Flow data structure. More...

#include <flow.h>

Collaboration diagram for Flow_:

[legend]

Data Fields
FlowAddress	src

FlowAddress	dst

union {
Port sp

struct {
uint8_t type

uint8_t code

} icmp_s

struct {
uint32_t spi

} esp

};

union {
Port dp

struct {
uint8_t type

uint8_t code

} icmp_d

};

uint8_t	proto

uint8_t	recursion_level

uint16_t	vlan_id [2]

FlowRefCount	use_cnt

uint8_t	vlan_idx

union {
struct {
uint8_t ffr_ts:4

uint8_t ffr_tc:4

}

uint8_t ffr

};

uint32_t	timeout_at

FlowThreadId	thread_id [2]

struct Flow_ *	next

struct LiveDevice_ *	livedev

uint32_t	flow_hash

struct timeval	lastts

uint32_t	timeout_policy

FlowStateType	flow_state

uint32_t	tenant_id

uint32_t	probing_parser_toserver_alproto_masks

uint32_t	probing_parser_toclient_alproto_masks

uint32_t	flags

uint16_t	file_flags

uint16_t	protodetect_dp

int64_t	parent_id

SCMutex	m

void *	protoctx

uint8_t	protomap

uint8_t	flow_end_flags

AppProto	alproto
	application level protocol More...

AppProto	alproto_ts

AppProto	alproto_tc

AppProto	alproto_orig

AppProto	alproto_expect

uint32_t	de_ctx_version

uint8_t	min_ttl_toserver

uint8_t	max_ttl_toserver

uint8_t	min_ttl_toclient

uint8_t	max_ttl_toclient

AppLayerParserState *	alparser

void *	alstate

const struct SigGroupHead_ *	sgh_toclient

const struct SigGroupHead_ *	sgh_toserver

GenericVar *	flowvar

struct FlowBucket_ *	fb

struct timeval	startts

uint32_t	todstpktcnt

uint32_t	tosrcpktcnt

uint64_t	todstbytecnt

uint64_t	tosrcbytecnt

Detailed Description

Flow data structure.

The flow is a global data structure that is created for new packets of a flow and then looked up for the following packets of a flow.

Locking

The flow is updated/used by multiple packets at the same time. This is why there is a flow-mutex. It's a mutex and not a spinlock because some operations on the flow can be quite expensive, thus spinning would be too expensive.

The flow "header" (addresses, ports, proto, recursion level) are static after the initialization and remain read-only throughout the entire live of a flow. This is why we can access those without protection of the lock.

Definition at line 355 of file flow.h.

Field Documentation

◆ @118

union { ... }

◆ @120

union { ... }

◆ @122

union { ... }

◆ alparser

AppLayerParserState* Flow_::alparser

application level storage ptrs. parser internal state

Definition at line 488 of file flow.h.

Referenced by AppLayerFrameDump(), AppLayerFrameNewByAbsoluteOffset(), AppLayerFrameNewByPointer(), AppLayerFrameNewByRelativeOffset(), AppLayerFramesFreeContainer(), AppLayerFramesGetContainer(), AppLayerFramesSetupContainer(), AppLayerParserParse(), AppLayerProtoDetectReset(), FlowCleanupAppLayer(), FlowForceReassemblyNeedReassembly(), LLVMFuzzerTestOneInput(), Prefilter(), and StreamTcpDisableAppLayer().

◆ alproto

◆ alproto_expect

AppProto Flow_::alproto_expect

expected app protocol: used in protocol change/upgrade like in STARTTLS.

Definition at line 472 of file flow.h.

Referenced by AppLayerRequestProtocolChange(), and EveAddAppProto().

◆ alproto_orig

AppProto Flow_::alproto_orig

original application level protocol. Used to indicate the previous protocol when changing to another protocol , e.g. with STARTTLS.

Definition at line 469 of file flow.h.

Referenced by AppLayerRequestProtocolChange(), and EveAddAppProto().

◆ alproto_tc

AppProto Flow_::alproto_tc

Definition at line 465 of file flow.h.

Referenced by AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), and EveAddAppProto().

◆ alproto_ts

AppProto Flow_::alproto_ts

Definition at line 464 of file flow.h.

