Fix packet timestamp handling for encapsulated packets.

src/decode.h

@@ -367,6 +367,8 @@ typedef struct DecodeThreadVars_
     } \
     (p)->pktvar = NULL; \
     (p)->recursion_level = 0; \
+    (p)->ts.tv_sec = 0; \
+    (p)->ts.tv_usec = 0; \
 }
 
 /* reset these to -1(indicates that the packet is fresh from the queue) */

src/flow.c

@@ -659,7 +659,7 @@ void *FlowManagerThread(void *td)
         sleeping += 10;
     }
 
-    SCLogInfo("%" PRIu32 " new flows, %" PRIu32 " established flows were timed out, %"PRIu32"", new_cnt, established_cnt, closing_cnt);
+    SCLogInfo("%" PRIu32 " new flows, %" PRIu32 " established flows were timed out, %"PRIu32" flows in closed state", new_cnt, established_cnt, closing_cnt);
     pthread_exit((void *) 0);
 }
 

src/source-pcap-file.c

@@ -22,6 +22,7 @@
 #include "tm-modules.h"
 #include "source-pcap-file.h"
 #include "util-time.h"
+#include "util-debug.h"
 
 typedef struct PcapFileGlobalVars_ {
     pcap_t *pcap_handle;
@@ -84,6 +85,7 @@ void PcapFileCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
 
     p->ts.tv_sec = h->ts.tv_sec;
     p->ts.tv_usec = h->ts.tv_usec;
+    SCLogDebug("p->ts.tv_sec %"PRIuMAX"", (uintmax_t)p->ts.tv_sec);
     TimeSet(&p->ts);
     p->datalink = pcap_g.datalink;
 

src/stream-tcp.c

@@ -2673,6 +2673,7 @@ int StreamTcpGetFlowState(void *s)
 
 static int ValidTimestamp (TcpSession *ssn, Packet *p)
 {
+    SCEnter();
 
     TcpStream *sender_stream;
     TcpStream *receiver_stream;
@@ -2686,6 +2687,7 @@ static int ValidTimestamp (TcpSession *ssn, Packet *p)
         sender_stream = &ssn->server;
         receiver_stream = &ssn->client;
     }
+
     /* Set up the os_policy to be used in validating the timestamps based on
        the target system */
     if (receiver_stream->os_policy == 0)
@@ -2739,13 +2741,15 @@ static int ValidTimestamp (TcpSession *ssn, Packet *p)
                 default:
                     /* other OS simply drop the pakcet with 0 timestamp, when
                      * 3whs has valid timestamp*/
-                    return 0;
+                    SCReturnInt(0);
             }
         }
 
         if (check_ts) {
             int32_t result = 0;
 
+            SCLogDebug("ts %"PRIu32", last_ts %"PRIu32"", ts, sender_stream->last_ts);
+
             if (receiver_stream->os_policy == OS_POLICY_LINUX) {
                 /* Linux accepts TS which are off by one.*/
                 result = (int32_t) ((ts - sender_stream->last_ts) + 1);
@@ -2753,6 +2757,8 @@ static int ValidTimestamp (TcpSession *ssn, Packet *p)
                 result = (int32_t) (ts - sender_stream->last_ts);
             }
 
+            SCLogDebug("result %"PRIi32", p->ts.tv_sec %"PRIuMAX"", result, (uintmax_t)p->ts.tv_sec);
+
             if (sender_stream->last_pkt_ts == 0 &&
                     (ssn->flags & STREAMTCP_FLAG_MIDSTREAM))
             {
@@ -2793,6 +2799,8 @@ static int ValidTimestamp (TcpSession *ssn, Packet *p)
                     sender_stream->last_ts = ts;
                     sender_stream->last_pkt_ts = p->ts.tv_sec;
                     ret = 1;
+
+                    SCLogDebug("timestamp considered valid anyway");
                 }
             }
         }
@@ -2803,7 +2811,7 @@ static int ValidTimestamp (TcpSession *ssn, Packet *p)
             ssn->flags &= ~STREAMTCP_FLAG_TIMESTAMP;
     }
 
-    return ret;
+    SCReturnInt(ret);
 }
 
 /** \brief  Set the No reassembly flag for the given direction in given TCP

src/suricata.c

@@ -243,6 +243,9 @@ Packet *TunnelPktSetup(ThreadVars *t, DecodeThreadVars *dtv, Packet *parent, uin
     memcpy(&p->pkt, pkt, len);
     p->recursion_level = parent->recursion_level + 1;
 
+    p->ts.tv_sec = parent->ts.tv_sec;
+    p->ts.tv_usec = parent->ts.tv_usec;
+
     /* set tunnel flags */
     SET_TUNNEL_PKT(p);
     TUNNEL_INCR_PKT_TPR(p);