From 2e5422df8e39099e76939175a61cd7cf256711c6 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Thu, 15 Dec 2016 17:28:21 +0100
Subject: [PATCH] netflow: log ttl fields

Netflow entry collects the minimum and maximum time to live during the life of the incoming flow. This adds those field to a netflow event.

Signed-off-by: Eric Leblond
---
 src/flow-util.c | 2 ++
 src/flow.c | 18 ++++++++++++++++++
 src/flow.h | 12 ++++++++++++
 src/output-json-netflow.c | 3 +++
 4 files changed, 35 insertions(+)

diff --git a/src/flow-util.c b/src/flow-util.c
index dae4194bd5..eadce4769b 100644
--- a/src/flow-util.c
+++ b/src/flow-util.c
@@ -137,10 +137,12 @@ void FlowInit(Flow *f, const Packet *p)
     if (PKT_IS_IPV4(p)) {
         FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, &f->src);
         FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, &f->dst);
+        FLOW_SET_IPV4_TTL_FROM_PACKET(p, f);
         f->flags |= FLOW_IPV4;
     } else if (PKT_IS_IPV6(p)) {
         FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, &f->src);
         FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, &f->dst);
+        FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f);
         f->flags |= FLOW_IPV6;
     }
 #ifdef DEBUG
diff --git a/src/flow.c b/src/flow.c
index c371b54e16..b859d97055 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -344,6 +344,24 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
         SCLogDebug("setting FLOW_NOPAYLOAD_INSPECTION flag on flow %p", f);
         DecodeSetNoPayloadInspectionFlag(p);
     }
+
+
+    /* update flow's ttl fields if needed */
+    if (PKT_IS_IPV4(p)) {
+        uint8_t ttl = IPV4_GET_IPTTL(p);
+        if (ttl < f->min_ttl) {
+            f->min_ttl = ttl;
+        } else if (ttl > f->max_ttl) {
+            f->max_ttl = ttl;
+        }
+    } else if (PKT_IS_IPV6(p)) {
+        uint8_t ttl = IPV6_GET_HLIM(p);
+        if (ttl < f->min_ttl) {
+            f->min_ttl = ttl;
+        } else if (ttl > f->max_ttl) {
+            f->max_ttl = ttl;
+        }
+    }
 }
 
 /** \brief Entry point for packet flow handling
diff --git a/src/flow.h b/src/flow.h
index 93ca7afc65..0ecedeee9c 100644
--- a/src/flow.h
+++ b/src/flow.h
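Review bot: The TTL update appended to FlowHandlePacketUpdate in the flow.c hunk has no direction check, so min_ttl/max_ttl fold in packets from both the to-server and to-client side; if that is intended, the comment should say so, because a per-direction TTL bound is what a reader of a "netflow" record would expect. The IPv4 and IPv6 branches are also identical once the hop count has been read, so the comparison logic can be written once, and the two bare blank lines added before the comment are a style nit. The `else if` for the max update is only correct while min_ttl <= max_ttl holds, which FlowInit establishes for IP flows, so the dependency is worth stating. FlowHandlePacketUpdate begins outside the hunk.

```c
    /* … unchanged: FLOW_NOPAYLOAD_INSPECTION handling … */

    /* update flow's ttl bounds; packets of both directions are folded in,
     * and FlowInit guarantees min_ttl <= max_ttl so one branch suffices */
    if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
        uint8_t ttl = PKT_IS_IPV4(p) ? IPV4_GET_IPTTL(p) : IPV6_GET_HLIM(p);
        if (ttl < f->min_ttl) {
            f->min_ttl = ttl;
        } else if (ttl > f->max_ttl) {
            f->max_ttl = ttl;
        }
    }
```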
@@ -183,6 +183,16 @@ typedef struct AppLayerParserState_ AppLayerParserState;
         (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
     } while (0)
 
+#define FLOW_SET_IPV4_TTL_FROM_PACKET(p, f) do { \
+        (f)->min_ttl = IPV4_GET_IPTTL((p)); \
+        (f)->max_ttl = IPV4_GET_IPTTL((p)); \
+    } while (0)
+
+#define FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f) do { \
+        (f)->min_ttl = IPV6_GET_HLIM((p)); \
+        (f)->max_ttl = IPV6_GET_HLIM((p)); \
+    } while (0)
+
 /* pkt flow flags */
 #define FLOW_PKT_TOSERVER 0x01
 #define FLOW_PKT_TOCLIENT 0x02
@@ -330,6 +340,8 @@ typedef struct Flow_
     };
     uint8_t proto;
     uint8_t recursion_level;
+    uint8_t min_ttl;
+    uint8_t max_ttl;
     uint16_t vlan_id[2];
 
     /** flow hash - the flow hash before hash table size mod. */
diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index 9464a15a3f..59457b4207 100644
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -214,6 +214,9 @@ static void JsonNetFlowLogJSONToServer(JsonNetFlowLogThread *aft, json_t *js, Fl
     json_object_set_new(hjs, "age",
             json_integer(age));
 
+    json_object_set_new(hjs, "min_ttl", json_integer(f->min_ttl));
+    json_object_set_new(hjs, "max_ttl", json_integer(f->max_ttl));
+
     json_object_set_new(js, "netflow", hjs);
 
     /* TCP */
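Review bot: Both new macros in the first flow.h hunk read the header field twice, `IPV4_GET_IPTTL((p))` once for min_ttl and once for max_ttl; a single chained assignment, `(f)->min_ttl = (f)->max_ttl = IPV4_GET_IPTTL((p));`, and likewise `(f)->min_ttl = (f)->max_ttl = IPV6_GET_HLIM((p));`, reads it once and makes the "both bounds start at the first packet's value" intent explicit. The macros also assume IPV4_GET_IPTTL and IPV6_GET_HLIM are visible wherever flow.h is included; the neighbouring address macros already depend on `(p)->ip6h`, so this is presumably already the case, but it is worth confirming rather than relying on include order.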
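Review bot: The two fields added to struct Flow_ in the second flow.h hunk carry no documentation, unlike the hash field a few lines below; a short comment should record what they hold and who writes them, e.g. `/** lowest and highest IP TTL (IPv6 hop limit) seen on this flow, both directions; set by FlowInit, updated by FlowHandlePacketUpdate */`. Recording that the bounds are flow-wide matters for analysts, since a wide min/max spread within one flow is one of the signals used to notice spoofed or multi-source traffic, and a consumer who assumes a per-direction value would misread it. Placing them after the two existing uint8_t members presumably keeps vlan_id's alignment unchanged; if that is the reason, a comment would stop a later reordering from undoing it.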
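Review bot: The two new `json_object_set_new(hjs, ...)` calls live in JsonNetFlowLogJSONToServer, but the update in flow.c folds packets of both directions into the same min_ttl/max_ttl, so the to-server netflow record now carries bounds that also reflect to-client packets; a comment above the two lines should make that explicit, e.g. `/* ttl bounds are tracked flow-wide (both directions), not per direction */`. The diffstat shows only three insertions in this file, so if a to-client logging counterpart exists it is not given the fields here; either add them there with the same caveat or document the asymmetry. JsonNetFlowLogJSONToServer begins outside the hunk.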