From 3bb0ccba9824f54c983a2058c1af69c15c43ad60 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 21 May 2014 14:29:15 +0200
Subject: [PATCH] stream: track TCP flags per stream direction

For netflow logging track TCP flags per stream direction. As the struct had no more space left without expanding it, the flags and wscale fields are now compressed.
---
 src/stream-tcp-private.h | 8 ++++++--
 src/stream-tcp.c | 12 ++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index 358a4af90c..a21fdc6400 100644
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -62,10 +62,11 @@ typedef struct TcpSegment_ {
 } TcpSegment;
 typedef struct TcpStream_ {
- uint16_t flags; /**< Flag specific to the stream e.g. Timestamp */
+ uint16_t flags:12; /**< Flag specific to the stream e.g. Timestamp */
 /* coccinelle: TcpStream:flags:STREAMTCP_STREAM_FLAG_ */
- uint8_t wscale; /**< wscale setting in this direction */
+ uint16_t wscale:4; /**< wscale setting in this direction, 4 bits as max val is 15 */
 uint8_t os_policy; /**< target based OS policy used for reassembly and handling packets*/
+ uint8_t tcp_flags; /**< TCP flags seen */
 uint32_t isn; /**< initial sequence number */
 uint32_t next_seq; /**< next expected sequence number */
@@ -167,6 +168,9 @@ enum
 #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED 0x0100
 /** Raw reassembly disabled for new segments */
 #define STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED 0x0200
+// vacancy 2x
+/** NOTE: flags field is 12 bits */
+
 /*
 * Per SEGMENT flags
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index c81db46121..9d60c9761a 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
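Review bot: Narrowing `flags` to `uint16_t flags:12` and `wscale` to `uint16_t wscale:4` in TcpStream means any store of a value that does not fit is truncated silently (no diagnostic unless -Wconversion is on), so the field comments should state the contract writers must honour. For `wscale`, RFC 7323 limits the effective shift count to 14, so a 4-bit field is only wide enough if the option parser clamps before storing; that parser is outside this diff, so I would make the expectation explicit: `uint16_t wscale:4; /**< window scale shift (0..14 per RFC 7323); callers clamp before storing, the bit-field truncates silently */`. For `flags`, the `// vacancy 2x` / `NOTE` comment added in the second hunk documents the 12-bit limit but nothing enforces it; a compile-time check next to that NOTE that the highest STREAMTCP_STREAM_FLAG_ value is below `1 << 12` would catch the next flag added above 0x0800. Also, `uint16_t` as a bit-field type is implementation-defined in C99 (only `int`, `unsigned int` and `_Bool` are guaranteed), which GCC and Clang accept, so a one-line comment that the two members are expected to pack into a single 16-bit unit, as the commit message relies on, would help the next reader. The struct definition continues outside the hunk.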
@@ -655,6 +655,14 @@ TcpSession *StreamTcpNewSession (Packet *p, int id)
 ssn->state = TCP_NONE;
 ssn->flags = stream_config.ssn_init_flags;
 ssn->tcp_packet_flags = p->tcph ? p->tcph->th_flags : 0;
+
+ if (PKT_IS_TOSERVER(p)) {
+ ssn->client.tcp_flags = p->tcph ? p->tcph->th_flags : 0;
+ ssn->server.tcp_flags = 0;
+ } else if (PKT_IS_TOCLIENT(p)) {
+ ssn->server.tcp_flags = p->tcph ? p->tcph->th_flags : 0;
+ ssn->client.tcp_flags = 0;
+ }
 }
 return ssn;
@@ -4201,6 +4209,10 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 /* track TCP flags */
 if (ssn != NULL) {
 ssn->tcp_packet_flags |= p->tcph->th_flags;
+ if (PKT_IS_TOSERVER(p))
+ ssn->client.tcp_flags |= p->tcph->th_flags;
+ else if (PKT_IS_TOCLIENT(p))
+ ssn->server.tcp_flags |= p->tcph->th_flags;
 }
 /* update counters */
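Review bot: The new branches in StreamTcpNewSession leave both `client.tcp_flags` and `server.tcp_flags` untouched when the packet is in neither direction, so whether they start at zero depends on the session memory being cleared on allocation, which is outside this hunk. Zeroing both fields first and then reusing the value already stored in `ssn->tcp_packet_flags` on the line above removes that dependency and the repeated `p->tcph ? p->tcph->th_flags : 0`: `ssn->client.tcp_flags = ssn->server.tcp_flags = 0;` / `if (PKT_IS_TOSERVER(p)) ssn->client.tcp_flags = ssn->tcp_packet_flags;` / `else if (PKT_IS_TOCLIENT(p)) ssn->server.tcp_flags = ssn->tcp_packet_flags;`. The enclosing block and the function body start before the hunk.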
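Review bot: The two added `|=` lines in StreamTcpPacket dereference `p->tcph` unguarded while the same values are guarded with `p->tcph ? … : 0` in StreamTcpNewSession earlier in this commit; the existing `ssn->tcp_packet_flags |= p->tcph->th_flags;` on the line above already does the same, so either the guard in StreamTcpNewSession is dead or this path needs it, and it would help to settle which with a comment such as `/* p->tcph is non-NULL here: only TCP packets reach StreamTcpPacket */` if that is indeed the invariant. Style-wise, the single-statement `if`/`else if` bodies are unbraced while the hunk above braces the same shape; bracing them keeps the two sites consistent. The body of StreamTcpPacket continues outside the hunk.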