Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

GH-646: add new "successful_connection_remove" event

Browse source 
And switch Zeek's base scripts over to using it in place of
"connection_state_remove".  The difference between the two is
that "connection_state_remove" is raised for all events while
"successful_connection_remove" excludes TCP connections that were never
established (just SYN packets).  There can be performance benefits
to this change for some use-cases.

There's also a new event called ``connection_successful`` and a new
``connection`` record field named "successful" to help indicate this new
property of connections.
This commit is contained in:
Jon Siwek 2019-11-02 11:12:00 -07:00
parent 75588956fc
commit 31f60853c9
48 changed files with 570 additions and 371 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/analyzer/protocol/tcp/TCP.cc
View file

@ -1197,6 +1197,12 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
// TCP Fast Open).
CheckPIA_FirstPacket(is_orig, ip);
// Note the similar/inverse logic to connection_attempt.
if ( resp->state != TCP_ENDPOINT_INACTIVE ||
(orig->state != TCP_ENDPOINT_SYN_SENT &&
orig->state != TCP_ENDPOINT_SYN_ACK_SENT))
Conn()->SetSuccessful();
if ( DEBUG_tcp_data_sent )
{
DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",