Move TCPStateStats object out of session_mgr

src/packet_analysis/protocol/tcp/CMakeLists.txt

@@ -4,5 +4,5 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
 zeek_plugin_begin(PacketAnalyzer TCP_PKT)
-zeek_plugin_cc(TCP.cc TCPSessionAdapter.cc Plugin.cc)
+zeek_plugin_cc(TCP.cc TCPSessionAdapter.cc Plugin.cc Stats.cc)
 zeek_plugin_end()

src/packet_analysis/protocol/tcp/Stats.cc

@@ -0,0 +1,87 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/tcp/Stats.h"
+
+#include "zeek/File.h"
+
+#include "zeek/analyzer/protocol/tcp/events.bif.h"
+
+namespace zeek::packet_analysis::TCP {
+
+TCPStateStats::TCPStateStats()
+	{
+	for ( int i = 0; i < analyzer::tcp::TCP_ENDPOINT_RESET + 1; ++i )
+		for ( int j = 0; j < analyzer::tcp::TCP_ENDPOINT_RESET + 1; ++j )
+			state_cnt[i][j] = 0;
+	}
+
+void TCPStateStats::ChangeState(analyzer::tcp::EndpointState o_prev, analyzer::tcp::EndpointState o_now,
+                                analyzer::tcp::EndpointState r_prev, analyzer::tcp::EndpointState r_now)
+	{
+	--state_cnt[o_prev][r_prev];
+	++state_cnt[o_now][r_now];
+	}
+
+void TCPStateStats::FlipState(analyzer::tcp::EndpointState orig, analyzer::tcp::EndpointState resp)
+	{
+	--state_cnt[orig][resp];
+	++state_cnt[resp][orig];
+	}
+
+unsigned int TCPStateStats::NumStatePartial() const
+	{
+	unsigned int sum = 0;
+	for ( int i = 0; i < analyzer::tcp::TCP_ENDPOINT_RESET + 1; ++i )
+		{
+		sum += state_cnt[analyzer::tcp::TCP_ENDPOINT_PARTIAL][i];
+		sum += state_cnt[i][analyzer::tcp::TCP_ENDPOINT_PARTIAL];
+		}
+
+	return sum;
+	}
+
+void TCPStateStats::PrintStats(File* file, const char* prefix)
+	{
+	file->Write(prefix);
+	file->Write("        Inact.  Syn.    SA      Part.   Est.    Fin.    Rst.\n");
+
+	for ( int i = 0; i < analyzer::tcp::TCP_ENDPOINT_RESET + 1; ++i )
+		{
+		file->Write(prefix);
+
+		switch ( i ) {
+#define STATE_STRING(state, str) \
+	case state: \
+		file->Write(str); \
+		break;
+
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_INACTIVE, "Inact.");
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, "Syn.  ");
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT, "SA    ");
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_PARTIAL, "Part. ");
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, "Est.  ");
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_CLOSED, "Fin.  ");
+		STATE_STRING(analyzer::tcp::TCP_ENDPOINT_RESET, "Rst.  ");
+
+		}
+
+		file->Write("  ");
+
+		for ( int j = 0; j < analyzer::tcp::TCP_ENDPOINT_RESET + 1; ++j )
+			{
+			unsigned int n = state_cnt[i][j];
+			if ( n > 0 )
+				{
+				char buf[32];
+				snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
+				file->Write(buf);
+				}
+			else
+				file->Write("        ");
+			}
+
+		file->Write("\n");
+		}
+	}
+
+} // namespace zeek::packet_analysis::TCP

