Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Adding support to de-capsulate tunnels.

Browse source 
Checkpoint.
Decapsulation happens after IP Defragmentation. The "identity" of the
enclosing tunnel (the "parent") is added to the connection record of the
child (tunneled) connection as an optional field $tunnel_parent.
This commit is contained in:
Gregor Maier 2011-08-03 14:12:47 -07:00
parent 6c806b0bce
commit 9c388a1809
10 changed files with 183 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/Conn.h
View file

@ -86,7 +86,7 @@ class Analyzer;
class Connection : public BroObj {
public:
Connection(NetSessions* s, HashKey* k, double t, const ConnID* id);
Connection(NetSessions* s, HashKey* k, double t, const ConnID* id, RecordVal *arg_tunnel_parent);
virtual ~Connection();
// Invoked when connection is about to be removed. Use Ref(this)
@ -335,6 +335,7 @@ protected:
double inactivity_timeout;
RecordVal* conn_val;
LoginConn* login_conn; // either nil, or this
RecordVal* tunnel_parent; // nil if not tunneled
int suppress_event; // suppress certain events to once per conn.
unsigned int installed_status_timer:1;