {
6095 StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
6096 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
6108 StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
6109 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
6122 receiver_stream = &ssn->
server;
6124 receiver_stream = &ssn->
client;
6126 SCLogDebug(
"ssn %p: setting STREAMTCP_STREAM_FLAG_RST_RECV on receiver stream", ssn);
6146 switch (os_policy) {
6153 SCLogDebug(
"reset is not Valid! Packet SEQ: %" PRIu32
" "
6154 "and server SEQ: %" PRIu32
"",
6163 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" "
6164 "and client SEQ: %" PRIu32
"",
6181 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" and"
6182 " server SEQ: %" PRIu32
"",
6194 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" and"
6195 " client SEQ: %" PRIu32
"",
6216 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" "
6217 "and server SEQ: %" PRIu32
"",
6223 SCLogDebug(
"reset is valid! Packet SEQ: %" PRIu32
" Stream %u",
seq,
6227 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" and"
6228 " client SEQ: %" PRIu32
"",
6259 uint8_t check_ts = 1;
6260 const TCPHdr *tcph = PacketGetTCP(p);
6264 sender_stream = &ssn->
client;
6265 receiver_stream = &ssn->
server;
6267 sender_stream = &ssn->
server;
6268 receiver_stream = &ssn->
client;
6279 uint32_t last_pkt_ts = sender_stream->
last_pkt_ts;
6280 uint32_t last_ts = sender_stream->
last_ts;
6330 SCLogDebug(
"ts %"PRIu32
", last_ts %"PRIu32
"",
ts, last_ts);
6334 result = (int32_t) ((
ts - last_ts) + 1);
6336 result = (int32_t) (
ts - last_ts);
6339 SCLogDebug(
"result %" PRIi32
", p->ts(secs) %" PRIuMAX
"", result,
6342 if (last_pkt_ts == 0 &&
6350 "%" PRIu32
" p->tcpvars->ts %" PRIu32
" result "
6351 "%" PRId32
"", last_ts,
ts, result);
6354 }
else if ((sender_stream->
last_ts != 0) &&
6356 SCLogDebug(
"packet is not valid last_pkt_ts "
6357 "%" PRIu32
" p->ts(sec) %" PRIu32
"",
6369 SCLogDebug(
"timestamp considered valid anyway");
6401 uint8_t check_ts = 1;
6402 const TCPHdr *tcph = PacketGetTCP(p);
6406 sender_stream = &ssn->
client;
6407 receiver_stream = &ssn->
server;
6409 sender_stream = &ssn->
server;
6410 receiver_stream = &ssn->
client;
6478 result = (int32_t) ((
ts - sender_stream->
last_ts) + 1);
6480 result = (int32_t) (
ts - sender_stream->
last_ts);
6483 SCLogDebug(
"result %" PRIi32
", p->ts(sec) %" PRIuMAX
"", result,
6493 SCLogDebug(
"timestamp is not valid sender_stream->last_ts "
6494 "%" PRIu32
" p->tcpvars->ts %" PRIu32
" result "
6495 "%" PRId32
"", sender_stream->
last_ts,
ts, result);
6498 }
else if ((sender_stream->
last_ts != 0) &&
6501 SCLogDebug(
"packet is not valid sender_stream->last_pkt_ts "
6502 "%" PRIu32
" p->ts(sec) %" PRIu32
"",
6516 }
else if (ret == 0) {
6526 SCLogDebug(
"timestamp considered valid anyway");
6562 const TCPHdr *tcph = PacketGetTCP(p);
6577 SCLogDebug(
"ssn %p: pkt ACK %" PRIu32
" == stream last ACK %" PRIu32, ssn, ack,
6590 SCLogDebug(
"ACK %"PRIu32
" is before last_ack %"PRIu32
" - window "
6591 "%"PRIu32
" = %"PRIu32, ack, stream->
last_ack,
6614 SCLogDebug(
"default path leading to invalid: ACK %"PRIu32
", last_ack %"PRIu32
6627 const uint32_t progress)
