suricata
Data Fields
Flow_ Struct Reference

Flow data structure. More...

#include <flow.h>

Collaboration diagram for Flow_:
Collaboration graph
[legend]

Data Fields

FlowAddress src
 
FlowAddress dst
 
union {
   Port   sp
 
   struct {
      uint8_t   type
 
      uint8_t   code
 
   }   icmp_s
 
   struct {
      uint32_t   spi
 
   }   esp
 
}; 
 
union {
   Port   dp
 
   struct {
      uint8_t   type
 
      uint8_t   code
 
   }   icmp_d
 
}; 
 
uint8_t proto
 
uint8_t recursion_level
 
uint16_t vlan_id [VLAN_MAX_LAYERS]
 
uint8_t vlan_idx
 
union {
   struct {
      uint8_t   ffr_ts:4
 
      uint8_t   ffr_tc:4
 
   } 
 
   uint8_t   ffr
 
}; 
 
FlowThreadId thread_id [2]
 
uint32_t flow_hash
 
struct LiveDevice_livedev
 
struct Flow_next
 
uint64_t flags
 
uint16_t file_flags
 
uint16_t protodetect_dp
 
uint32_t timeout_policy
 
SCTime_t lastts
 
FlowStateType flow_state
 
uint32_t tenant_id
 
uint32_t probing_parser_toserver_alproto_masks
 
uint32_t probing_parser_toclient_alproto_masks
 
int64_t parent_id
 
void * protoctx
 
SCMutex m
 
uint8_t protomap
 
uint8_t flow_end_flags
 
AppProto alproto
 application level protocol More...
 
AppProto alproto_ts
 
AppProto alproto_tc
 
AppProto alproto_orig
 
AppProto alproto_expect
 
uint32_t de_ctx_version
 
uint8_t min_ttl_toserver
 
uint8_t max_ttl_toserver
 
uint8_t min_ttl_toclient
 
uint8_t max_ttl_toclient
 
uint8_t applied_exception_policy
 
AppLayerParserStatealparser
 
void * alstate
 
const struct SigGroupHead_sgh_toclient
 
const struct SigGroupHead_sgh_toserver
 
GenericVarflowvar
 
struct FlowBucket_fb
 
SCTime_t startts
 
uint32_t todstpktcnt
 
uint32_t tosrcpktcnt
 
uint64_t todstbytecnt
 
uint64_t tosrcbytecnt
 
Storage storage []
 

Detailed Description

Flow data structure.

The flow is a global data structure that is created for new packets of a flow and then looked up for the following packets of a flow.

Locking

The flow is updated/used by multiple packets at the same time. This is why there is a flow-mutex. It's a mutex and not a spinlock because some operations on the flow can be quite expensive, thus spinning would be too expensive.

The flow "header" (addresses, ports, proto, recursion level) are static after the initialization and remain read-only throughout the entire live of a flow. This is why we can access those without protection of the lock.

Definition at line 346 of file flow.h.

Field Documentation

◆ @122

union { ... }

◆ @124

union { ... }

◆ @126

union { ... }

◆ alparser

AppLayerParserState* Flow_::alparser

application level storage ptrs. parser internal state

Definition at line 471 of file flow.h.

Referenced by AppLayerFrameDump(), AppLayerFramesFreeContainer(), AppLayerFramesGetContainer(), AppLayerFramesSetupContainer(), AppLayerParserParse(), AppLayerProtoDetectReset(), FlowCleanupAppLayer(), FlowNeedsReassembly(), HttpXFFGetIP(), LLVMFuzzerTestOneInput(), Prefilter(), and StreamTcpDisableAppLayer().

◆ alproto

AppProto Flow_::alproto

application level protocol

Definition at line 443 of file flow.h.

Referenced by AppLayerFramesSetupContainer(), AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerIncAllocErrorCounter(), AppLayerIncGapErrorCounter(), AppLayerIncInternalErrorCounter(), AppLayerIncParserErrorCounter(), AppLayerIncTxCounter(), AppLayerParserSetTransactionInspectId(), AppLayerParserStateCleanup(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), DetectEngineInspectBufferGeneric(), DetectEngineInspectBufferSingle(), DetectEngineInspectFiledata(), DetectEngineInspectMultiBufferGeneric(), DetectRunFrameInspectRule(), DetectRunStoreStateTx(), EveAddAppProto(), FlowNeedsReassembly(), FrameJsonLogOneFrame(), LLVMFuzzerTestOneInput(), LuaExtensionsMatchSetup(), LuaStateNeedProto(), Prefilter(), RulesDumpMatchArray(), RulesDumpTxMatchArray(), and SCAppLayerForceProtocolChange().