Referenced by AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), and EveAddAppProto().

◆ alstate

void* Flow_::alstate

application layer state

Definition at line 489 of file flow.h.

Referenced by DetectFileInspectGeneric(), EveFTPDataAddMetadata(), FlowCleanupAppLayer(), FlowForceReassemblyNeedReassembly(), FlowGetAppState(), and SMTPProcessDataChunk().

◆ code

uint8_t Flow_::code

icmp code

Definition at line 364 of file flow.h.

◆ de_ctx_version

uint32_t Flow_::de_ctx_version

detection engine ctx version used to inspect this flow. Set at initial inspection. If it doesn't match the currently in use de_ctx, the stored sgh ptrs are reset.

Definition at line 477 of file flow.h.

◆ dp

Port Flow_::dp

tcp/udp destination port

Definition at line 372 of file flow.h.

Referenced by FlowGetDestinationPort(), FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().

◆ dst

FlowAddress Flow_::dst

Definition at line 359 of file flow.h.

Referenced by FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().

◆ esp

struct { ... } Flow_::esp

◆ fb

struct FlowBucket_* Flow_::fb

Definition at line 501 of file flow.h.

Referenced by FlowGetFromFlowKey().

◆ ffr

uint8_t Flow_::ffr

Definition at line 396 of file flow.h.

◆ ffr_tc

uint8_t Flow_::ffr_tc

Definition at line 394 of file flow.h.

Referenced by FlowForceReassemblyNeedReassembly().

◆ ffr_ts

uint8_t Flow_::ffr_ts

Definition at line 393 of file flow.h.

Referenced by FlowForceReassemblyNeedReassembly().

◆ file_flags

uint16_t Flow_::file_flags

file tracking/extraction flags

Definition at line 436 of file flow.h.

Referenced by FileFlowToFlags().

◆ flags

uint32_t Flow_::flags

generic flags

Definition at line 434 of file flow.h.

Referenced by ExceptionPolicyParse(), FlowChangeProto(), FlowClearMemory(), FlowGetFlags(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowHandlePacketUpdate(), FlowHasAlerts(), FlowInit(), FlowSetChangeProtoFlag(), FlowSetHasAlertsFlag(), FlowSetIPOnlyFlag(), FlowSwap(), FlowUnsetChangeProtoFlag(), LLVMFuzzerTestOneInput(), and StreamTcpReassembleHandleSegment().

◆ flow_end_flags

uint8_t Flow_::flow_end_flags

Definition at line 460 of file flow.h.

◆ flow_hash

uint32_t Flow_::flow_hash

flow hash - the flow hash before hash table size mod.

Definition at line 412 of file flow.h.

Referenced by FlowGetFromFlowKey().

◆ flow_state

FlowStateType Flow_::flow_state

Definition at line 425 of file flow.h.

Referenced by FlowHandlePacketUpdate(), FlowUpdateState(), and PacketBypassCallback().

◆ flowvar

GenericVar* Flow_::flowvar

Definition at line 499 of file flow.h.

Referenced by EveAddMetadata(), FlowVarAddIdValue(), FlowVarAddIntNoLock(), FlowVarAddKeyValue(), FlowVarGet(), and FlowVarGetByKey().

◆ icmp_d

struct { ... } Flow_::icmp_d

◆ icmp_s

struct { ... } Flow_::icmp_s

Referenced by FlowInit().

◆ lastts

struct timeval Flow_::lastts

Definition at line 412 of file flow.h.

Referenced by AppLayerExpectationCreate(), FlowGetFromFlowKey(), FlowGetLastTimeAsParts(), and FlowHandlePacketUpdate().

◆ livedev

struct LiveDevice_* Flow_::livedev

Incoming interface

Definition at line 409 of file flow.h.

Referenced by FlowInit().

◆ m

SCMutex Flow_::m

Definition at line 448 of file flow.h.

◆ max_ttl_toclient

uint8_t Flow_::max_ttl_toclient

Definition at line 483 of file flow.h.

◆ max_ttl_toserver

uint8_t Flow_::max_ttl_toserver

Definition at line 481 of file flow.h.

Referenced by FlowInit().

