mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Optimize Conn::set_conn to minimize operations
Now that Conn::set_conn is guaranteed to be called at the beginning and at the end of the connection, we can skip re-setting the elements that we know will not have changed. This prevents repeated lookups, e.g. to check that addresses are in the local networks. During `connection_state_remove`, only the duration, number of packets, service, and history fields are updated. local_orig and local_resp are updated when the connection is flipped. A test was added for that purpose. It uses the already existing http.zeek-image-post-1080-8000-x.pcap, which was slightly rewritten for this, so that one side of the connection has IP addresses different from 127.0.0.1. The existing history-flip test also was updated to have one side being in a local-net, to check that the flipping of local_orig and local_resp works correctly at the beginning of a connection.
parent
3e4f67e67c
commit
83d5243cf6
10 changed files with 58 additions and 32 deletions
|
@ -243,26 +243,31 @@ function conn_state(c: connection, trans: transport_proto): string
|
|||
## Fill out the c$conn record for logging
|
||||
function set_conn(c: connection, eoc: bool)
|
||||
{
|
||||
if ( ! c?$conn )
|
||||
{
|
||||
local p = get_port_transport_proto(c$id$resp_p);
|
||||
c$conn = Info($ts=c$start_time, $uid=c$uid, $proto=p);
|
||||
}
|
||||
if ( ! eoc ) {
|
||||
if ( ! c?$conn )
|
||||
{
|
||||
local p = get_port_transport_proto(c$id$resp_p);
|
||||
c$conn = Info($ts=c$start_time, $uid=c$uid, $proto=p);
|
||||
}
|
||||
|
||||
c$conn$id=c$id;
|
||||
if ( c?$tunnel && |c$tunnel| > 0 )
|
||||
{
|
||||
if ( ! c$conn?$tunnel_parents )
|
||||
c$conn$tunnel_parents = set();
|
||||
add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
|
||||
}
|
||||
if( |Site::local_nets| > 0 )
|
||||
{
|
||||
c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
|
||||
c$conn$local_resp=Site::is_local_addr(c$id$resp_h);
|
||||
}
|
||||
c$conn$id=c$id;
|
||||
if ( c?$tunnel && |c$tunnel| > 0 )
|
||||
{
|
||||
if ( ! c$conn?$tunnel_parents )
|
||||
c$conn$tunnel_parents = set();
|
||||
add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
|
||||
}
|
||||
|
||||
if ( eoc )
|
||||
if ( c$id$proto != 65535 )
|
||||
c$conn$ip_proto = c$id$proto;
|
||||
|
||||
if( |Site::local_nets| > 0 )
|
||||
{
|
||||
c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
|
||||
c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( c$duration > 0secs )
|
||||
{
|
||||
|
@ -288,9 +293,6 @@ function set_conn(c: connection, eoc: bool)
|
|||
if ( c$history != "" )
|
||||
c$conn$history=c$history;
|
||||
}
|
||||
|
||||
if ( c$id$proto != 65535 )
|
||||
c$conn$ip_proto = c$id$proto;
|
||||
}
|
||||
|
||||
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
|
||||
|
@ -314,6 +316,16 @@ event new_connection(c: connection) &priority=100
|
|||
set_conn(c, F);
|
||||
}
|
||||
|
||||
event connection_flipped(c: connection) &priority=5
|
||||
{
|
||||
# otherwise, set-conn has not been called yet. In that case we don't have to do anything
|
||||
if ( c?$conn )
|
||||
{
|
||||
c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
|
||||
c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
|
||||
}
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=5
|
||||
{
|
||||
set_conn(c, T);
|
||||
|
|
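Review bot: The new `connection_flipped` handler calls `Site::is_local_addr` whenever `c?$conn` is set, but `set_conn` fills `local_orig`/`local_resp` only under `if( |Site::local_nets| > 0 )`. With no local networks configured, a flipped connection would therefore get both fields written while an unflipped one leaves them unset. These conn.log direction fields are commonly used in detection filters, so the handler should apply the same guard: `if ( c?$conn && |Site::local_nets| > 0 )`. Separately, the `c?$conn` initialisation now sits only in the `! eoc` branch, so the `else` branch (for example `c$conn$history=c$history;`) relies on an earlier `set_conn(c, F)` call; the commit description states that guarantee, and a comment at the `else` such as `# c$conn was already created by set_conn(c, F) in new_connection` would record it for later callers. The bodies of `set_conn` and `connection_state_remove` continue outside the visible hunks.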