◆ alproto_expect

AppProto Flow_::alproto_expect

expected app protocol: used in protocol change/upgrade like in STARTTLS.

Definition at line 452 of file flow.h.

Referenced by AppLayerRequestProtocolChange(), and EveAddAppProto().

◆ alproto_orig

AppProto Flow_::alproto_orig

original application level protocol. Used to indicate the previous protocol when changing to another protocol , e.g. with STARTTLS.

Definition at line 449 of file flow.h.

Referenced by AppLayerRequestProtocolChange(), EveAddAppProto(), and SCAppLayerForceProtocolChange().

◆ alproto_tc

AppProto Flow_::alproto_tc

Definition at line 445 of file flow.h.

Referenced by AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), EveAddAppProto(), and SCAppLayerForceProtocolChange().

◆ alproto_ts

AppProto Flow_::alproto_ts

Definition at line 444 of file flow.h.

Referenced by AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), EveAddAppProto(), and SCAppLayerForceProtocolChange().

◆ alstate

void* Flow_::alstate

application layer state

Definition at line 472 of file flow.h.

Referenced by DetectFileInspectGeneric(), FlowCleanupAppLayer(), FlowNeedsReassembly(), and LuaExtensionsMatchSetup().

◆ applied_exception_policy

uint8_t Flow_::applied_exception_policy

which exception policies were applied, if any

Definition at line 466 of file flow.h.

Referenced by ExceptionPolicyParse().

◆ code

uint8_t Flow_::code

icmp code

Definition at line 355 of file flow.h.

◆ de_ctx_version

uint32_t Flow_::de_ctx_version

detection engine ctx version used to inspect this flow. Set at initial inspection. If it doesn't match the currently in use de_ctx, the stored sgh ptrs are reset.

Definition at line 457 of file flow.h.

◆ dp

Port Flow_::dp

tcp/udp destination port

Definition at line 363 of file flow.h.

Referenced by LLVMFuzzerTestOneInput(), and SCFlowGetDestinationPort().

◆ dst

FlowAddress Flow_::dst

Definition at line 350 of file flow.h.

Referenced by LLVMFuzzerTestOneInput().

◆ esp

struct { ... } Flow_::esp

◆ fb

struct FlowBucket_* Flow_::fb

Definition at line 484 of file flow.h.

Referenced by FlowBitFree(), FlowBitIsnotset(), FlowBitIsset(), and FlowBitToggle().

◆ ffr

uint8_t Flow_::ffr

Definition at line 381 of file flow.h.

◆ ffr_tc

uint8_t Flow_::ffr_tc

Definition at line 379 of file flow.h.

Referenced by FlowNeedsReassembly().

◆ ffr_ts

uint8_t Flow_::ffr_ts

Definition at line 378 of file flow.h.

Referenced by FlowNeedsReassembly().

◆ file_flags

uint16_t Flow_::file_flags

file tracking/extraction flags

Definition at line 398 of file flow.h.

Referenced by FileFlowToFlags().

◆ flags

uint64_t Flow_::flags

generic flags

Definition at line 396 of file flow.h.

Referenced by FlowChangeProto(), FlowClearMemory(), FlowGetPacketDirection(), FlowHasAlerts(), FlowSendToLocalThread(), FlowSetChangeProtoFlag(), FlowSetHasAlertsFlag(), FlowSwap(), FlowUnsetChangeProtoFlag(), LLVMFuzzerTestOneInput(), and SCFlowGetFlags().

◆ flow_end_flags

uint8_t Flow_::flow_end_flags

Definition at line 440 of file flow.h.

◆ flow_hash

uint32_t Flow_::flow_hash

flow hash - the flow hash before hash table size mod. Used for calculating the flow_id.

Definition at line 389 of file flow.h.

