flow: tag first packet in each direction

Set a flowflag for the first packet in each direction: FLOW_PKT_TOSERVER_FIRST and FLOW_PKT_TOCLIENT_FIRST
11 years ago · 6ad53627de
parent c88cbb39fe
commit 6ad53627de
3 changed files with 26 additions and 8 deletions
--- a/src/flow.c
+++ b/src/flow.c
@ -238,11 +238,11 @@ void FlowHandlePacketUpdateRemove(Flow *f, Packet *p)
    if (p->flowflags & FLOW_PKT_TOSERVER) {
        f->todstpktcnt--;
        f->todstbytecnt -= GET_PKT_LEN(p);
-        p->flowflags &= ~FLOW_PKT_TOSERVER;
+        p->flowflags &= ~(FLOW_PKT_TOSERVER|FLOW_PKT_TOSERVER_FIRST);
    } else {
        f->tosrcpktcnt--;
        f->tosrcbytecnt -= GET_PKT_LEN(p);
-        p->flowflags &= ~FLOW_PKT_TOCLIENT;
+        p->flowflags &= ~(FLOW_PKT_TOCLIENT|FLOW_PKT_TOCLIENT_FIRST);
    }
    p->flowflags &= ~FLOW_PKT_ESTABLISHED;

@ -275,19 +275,25 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)

    /* update flags and counters */
    if (FlowGetPacketDirection(f, p) == TOSERVER) {
-        if (FlowUpdateSeenFlag(p)) {
-            f->flags |= FLOW_TO_DST_SEEN;
-        }
        f->todstpktcnt++;
        f->todstbytecnt += GET_PKT_LEN(p);
        p->flowflags = FLOW_PKT_TOSERVER;
-    } else {
-        if (FlowUpdateSeenFlag(p)) {
-            f->flags |= FLOW_TO_SRC_SEEN;
+        if (!(f->flags & FLOW_TO_DST_SEEN)) {
+            if (FlowUpdateSeenFlag(p)) {
+                f->flags |= FLOW_TO_DST_SEEN;
+                p->flowflags |= FLOW_PKT_TOSERVER_FIRST;
+            }
        }
+    } else {
        f->tosrcpktcnt++;
        f->tosrcbytecnt += GET_PKT_LEN(p);
        p->flowflags = FLOW_PKT_TOCLIENT;
+        if (!(f->flags & FLOW_TO_SRC_SEEN)) {
+            if (FlowUpdateSeenFlag(p)) {
+                f->flags |= FLOW_TO_SRC_SEEN;
+                p->flowflags |= FLOW_PKT_TOCLIENT_FIRST;
+            }
+        }
    }

    if ((f->flags & (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) == (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) {
--- a/src/flow.h
+++ b/src/flow.h
@ -171,6 +171,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 #define FLOW_PKT_ESTABLISHED            0x04
 #define FLOW_PKT_TOSERVER_IPONLY_SET    0x08
 #define FLOW_PKT_TOCLIENT_IPONLY_SET    0x10
+#define FLOW_PKT_TOSERVER_FIRST         0x20
+#define FLOW_PKT_TOCLIENT_FIRST         0x40

 #define FLOW_END_FLAG_STATE_NEW         0x01
 #define FLOW_END_FLAG_STATE_ESTABLISHED 0x02
--- a/src/stream-tcp.h
+++ b/src/stream-tcp.h
@ -171,9 +171,19 @@ static inline void StreamTcpPacketSwitchDir(TcpSession *ssn, Packet *p)
    if (PKT_IS_TOSERVER(p)) {
        p->flowflags &= ~FLOW_PKT_TOSERVER;
        p->flowflags |= FLOW_PKT_TOCLIENT;
+
+        if (p->flowflags & FLOW_PKT_TOSERVER_FIRST) {
+            p->flowflags &= ~FLOW_PKT_TOSERVER_FIRST;
+            p->flowflags |= FLOW_PKT_TOCLIENT_FIRST;
+        }
    } else {
        p->flowflags &= ~FLOW_PKT_TOCLIENT;
        p->flowflags |= FLOW_PKT_TOSERVER;
+
+        if (p->flowflags & FLOW_PKT_TOCLIENT_FIRST) {
+            p->flowflags &= ~FLOW_PKT_TOCLIENT_FIRST;
+            p->flowflags |= FLOW_PKT_TOSERVER_FIRST;
+        }
    }
 }