6685 static void StreamTcpPseudoPacketCreateDetectLogFlush(
ThreadVars *
tv,
6708 np->
proto = IPPROTO_TCP;
6709 FlowReference(&np->
flow, f);
6719 DecodeSetNoPacketInspectionFlag(np);
6722 DecodeSetNoPayloadInspectionFlag(np);
6762 ip4h->
ip_len = htons(40);
6768 ip4h->s_ip_src.s_addr = f->
src.addr_data32[0];
6769 ip4h->s_ip_dst.s_addr = f->
dst.addr_data32[0];
6771 ip4h->s_ip_src.s_addr = f->
dst.addr_data32[0];
6772 ip4h->s_ip_dst.s_addr = f->
src.addr_data32[0];
6805 ip6h->s_ip6_vfc = 0x60;
6806 ip6h->s_ip6_flow = 0;
6807 ip6h->s_ip6_nxt = IPPROTO_TCP;
6808 ip6h->s_ip6_plen = htons(20);
6809 ip6h->s_ip6_hlim = 64;
6811 ip6h->s_ip6_src[0] = f->
src.addr_data32[0];
6812 ip6h->s_ip6_src[1] = f->
src.addr_data32[1];
6813 ip6h->s_ip6_src[2] = f->
src.addr_data32[2];
6814 ip6h->s_ip6_src[3] = f->
src.addr_data32[3];
6815 ip6h->s_ip6_dst[0] = f->
dst.addr_data32[0];
6816 ip6h->s_ip6_dst[1] = f->
dst.addr_data32[1];
6817 ip6h->s_ip6_dst[2] = f->
dst.addr_data32[2];
6818 ip6h->s_ip6_dst[3] = f->
dst.addr_data32[3];
6820 ip6h->s_ip6_src[0] = f->
dst.addr_data32[0];
6821 ip6h->s_ip6_src[1] = f->
dst.addr_data32[1];
6822 ip6h->s_ip6_src[2] = f->
dst.addr_data32[2];
6823 ip6h->s_ip6_src[3] = f->
dst.addr_data32[3];
6824 ip6h->s_ip6_dst[0] = f->
src.addr_data32[0];
6825 ip6h->s_ip6_dst[1] = f->
src.addr_data32[1];
6826 ip6h->s_ip6_dst[2] = f->
src.addr_data32[2];
6827 ip6h->s_ip6_dst[3] = f->
src.addr_data32[3];
6859 np->
ts = parent->
ts;
6867 FlowDeReference(&np->
flow);
6886 StreamTcpPseudoPacketCreateDetectLogFlush(
tv, stt, p, ssn, pq,
ts^0);
6887 StreamTcpPseudoPacketCreateDetectLogFlush(
tv, stt, p, ssn, pq,
ts^1);
6907 if (p->
flow == NULL)
6935 const uint8_t *seg_data;
6936 uint32_t seg_datalen;
6939 int ret = CallbackFunc(p, seg, data, seg_data, seg_datalen);
6967 if (p->
flow == NULL)
6981 if (server_node == NULL && client_node == NULL) {
6985 while (server_node != NULL || client_node != NULL) {
6986 const uint8_t *seg_data;
6987 uint32_t seg_datalen;
6988 if (server_node == NULL) {
6995 &client_stream->
sb, &client_node->
sbseg, &seg_data, &seg_datalen);
6996 ret = CallbackFunc(p, client_node, data, seg_data, seg_datalen);
7001 client_node = TCPSEG_RB_NEXT(client_node);
7002 }
else if (client_node == NULL) {
7009 &server_stream->
sb, &server_node->
sbseg, &seg_data, &seg_datalen);
7010 ret = CallbackFunc(p, server_node, data, seg_data, seg_datalen);
7015 server_node = TCPSEG_RB_NEXT(server_node);
7020 &client_stream->
sb, &client_node->
sbseg, &seg_data, &seg_datalen);
7021 ret = CallbackFunc(p, client_node, data, seg_data, seg_datalen);
7026 client_node = TCPSEG_RB_NEXT(client_node);
7029 &server_stream->
sb, &server_node->
sbseg, &seg_data, &seg_datalen);
7030 ret = CallbackFunc(p, server_node, data, seg_data, seg_datalen);
7035 server_node = TCPSEG_RB_NEXT(server_node);
7070 const char *tcp_state = NULL;
7076 tcp_state =
"syn_sent";
7079 tcp_state =
"syn_recv";
7082 tcp_state =
"established";
7085 tcp_state =
"fin_wait1";
7088 tcp_state =
"fin_wait2";
7091 tcp_state =
"time_wait";
7094 tcp_state =
"last_ack";
7097 tcp_state =
"close_wait";
7100 tcp_state =
"closing";
7103 tcp_state =
"closed";