◆ flow_state

FlowStateType Flow_::flow_state

Definition at line 413 of file flow.h.

Referenced by FlowHandlePacketUpdate(), FlowUpdateState(), and PacketBypassCallback().

◆ flowvar

GenericVar* Flow_::flowvar

Definition at line 482 of file flow.h.

Referenced by EveAddMetadata(), FlowVarAddFloat(), FlowVarAddIdValue(), FlowVarAddIntNoLock(), FlowVarAddKeyValue(), FlowVarGet(), and FlowVarGetByKey().

◆ icmp_d

struct { ... } Flow_::icmp_d

◆ icmp_s

struct { ... } Flow_::icmp_s

◆ lastts

SCTime_t Flow_::lastts

time stamp of last update (last packet). Set/updated under the flow and flow hash row locks, safe to read under either the flow lock or flow hash row lock.

Definition at line 411 of file flow.h.

Referenced by AppLayerExpectationCreate(), FlowHandlePacketUpdate(), and SCFlowGetLastTimeAsParts().

◆ livedev

struct LiveDevice_* Flow_::livedev

Incoming interface

Definition at line 392 of file flow.h.

Referenced by FlowInit().

◆ m

SCMutex Flow_::m

Definition at line 431 of file flow.h.

◆ max_ttl_toclient

uint8_t Flow_::max_ttl_toclient

Definition at line 463 of file flow.h.

◆ max_ttl_toserver

uint8_t Flow_::max_ttl_toserver

Definition at line 461 of file flow.h.

◆ min_ttl_toclient

uint8_t Flow_::min_ttl_toclient

Definition at line 462 of file flow.h.

◆ min_ttl_toserver

uint8_t Flow_::min_ttl_toserver

ttl tracking

Definition at line 460 of file flow.h.

◆ next

struct Flow_* Flow_::next

Definition at line 394 of file flow.h.

Referenced by FlowGetExistingFlowFromFlowId(), FlowQueuePrivateAppendFlow(), FlowQueuePrivateAppendPrivate(), FlowQueuePrivateGetFromTop(), FlowQueuePrivatePrependFlow(), FlowReset(), and FlowShutdown().

◆ parent_id

int64_t Flow_::parent_id

Definition at line 423 of file flow.h.

◆ probing_parser_toclient_alproto_masks

uint32_t Flow_::probing_parser_toclient_alproto_masks

Definition at line 420 of file flow.h.

Referenced by AppLayerProtoDetectReset(), and FlowSwap().

◆ probing_parser_toserver_alproto_masks

uint32_t Flow_::probing_parser_toserver_alproto_masks

Definition at line 419 of file flow.h.

Referenced by AppLayerProtoDetectReset(), and FlowSwap().

◆ proto

uint8_t Flow_::proto

ip proto of the flow

Definition at line 369 of file flow.h.

Referenced by AppLayerFrameDump(), AppLayerFramesSetupContainer(), AppLayerParserParse(), AppLayerParserSetTransactionInspectId(), DetectEngineInspectBufferGeneric(), DetectEngineInspectBufferSingle(), DetectEngineInspectFiledata(), DetectEngineInspectMultiBufferGeneric(), DetectRunFrameInspectRule(), DetectRunStoreStateTx(), FlowCleanupAppLayer(), FlowGetDisruptionFlags(), FlowInit(), FlowReset(), FlowShutdown(), FrameJsonLogOneFrame(), FramesPrune(), LLVMFuzzerTestOneInput(), LuaExtensionsMatchSetup(), StreamTcpAppLayerIsDisabled(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().

◆ protoctx

void* Flow_::protoctx

protocol specific data pointer, e.g. for TcpSession

Definition at line 426 of file flow.h.

Referenced by AppLayerFrameDump(), AppLayerFramesSetupContainer(), AppLayerFramesSlide(), DetectEngineInspectStreamPayload(), FlowClearMemory(), FlowGetDisruptionFlags(), FlowNeedsReassembly(), FramesPrune(), LLVMFuzzerTestOneInput(), SCAppLayerParserTriggerRawStreamInspection(), StreamTcpAppLayerIsDisabled(), StreamTcpDetectLogFlush(), StreamTcpDisableAppLayer(), StreamTcpPacket(), StreamTcpPruneSession(), StreamTcpReassembleDepthReached(), StreamTcpSegmentForEach(), StreamTcpSegmentForSession(), StreamTcpSessionPktFree(), UTHAddSessionToFlow(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().