src/packet_analysis/protocol/tcp/Stats.h

@@ -0,0 +1,71 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/analyzer/protocol/tcp/TCP_Endpoint.h"
+
+namespace zeek::packet_analysis::TCP {
+
+/**
+ * A TCPStateStats object tracks the distribution of TCP states for
+ * the currently active connections.
+ */
+class TCPStateStats {
+public:
+	TCPStateStats();
+	~TCPStateStats() = default;
+
+	void ChangeState(analyzer::tcp::EndpointState o_prev, analyzer::tcp::EndpointState o_now,
+	                 analyzer::tcp::EndpointState r_prev, analyzer::tcp::EndpointState r_now);
+	void FlipState(analyzer::tcp::EndpointState orig, analyzer::tcp::EndpointState resp);
+
+	void StateEntered (analyzer::tcp::EndpointState o_state, analyzer::tcp::EndpointState r_state)
+		{ ++state_cnt[o_state][r_state]; }
+	void StateLeft (analyzer::tcp::EndpointState o_state, analyzer::tcp::EndpointState r_state)
+		{ --state_cnt[o_state][r_state]; }
+
+	unsigned int Cnt(analyzer::tcp::EndpointState state) const
+		{ return Cnt(state, state); }
+	unsigned int Cnt(analyzer::tcp::EndpointState state1, analyzer::tcp::EndpointState state2) const
+		{ return state_cnt[state1][state2]; }
+
+	unsigned int NumStateEstablished() const
+		{ return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED); }
+	unsigned int NumStateHalfClose() const
+		{ // corresponds to S2,S3
+		return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, analyzer::tcp::TCP_ENDPOINT_CLOSED) +
+			Cnt(analyzer::tcp::TCP_ENDPOINT_CLOSED, analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
+		}
+	unsigned int NumStateHalfRst() const
+		{
+		return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, analyzer::tcp::TCP_ENDPOINT_RESET) +
+			Cnt(analyzer::tcp::TCP_ENDPOINT_RESET, analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
+		}
+	unsigned int NumStateClosed() const
+		{ return Cnt(analyzer::tcp::TCP_ENDPOINT_CLOSED); }
+	unsigned int NumStateRequest() const
+		{
+		assert(Cnt(analyzer::tcp::TCP_ENDPOINT_INACTIVE, analyzer::tcp::TCP_ENDPOINT_SYN_SENT)==0);
+		return Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, analyzer::tcp::TCP_ENDPOINT_INACTIVE);
+		}
+	unsigned int NumStateSuccRequest() const
+		{
+		return Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT) +
+			Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT, analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
+		}
+	unsigned int NumStateRstRequest() const
+		{
+		return Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, analyzer::tcp::TCP_ENDPOINT_RESET) +
+			Cnt(analyzer::tcp::TCP_ENDPOINT_RESET, analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
+		}
+	unsigned int NumStateInactive() const
+		{ return Cnt(analyzer::tcp::TCP_ENDPOINT_INACTIVE); }
+	unsigned int NumStatePartial() const;
+
+	void PrintStats(File* file, const char* prefix);
+
+private:
+	unsigned int state_cnt[analyzer::tcp::TCP_ENDPOINT_RESET+1][analyzer::tcp::TCP_ENDPOINT_RESET+1];
+};
+
+} // namespace zeek::packet_analysis::TCP

src/packet_analysis/protocol/tcp/TCP.h

@@ -5,6 +5,7 @@
 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Component.h"
 #include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
+#include "zeek/packet_analysis/protocol/tcp/Stats.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
 
 namespace zeek::analyzer::tcp { class TCP_Endpoint; }
@@ -30,6 +31,12 @@ public:
 	 */
 	void Initialize() override;
 
+	static TCPStateStats& GetStats()
+		{
+		static TCPStateStats stats;
+		return stats;
+		}
+
 protected:
 
 	/**

src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc

@@ -12,6 +12,7 @@
 #include "zeek/analyzer/protocol/pia/PIA.h"
 #include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
 #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
+#include "zeek/packet_analysis/protocol/tcp/TCP.h"
 
 #include "zeek/analyzer/protocol/tcp/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/types.bif.h"
@@ -536,7 +537,7 @@ void TCPSessionAdapter::FlipRoles()
 	{
 	Analyzer::FlipRoles();
 
-	session_mgr->tcp_stats.FlipState(orig->state, resp->state);
+	TCPAnalyzer::GetStats().FlipState(orig->state, resp->state);
 	analyzer::tcp::TCP_Endpoint* tmp_ep = resp;
 	resp = orig;
 	orig = tmp_ep;

src/packet_analysis/protocol/tcp/TCPSessionAdapter.h

@@ -7,14 +7,10 @@
 #include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
 #include "zeek/session/Manager.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
+#include "zeek/analyzer/protocol/tcp/TCP_Endpoint.h"
 
 namespace zeek::analyzer::pia { class PIA_TCP; }
-namespace zeek::analyzer::tcp {
-
-class TCP_Endpoint;
-class TCP_Reassembler;
-
-}
+namespace zeek::analyzer::tcp { class TCP_Reassembler; }
 
 namespace zeek::packet_analysis::TCP {