◆ min_ttl_toclient

uint8_t Flow_::min_ttl_toclient

Definition at line 482 of file flow.h.

◆ min_ttl_toserver

uint8_t Flow_::min_ttl_toserver

ttl tracking

Definition at line 480 of file flow.h.

Referenced by FlowInit().

◆ next

struct Flow_* Flow_::next

Definition at line 407 of file flow.h.

Referenced by FlowGetFromFlowKey(), FlowQueuePrivateAppendFlow(), FlowQueuePrivateAppendPrivate(), FlowQueuePrivateGetFromTop(), FlowQueuePrivatePrependFlow(), FlowReset(), FlowShutdown(), and StatsReleaseCounters().

◆ parent_id

int64_t Flow_::parent_id

Definition at line 443 of file flow.h.

◆ probing_parser_toclient_alproto_masks

uint32_t Flow_::probing_parser_toclient_alproto_masks

Definition at line 432 of file flow.h.

Referenced by AppLayerProtoDetectReset(), and FlowSwap().

◆ probing_parser_toserver_alproto_masks

uint32_t Flow_::probing_parser_toserver_alproto_masks

Definition at line 431 of file flow.h.

Referenced by AppLayerProtoDetectReset(), and FlowSwap().

◆ proto

uint8_t Flow_::proto

Definition at line 378 of file flow.h.

Referenced by AppLayerFrameDump(), AppLayerFrameNewByAbsoluteOffset(), AppLayerFrameNewByPointer(), AppLayerFrameNewByRelativeOffset(), AppLayerFramesSetupContainer(), AppLayerParserParse(), AppLayerParserSetTransactionInspectId(), DetectEngineInspectBufferGeneric(), DetectRunFrameInspectRule(), DetectRunStoreStateTx(), EveHTTP2AddMetadata(), EveIKEAddMetadata(), EveNFSAddMetadata(), EveNFSAddMetadataRPC(), EveSMBAddMetadata(), FlowCleanupAppLayer(), FlowGetDisruptionFlags(), FlowGetFromFlowKey(), FlowHasGaps(), FlowInit(), FlowReset(), FlowShutdown(), FrameJsonLogOneFrame(), FramesPrune(), HttpXFFGetIPFromTx(), JsonModbusAddMetadata(), JsonMQTTAddMetadata(), JsonQuicAddMetadata(), JsonRFBAddMetadata(), JsonSIPAddMetadata(), LLVMFuzzerTestOneInput(), StreamTcpAppLayerIsDisabled(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().

◆ protoctx

void* Flow_::protoctx

◆ protodetect_dp

uint16_t Flow_::protodetect_dp

destination port to be used in protocol detection. This is meant for use with STARTTLS and HTTP CONNECT detection 0 if not used

Definition at line 440 of file flow.h.

Referenced by AppLayerRequestProtocolChange().

◆ protomap

uint8_t Flow_::protomap

mapping to Flow's protocol specific protocols for timeouts and state and free functions.

Definition at line 458 of file flow.h.

Referenced by AppLayerIncAllocErrorCounter(), AppLayerIncGapErrorCounter(), AppLayerIncInternalErrorCounter(), AppLayerIncParserErrorCounter(), AppLayerIncTxCounter(), AppLayerParserParse(), AppLayerParserStateCleanup(), FlowGetFromFlowKey(), and LLVMFuzzerTestOneInput().

◆ recursion_level

uint8_t Flow_::recursion_level

Definition at line 379 of file flow.h.

Referenced by FlowGetFromFlowKey(), and FlowInit().

◆ sgh_toclient

const struct SigGroupHead_* Flow_::sgh_toclient

toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag has been set.

Definition at line 493 of file flow.h.

◆ sgh_toserver

const struct SigGroupHead_* Flow_::sgh_toserver

toserver sgh for this flow. Only use when FLOW_SGH_TOSERVER flow flag has been set.

Definition at line 496 of file flow.h.

◆ sp

Port Flow_::sp

tcp/udp source port

Definition at line 361 of file flow.h.

Referenced by FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowGetSourcePort(), FlowInit(), and LLVMFuzzerTestOneInput().

