Flow data structure. More...
#include <flow.h>
Public Member Functions | |
| SC_ATOMIC_DECLARE (FlowStateType, flow_state) | |
| SC_ATOMIC_DECLARE (FlowRefCount, use_cnt) | |
Detailed Description
Flow data structure.
The flow is a global data structure that is created for new packets of a flow and then looked up for the following packets of a flow.
Locking
The flow is updated/used by multiple packets at the same time. This is why there is a flow-mutex. It's a mutex and not a spinlock because some operations on the flow can be quite expensive, thus spinning would be too expensive.
The flow "header" (addresses, ports, proto, recursion level) are static after the initialization and remain read-only throughout the entire live of a flow. This is why we can access those without protection of the lock.
Member Function Documentation
◆ SC_ATOMIC_DECLARE() [1/2]
| Flow_::SC_ATOMIC_DECLARE | ( | FlowRefCount | , |
| use_cnt | |||
| ) |
how many pkts and stream msgs are using the flow right now. This variable is atomic so not protected by the Flow mutex "m".
On receiving a packet the counter is incremented while the flow bucked is locked, which is also the case on timeout pruning.
◆ SC_ATOMIC_DECLARE() [2/2]
| Flow_::SC_ATOMIC_DECLARE | ( | FlowStateType | , |
| flow_state | |||
| ) |
Field Documentation
◆ @120
| union { ... } |
◆ @122
| union { ... } |
◆ alparser
| AppLayerParserState* Flow_::alparser |
application level storage ptrs. parser internal state
Definition at line 453 of file flow.h.
Referenced by AppLayerDecoderEventsSetEvent(), AppLayerParserParse(), AppLayerProtoDetectReset(), DeStateUpdateInspectTransactionId(), FlowCleanupAppLayer(), FlowForceReassemblyNeedReassembly(), and LLVMFuzzerTestOneInput().
◆ alproto
| AppProto Flow_::alproto |
application level protocol
Definition at line 425 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerIncTxCounter(), AppLayerParserSetTransactionInspectId(), AppLayerProtoDetectReset(), DetectEngineInspectBufferGeneric(), DetectRunStoreStateTx(), EveAddAppProto(), FlowForceReassemblyNeedReassembly(), FlowGetAppProtocol(), JsonBuildFileInfoRecord(), and LLVMFuzzerTestOneInput().
◆ alproto_expect
| AppProto Flow_::alproto_expect |
expected app protocol: used in protocol change/upgrade like in STARTTLS.
Definition at line 434 of file flow.h.
Referenced by AppLayerRequestProtocolChange(), and EveAddAppProto().
◆ alproto_orig
| AppProto Flow_::alproto_orig |
original application level protocol. Used to indicate the previous protocol when changing to another protocol , e.g. with STARTTLS.
Definition at line 431 of file flow.h.
Referenced by EveAddAppProto().
◆ alproto_tc
| AppProto Flow_::alproto_tc |
Definition at line 427 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerProtoDetectReset(), and EveAddAppProto().
◆ alproto_ts
| AppProto Flow_::alproto_ts |
Definition at line 426 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerProtoDetectReset(), and EveAddAppProto().
◆ alstate
| void* Flow_::alstate |
application layer state
Definition at line 454 of file flow.h.
Referenced by AppLayerProtoDetectReset(), DeStateUpdateInspectTransactionId(), DetectFileInspectGeneric(), EveFTPDataAddMetadata(), FlowCleanupAppLayer(), FlowForceReassemblyNeedReassembly(), FlowGetAppState(), and SMTPProcessDataChunk().
◆ code
◆ de_ctx_version
| uint32_t Flow_::de_ctx_version |
◆ dp
| Port Flow_::dp |
tcp/udp destination port
Definition at line 355 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ dst
| FlowAddress Flow_::dst |
Definition at line 346 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ fb
| struct FlowBucket_* Flow_::fb |
Definition at line 469 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowUpdateState().
◆ file_flags
| uint16_t Flow_::file_flags |
file tracking/extraction flags
Definition at line 398 of file flow.h.
Referenced by FileFlowToFlags().
◆ flags
| uint32_t Flow_::flags |
generic flags
Definition at line 396 of file flow.h.
Referenced by FlowChangeProto(), FlowClearMemory(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowHandlePacketUpdate(), FlowHasAlerts(), FlowInit(), FlowSetChangeProtoFlag(), FlowSetHasAlertsFlag(), FlowSetIPOnlyFlag(), FlowSwap(), FlowUnsetChangeProtoFlag(), and LLVMFuzzerTestOneInput().
◆ flow_end_flags
◆ flow_hash
| uint32_t Flow_::flow_hash |
flow hash - the flow hash before hash table size mod.
Definition at line 370 of file flow.h.
Referenced by FlowGetFromFlowKey().
◆ flowvar
| GenericVar* Flow_::flowvar |
Definition at line 464 of file flow.h.
Referenced by FlowVarAddIdValue(), FlowVarAddIntNoLock(), FlowVarAddKeyValue(), FlowVarGet(), and FlowVarGetByKey().
◆ hnext
| struct Flow_* Flow_::hnext |
hash list pointers, protected by fb->s
Definition at line 467 of file flow.h.
Referenced by FlowGetFromFlowKey().
◆ hprev
| struct Flow_* Flow_::hprev |
Definition at line 468 of file flow.h.
Referenced by FlowGetFromFlowKey().
◆ icmp_d
| struct { ... } Flow_::icmp_d |
◆ icmp_s
| struct { ... } Flow_::icmp_s |
Referenced by FlowInit().
