QUIC: Introduce discarded_packet() event

And include its occurrence into the history as X. The event raising is configurable with a new const redef QUIC::max_discarded_packet_events.
2025-10-10 10:38:20 +00:00 · 2025-10-08 17:25:41 +02:00 · 2025-10-08 17:25:41 +02:00 · 586b7b94cb
commit 586b7b94cb
parent 9345a8c84e
15 changed files with 96 additions and 8 deletions
--- a/scripts/base/protocols/quic/main.zeek
+++ b/scripts/base/protocols/quic/main.zeek
@ -59,6 +59,7 @@ export {
 		## C       CONNECTION_CLOSE packet
 		## S       SSL Client/Server Hello
 		## U       Unfamiliar QUIC version
+		## X       Discarded packet after successful decryption of INITIAL packets.
 		## ======  ====================================================
 		history: string &log &default="";

@ -77,6 +78,10 @@ export {

 	## The maximum length of the history field.
 	option max_history_length = 100;
+
+	## Maximum number of QUIC::discarded packet() events to generate.
+	## Set to 0 for unlimited, -1 for disabled.
+	const max_discarded_packet_events: int = 100 &redef;
 }

 redef record connection += {
@ -164,6 +169,18 @@ event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: str
 	delete c$quic;
 	}

+event QUIC::discarded_packet(c: connection, is_orig: bool, total_decrypted: count)
+	{
+	if ( ! c?$quic )
+		{
+		# This should not happen.
+		Reporter::conn_weird("QUIC_spurious_discarded_packet", c);
+		return;
+		}
+
+	add_to_history(c, is_orig, "Xdiscarded");
+	}
+
 # If we couldn't handle a version, log it as a single record.
 event QUIC::unhandled_version(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 	{
--- a/scripts/base/protocols/quic/spicy-events.zeek
+++ b/scripts/base/protocols/quic/spicy-events.zeek
@ -94,3 +94,15 @@ global QUIC::connection_close_frame: event(c: connection, is_orig: bool, version
 ##
 ## scid: The Source Connection ID field.
 global QUIC::unhandled_version: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+## Generated when a QUIC packet with fixed_bit 0 is encountered.
+##
+## This event is only generated if some INITIAL QUIC packets were successfully
+## decrypted previously.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## total_decrypted: The number of QUIC packets successfully decrypted previously.
+global QUIC::discarded_packet: event(c: connection, is_orig: bool, total_decrypted: count);