◆ spi

uint32_t Flow_::spi

esp spi

Definition at line 368 of file flow.h.

◆ src

FlowAddress Flow_::src

Definition at line 359 of file flow.h.

Referenced by FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowInit(), and LLVMFuzzerTestOneInput().

◆ startts

struct timeval Flow_::startts

Definition at line 501 of file flow.h.

Referenced by EveAddFlow(), and FlowGetFromFlowKey().

◆ tenant_id

uint32_t Flow_::tenant_id

flow tenant id, used to setup flow timeout and stream pseudo packets with the correct tenant id set

Definition at line 429 of file flow.h.

◆ thread_id

FlowThreadId Flow_::thread_id[2]

Thread ID for the stream/detect portion of this flow

Definition at line 405 of file flow.h.

Referenced by FlowForceReassemblyForFlow().

◆ timeout_at

uint32_t Flow_::timeout_at

timestamp in seconds of the moment this flow will timeout according to the timeout policy. Does not take emergency mode into account.

Definition at line 402 of file flow.h.

Referenced by FlowHandlePacketUpdate().

◆ timeout_policy

uint32_t Flow_::timeout_policy

timeout policy value in seconds to add to the lastts.tv_sec when a packet has been received.

Definition at line 423 of file flow.h.

Referenced by FlowHandlePacketUpdate().

◆ todstbytecnt

uint64_t Flow_::todstbytecnt

Definition at line 507 of file flow.h.

Referenced by EveAddFlow(), and FlowHandlePacketUpdate().

◆ todstpktcnt

uint32_t Flow_::todstpktcnt

Definition at line 505 of file flow.h.

Referenced by EveAddFlow(), and FlowHandlePacketUpdate().

◆ tosrcbytecnt

uint64_t Flow_::tosrcbytecnt

Definition at line 508 of file flow.h.

Referenced by EveAddFlow().

◆ tosrcpktcnt

uint32_t Flow_::tosrcpktcnt

Definition at line 506 of file flow.h.

Referenced by EveAddFlow().

◆ type

uint8_t Flow_::type

icmp type

Definition at line 363 of file flow.h.

◆ use_cnt

FlowRefCount Flow_::use_cnt

how many references exist to this flow right now

On receiving a packet the counter is incremented while the flow bucked is locked, which is also the case on timeout pruning.

Definition at line 386 of file flow.h.

Referenced by FlowShutdown(), and UTHBuildPacketOfFlows().

◆ vlan_id

uint16_t Flow_::vlan_id[2]

Definition at line 380 of file flow.h.

Referenced by FlowGetFromFlowKey(), and FlowInit().

◆ vlan_idx

uint8_t Flow_::vlan_idx

Definition at line 388 of file flow.h.

Referenced by FlowInit().

The documentation for this struct was generated from the following file:

src/flow.h

Data Fields

Detailed Description

Field Documentation

◆ @118

◆ @120

◆ @122

◆ alparser

◆ alproto

◆ alproto_expect

◆ alproto_orig

◆ alproto_tc

◆ alproto_ts

◆ alstate

◆ code

◆ de_ctx_version

◆ dp

◆ dst

◆ esp

◆ fb

◆ ffr

◆ ffr_tc

◆ ffr_ts

◆ file_flags

◆ flags

◆ flow_end_flags

◆ flow_hash

◆ flow_state

◆ flowvar

◆ icmp_d

◆ icmp_s

◆ lastts

◆ livedev

◆ m

◆ max_ttl_toclient

◆ max_ttl_toserver

◆ min_ttl_toclient

◆ min_ttl_toserver

◆ next

◆ parent_id

◆ probing_parser_toclient_alproto_masks

◆ probing_parser_toserver_alproto_masks

◆ proto

◆ protoctx

◆ protodetect_dp

◆ protomap

◆ recursion_level

◆ sgh_toclient

◆ sgh_toserver

◆ sp

◆ spi

◆ src

◆ startts

◆ tenant_id

◆ thread_id

◆ timeout_at

◆ timeout_policy

◆ todstbytecnt

◆ todstpktcnt

◆ tosrcbytecnt

◆ tosrcpktcnt

◆ type

◆ use_cnt

◆ vlan_id

◆ vlan_idx