◆ lastts
| struct timeval Flow_::lastts |
Definition at line 370 of file flow.h.
Referenced by AppLayerExpectationCreate(), FlowGetFromFlowKey(), FlowGetLastTimeAsParts(), and FlowHandlePacketUpdate().
◆ livedev
| struct LiveDevice_* Flow_::livedev |
◆ lnext
| struct Flow_* Flow_::lnext |
queue list pointers, protected by queue mutex
Definition at line 472 of file flow.h.
Referenced by FlowDequeue(), FlowEnqueue(), and FlowMoveToSpare().
◆ lprev
| struct Flow_* Flow_::lprev |
Definition at line 473 of file flow.h.
Referenced by FlowDequeue(), FlowEnqueue(), and FlowMoveToSpare().
◆ m
◆ max_ttl_toclient
◆ max_ttl_toserver
| uint8_t Flow_::max_ttl_toserver |
Definition at line 446 of file flow.h.
Referenced by FlowInit().
◆ min_ttl_toclient
◆ min_ttl_toserver
| uint8_t Flow_::min_ttl_toserver |
◆ parent_id
◆ probing_parser_toclient_alproto_masks
| uint32_t Flow_::probing_parser_toclient_alproto_masks |
Definition at line 394 of file flow.h.
Referenced by AppLayerProtoDetectReset(), and FlowSwap().
◆ probing_parser_toserver_alproto_masks
| uint32_t Flow_::probing_parser_toserver_alproto_masks |
Definition at line 393 of file flow.h.
Referenced by AppLayerProtoDetectReset(), and FlowSwap().
◆ proto
| uint8_t Flow_::proto |
Definition at line 361 of file flow.h.
Referenced by AppLayerParserParse(), AppLayerParserSetTransactionInspectId(), DetectEngineInspectBufferGeneric(), DetectRunStoreStateTx(), EveNFSAddMetadata(), EveNFSAddMetadataRPC(), EveSMBAddMetadata(), FlowCleanupAppLayer(), FlowGetDisruptionFlags(), FlowGetFromFlowKey(), FlowInit(), HttpXFFGetIPFromTx(), JsonRFBAddMetadata(), JsonSIPAddMetadata(), LLVMFuzzerTestOneInput(), StreamTcpAppLayerIsDisabled(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().
◆ protoctx
| void* Flow_::protoctx |
protocol specific data pointer, e.g. for TcpSession
Definition at line 416 of file flow.h.
Referenced by AppLayerParserTriggerRawStreamReassembly(), DetectEngineInspectStreamPayload(), FlowClearMemory(), FlowForceReassemblyForFlow(), FlowForceReassemblyNeedReassembly(), FlowGetDisruptionFlags(), LLVMFuzzerTestOneInput(), SMTPProcessDataChunk(), StreamTcpAppLayerIsDisabled(), StreamTcpDetectLogFlush(), StreamTcpDisableAppLayer(), StreamTcpPruneSession(), StreamTcpReassembleDepthReached(), StreamTcpSessionPktFree(), UTHAddSessionToFlow(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().
◆ protodetect_dp
| uint16_t Flow_::protodetect_dp |
destination port to be used in protocol detection. This is meant for use with STARTTLS and HTTP CONNECT detection 0 if not used
Definition at line 402 of file flow.h.
Referenced by AppLayerRequestProtocolChange().
◆ protomap
| uint8_t Flow_::protomap |
mapping to Flow's protocol specific protocols for timeouts and state and free functions.
Definition at line 420 of file flow.h.
Referenced by AppLayerIncTxCounter(), AppLayerParserParse(), FlowGetFromFlowKey(), and LLVMFuzzerTestOneInput().
◆ recursion_level
| uint8_t Flow_::recursion_level |
Definition at line 362 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowInit().
◆ sgh_toclient
| const struct SigGroupHead_* Flow_::sgh_toclient |
◆ sgh_toserver
| const struct SigGroupHead_* Flow_::sgh_toserver |
◆ sp
| Port Flow_::sp |
tcp/udp source port
Definition at line 348 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ src
| FlowAddress Flow_::src |
Definition at line 346 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ startts
| struct timeval Flow_::startts |
Definition at line 473 of file flow.h.
Referenced by EveAddFlow(), and FlowGetFromFlowKey().
◆ tenant_id
| uint32_t Flow_::tenant_id |
◆ thread_id
| FlowThreadId Flow_::thread_id[2] |
◆ todstbytecnt
| uint64_t Flow_::todstbytecnt |
Definition at line 478 of file flow.h.
Referenced by EveAddFlow(), and FlowHandlePacketUpdate().
◆ todstpktcnt
| uint32_t Flow_::todstpktcnt |
Definition at line 476 of file flow.h.
Referenced by EveAddFlow(), and FlowHandlePacketUpdate().
◆ tosrcbytecnt
| uint64_t Flow_::tosrcbytecnt |
Definition at line 479 of file flow.h.
Referenced by EveAddFlow().
◆ tosrcpktcnt
| uint32_t Flow_::tosrcpktcnt |
Definition at line 477 of file flow.h.
Referenced by EveAddFlow().
◆ type
◆ vlan_id
| uint16_t Flow_::vlan_id[2] |
Definition at line 363 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowInit().
◆ vlan_idx
| uint8_t Flow_::vlan_idx |
Definition at line 364 of file flow.h.
Referenced by FlowInit().
The documentation for this struct was generated from the following file:
- src/flow.h