◆ protodetect_dp

uint16_t Flow_::protodetect_dp

destination port to be used in protocol detection. This is meant for use with STARTTLS and HTTP CONNECT detection 0 if not used

Definition at line 402 of file flow.h.

Referenced by AppLayerRequestProtocolChange().

◆ protomap

uint8_t Flow_::protomap

mapping to Flow's protocol specific protocols for timeouts and state and free functions.

Definition at line 438 of file flow.h.

Referenced by AppLayerIncAllocErrorCounter(), AppLayerIncGapErrorCounter(), AppLayerIncInternalErrorCounter(), AppLayerIncParserErrorCounter(), AppLayerIncTxCounter(), AppLayerParserParse(), AppLayerParserStateCleanup(), FlowHandlePacketUpdate(), and LLVMFuzzerTestOneInput().

◆ recursion_level

uint8_t Flow_::recursion_level

Definition at line 370 of file flow.h.

Referenced by FlowInit().

◆ sgh_toclient

const struct SigGroupHead_* Flow_::sgh_toclient

toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag has been set.

Definition at line 476 of file flow.h.

◆ sgh_toserver

const struct SigGroupHead_* Flow_::sgh_toserver

toserver sgh for this flow. Only use when FLOW_SGH_TOSERVER flow flag has been set.

Definition at line 479 of file flow.h.

◆ sp

Port Flow_::sp

tcp/udp source port

Definition at line 352 of file flow.h.

Referenced by FlowGetPacketDirection(), LLVMFuzzerTestOneInput(), and SCFlowGetSourcePort().

◆ spi

uint32_t Flow_::spi

esp spi

Definition at line 359 of file flow.h.

◆ src

FlowAddress Flow_::src

Definition at line 350 of file flow.h.

Referenced by FlowGetPacketDirection(), and LLVMFuzzerTestOneInput().

◆ startts

SCTime_t Flow_::startts

Definition at line 486 of file flow.h.

Referenced by EveAddFlow().

◆ storage

Storage Flow_::storage[]

Definition at line 493 of file flow.h.

Referenced by FlowAllocStorageById(), FlowFreeStorage(), FlowFreeStorageById(), FlowGetStorageById(), and FlowSetStorageById().

◆ tenant_id

uint32_t Flow_::tenant_id

flow tenant id, used to setup flow timeout and stream pseudo packets with the correct tenant id set

Definition at line 417 of file flow.h.

◆ thread_id

FlowThreadId Flow_::thread_id[2]

Thread ID for the stream/detect portion of this flow

Definition at line 385 of file flow.h.

Referenced by FlowInit(), and FlowSendToLocalThread().

◆ timeout_policy

uint32_t Flow_::timeout_policy

timeout in seconds by policy, add to Flow::lastts to get actual time this times out. Ignored in emergency mode.

Definition at line 406 of file flow.h.

◆ todstbytecnt

uint64_t Flow_::todstbytecnt

Definition at line 490 of file flow.h.

Referenced by EveAddFlow(), and FlowHandlePacketUpdate().

◆ todstpktcnt

uint32_t Flow_::todstpktcnt

Definition at line 488 of file flow.h.

Referenced by EveAddFlow(), and FlowHandlePacketUpdate().

◆ tosrcbytecnt

uint64_t Flow_::tosrcbytecnt

Definition at line 491 of file flow.h.

Referenced by EveAddFlow().

◆ tosrcpktcnt

uint32_t Flow_::tosrcpktcnt

Definition at line 489 of file flow.h.

Referenced by EveAddFlow().

◆ type

uint8_t Flow_::type

icmp type

Definition at line 354 of file flow.h.

◆ vlan_id

uint16_t Flow_::vlan_id[VLAN_MAX_LAYERS]

Definition at line 371 of file flow.h.

Referenced by FlowInit().

◆ vlan_idx

uint8_t Flow_::vlan_idx

Definition at line 373 of file flow.h.

Referenced by FlowInit().

The documentation for this struct was generated from the following file: