diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 1b816a11b7..3ebe77439b 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -7,6 +7,7 @@
 #include "zeek/Val.h"
 #include "zeek/analyzer/Manager.h"
 #include "zeek/analyzer/protocol/pia/PIA.h"
+#include "zeek/conntuple/Manager.h"
 #include "zeek/plugin/Manager.h"
 #include "zeek/session/Manager.h"
@@ -22,17 +23,17 @@ IPBasedAnalyzer::~IPBasedAnalyzer() {
 }
 bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt) {
- ConnTuple tuple;
- if ( ! BuildConnTuple(len, data, pkt, tuple) )
+ ConnTuplePtr tuple = zeek::conntuple_mgr->GetBuilder().GetTuple(pkt);
+ if ( ! BuildConnTuple(len, data, pkt, *tuple) )
 return false;
 const std::shared_ptr& ip_hdr = pkt->ip_hdr;
- zeek::detail::ConnKey key(tuple);
+ zeek::detail::ConnKeyPtr key = zeek::conntuple_mgr->GetBuilder().GetKey(*tuple);
- Connection* conn = session_mgr->FindConnection(key);
+ Connection* conn = session_mgr->FindConnection(*key);
 if ( ! conn ) {
- conn = NewConn(&tuple, key, pkt);
+ conn = NewConn(tuple.get(), key, pkt);
 if ( conn )
 session_mgr->Insert(conn, false);
 }
@@ -41,7 +42,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 conn->Event(connection_reused, nullptr);
 session_mgr->Remove(conn);
- conn = NewConn(&tuple, key, pkt);
+ conn = NewConn(tuple.get(), key, pkt);
 if ( conn )
 session_mgr->Insert(conn, false);
 }
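Review bot: In `AnalyzePacket`, the pointer returned by `zeek::conntuple_mgr->GetBuilder().GetTuple(pkt)` is dereferenced as `*tuple` on the next line, and the result of `GetKey(*tuple)` is dereferenced as `*key` in the `FindConnection` call, with no check that either is non-null. This path runs for every packet, so if the builder can ever fail to produce a tuple or key (its contract is not visible in this diff), malformed or unexpected traffic would crash the monitor instead of being skipped. Consider `if ( ! tuple || ! BuildConnTuple(len, data, pkt, *tuple) ) return false;` plus `if ( ! key ) return false;` before the lookup, or state on the builder interface that both calls never return null. The same pattern appears in `Manager::FindConnection(Val* v)` in src/session/Manager.cc, where `conn_key->Valid()` is called on the freshly returned pointer. `AnalyzePacket` continues beyond this hunk.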
@@ -57,7 +58,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 // get logged, which means we can mark this packet as having been processed.
 pkt->processed = true;
- bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
+ bool is_orig = (tuple->src_addr == conn->OrigAddr()) && (tuple->src_port == conn->OrigPort());
 pkt->is_orig = is_orig;
 conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
@@ -140,7 +141,7 @@ bool IPBasedAnalyzer::IsLikelyServerPort(uint32_t port) const {
 return port_cache.find(port) != port_cache.end();
 }
-zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const zeek::detail::ConnKey& key, const Packet* pkt) {
+zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const zeek::detail::ConnKeyPtr key, const Packet* pkt) {
 int src_h = ntohs(id->src_port);
 int dst_h = ntohs(id->dst_port);
 bool flip = false;
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
index 729824c4dc..a7e9ee44d1 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
@@ -185,7 +185,7 @@ private:
 * @param key A connection ID key generated from the ID.
 * @param pkt The packet associated with the new connection.
 */
- zeek::Connection* NewConn(const ConnTuple* id, const zeek::detail::ConnKey& key, const Packet* pkt);
+ zeek::Connection* NewConn(const ConnTuple* id, const zeek::detail::ConnKeyPtr key, const Packet* pkt);
 void BuildSessionAnalyzerTree(Connection* conn);
diff --git a/src/session/Manager.cc b/src/session/Manager.cc
index 131805ef85..2bdf1e2c3c 100644
--- a/src/session/Manager.cc
+++ b/src/session/Manager.cc
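Review bot: `NewConn` now takes `const zeek::detail::ConnKeyPtr key` by value, both in the definition in IPBasedAnalyzer.cc and in the declaration in IPBasedAnalyzer.h, where the previous signature took the key by const reference. If `ConnKeyPtr` is a `std::shared_ptr` alias (its definition is not shown in this diff), every new connection pays for an atomic reference-count increment and decrement, and the top-level `const` in the declaration has no meaning for callers. Unless `NewConn` is meant to share ownership of the key, `const zeek::detail::ConnKeyPtr& key` keeps the old cost and makes the ownership intent explicit. The `@param key` line in the header should also say whether the connection retains the key after the call returns. The body of `NewConn` continues outside the hunk.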
@@ -17,6 +17,7 @@
 #include "zeek/RunState.h"
 #include "zeek/Timer.h"
 #include "zeek/TunnelEncapsulation.h"
+#include "zeek/conntuple/Manager.h"
 #include "zeek/packet_analysis/Manager.h"
 #include "zeek/session/Session.h"
 #include "zeek/telemetry/Manager.h"
@@ -90,23 +91,23 @@ Manager::~Manager() {
 void Manager::Done() {}
 Connection* Manager::FindConnection(Val* v) {
- zeek::detail::ConnKey conn_key(v);
+ zeek::detail::ConnKeyPtr conn_key = conntuple_mgr->GetBuilder().GetKey(v);
- if ( ! conn_key.Valid() ) {
+ if ( ! conn_key->Valid() ) {
 // Produce a loud error for invalid script-layer conn_id records.
 const char* extra = "";
- if ( conn_key.transport == UNKNOWN_IP_PROTO )
+ if ( conn_key->transport == UNKNOWN_IP_PROTO )
 extra = ": the proto field has the \"unknown\" 65535 value. Did you forget to set it?";
 zeek::emit_builtin_error(zeek::util::fmt("invalid connection ID record encountered%s", extra));
 return nullptr;
 }
- return FindConnection(conn_key);
+ return FindConnection(*conn_key);
 }
 Connection* Manager::FindConnection(const zeek::detail::ConnKey& conn_key) {
- detail::Key key(&conn_key, sizeof(conn_key), detail::Key::CONNECTION_KEY_TYPE, false);
+ detail::Key key{conn_key.SessionKey()};
 auto it = session_map.find(key);
 if ( it != session_map.end() )
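Review bot: In `Manager::FindConnection(const zeek::detail::ConnKey& conn_key)`, the new `detail::Key key{conn_key.SessionKey()};` no longer shows whether the lookup key owns its bytes or points into `conn_key`. The replaced constructor call ended in an explicit `false`, which as far as I can tell told `detail::Key` not to copy the data. A non-owning key is harmless for the `find()` on `session_map` here, but if `SessionKey()` is also used where a key is stored in the map, one that outlives its `ConnKey` would be a use-after-free. I would add a comment such as `// SessionKey() yields a non-owning view of conn_key; used for lookup only.` once the actual semantics are confirmed, and document the ownership rule on `SessionKey()` itself. The function continues beyond this hunk.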