diff --git a/src/Conn.cc b/src/Conn.cc index 1092ac1d74..86c2c690ad 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -23,15 +23,15 @@ namespace zeek { uint64_t Connection::total_connections = 0; uint64_t Connection::current_connections = 0; -Connection::Connection(zeek::IPBasedConnKeyPtr k, const zeek::ConnTuple& ct, double t, uint32_t flow, const Packet* pkt) +Connection::Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const Packet* pkt) : Session(t, connection_timeout, connection_status_update, detail::connection_status_update_interval), key(std::move(k)) { - orig_addr = ct.src_addr; - resp_addr = ct.dst_addr; - orig_port = ct.src_port; - resp_port = ct.dst_port; + orig_addr = key->SrcAddr(); + resp_addr = key->DstAddr(); + orig_port = key->SrcPort(); + resp_port = key->DstPort(); - switch ( ct.proto ) { + switch ( key->Proto() ) { case IPPROTO_TCP: proto = TRANSPORT_TCP; break; case IPPROTO_UDP: proto = TRANSPORT_UDP; break; case IPPROTO_ICMP: @@ -60,7 +60,7 @@ Connection::Connection(const detail::ConnKey& k, double t, const ConnTuple* id, } key = std::make_unique(); - key->InitTuple(*id); + key->InitTuple(id->src_addr, id->src_port, id->dst_addr, id->dst_port, id->proto, id->is_one_way); key->Init(*pkt); Init(flow, pkt); diff --git a/src/Conn.h b/src/Conn.h index 2bff20b240..a35c419b91 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -53,13 +53,19 @@ enum ConnEventToFlag : uint8_t { NUM_EVENTS_TO_FLAG, }; +// Deprecated without replacement: remove in v8.1. +// XXX using [[deprecated]] for the whole struct leads to hard errors on FreeBSD/MacOS. +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" struct ConnTuple { - IPAddr src_addr; - IPAddr dst_addr; - uint32_t src_port = 0; - uint32_t dst_port = 0; - uint16_t proto = UNKNOWN_IP_PROTO; - bool is_one_way = false; // if true, don't canonicalize order +#pragma GCC diagnostic pop + [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr src_addr; + [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr dst_addr; + [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t src_port = 0; + [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t dst_port = 0; + [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint16_t proto = UNKNOWN_IP_PROTO; + [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] bool is_one_way = + false; // if true, don't canonicalize order }; static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) { @@ -68,7 +74,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPA class Connection final : public session::Session { public: - Connection(zeek::IPBasedConnKeyPtr k, const zeek::ConnTuple& ct, double t, uint32_t flow, const Packet* pkt); + Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const Packet* pkt); [[deprecated("Remove in v8.1. Switch to ConnKey factories and the new zeek::ConnKey tree.")]] Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt); diff --git a/src/IPAddr.cc b/src/IPAddr.cc index d8a777f59d..463896b4f8 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc @@ -23,12 +23,12 @@ ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16 Init(src, dst, src_port, dst_port, proto, one_way); } +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" ConnKey::ConnKey(const ConnTuple& id) { Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way); } -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" ConnKey& ConnKey::operator=(const ConnKey& rhs) { if ( this == &rhs ) return *this; diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index fc73a468f7..006d2d34fb 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -807,9 +807,8 @@ TEST_SUITE("Analyzer management") { REQUIRE(zeek::analyzer_mgr); zeek::Packet p; - zeek::ConnTuple ct; zeek::IPBasedConnKeyPtr kp = std::make_unique(); - auto conn = std::make_unique(std::move(kp), ct, 0, 0, &p); + auto conn = std::make_unique(std::move(kp), 0, 0, &p); auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn.get()); conn->SetSessionAdapter(tcp, nullptr); @@ -840,9 +839,8 @@ TEST_SUITE("Analyzer management") { REQUIRE(zeek::analyzer_mgr); zeek::Packet p; - zeek::ConnTuple ct; zeek::IPBasedConnKeyPtr kp = std::make_unique(); - auto conn = std::make_unique(std::move(kp), ct, 0, 0, &p); + auto conn = std::make_unique(std::move(kp), 0, 0, &p); auto ssh = zeek::analyzer_mgr->InstantiateAnalyzer("SSH", conn.get()); REQUIRE(ssh); diff --git a/src/analyzer/protocol/smtp/BDAT.cc b/src/analyzer/protocol/smtp/BDAT.cc index 56fe42f4bb..df86fbbc41 100644 --- a/src/analyzer/protocol/smtp/BDAT.cc +++ b/src/analyzer/protocol/smtp/BDAT.cc @@ -328,9 +328,8 @@ private: TEST_CASE("line forward testing") { zeek::Packet p; - zeek::ConnTuple ct; zeek::IPBasedConnKeyPtr kp = std::make_unique(); - auto conn = std::make_unique(std::move(kp), ct, 0, 0, &p); + auto conn = std::make_unique(std::move(kp), 0, 0, &p); auto smtp_analyzer = std::unique_ptr(zeek::analyzer_mgr->InstantiateAnalyzer("SMTP", conn.get())); auto mail = std::make_unique(smtp_analyzer.get()); diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc index 5c40363acd..d1ba857801 100644 --- a/src/packet_analysis/protocol/icmp/ICMP.cc +++ b/src/packet_analysis/protocol/icmp/ICMP.cc @@ -28,24 +28,25 @@ SessionAdapter* ICMPAnalyzer::MakeSessionAdapter(Connection* conn) { return root; } -bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) { +bool ICMPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) { if ( ! CheckHeaderTrunc(ICMP_MINLEN, len, packet) ) return false; - tuple.src_addr = packet->ip_hdr->SrcAddr(); - tuple.dst_addr = packet->ip_hdr->DstAddr(); - tuple.proto = packet->proto; - const struct icmp* icmpp = (const struct icmp*)data; - tuple.src_port = htons(icmpp->icmp_type); + + uint32_t icmp_counter_type = 0; + bool is_one_way = false; if ( packet->proto == IPPROTO_ICMP ) - tuple.dst_port = htons(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way)); + icmp_counter_type = ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way); else if ( packet->proto == IPPROTO_ICMPV6 ) - tuple.dst_port = htons(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way)); + icmp_counter_type = ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way); else reporter->InternalError("Reached ICMP packet analyzer with unknown packet protocol %x", packet->proto); + key.InitTuple(packet->ip_hdr->SrcAddr(), htons(icmpp->icmp_type), packet->ip_hdr->DstAddr(), + htons(icmp_counter_type), packet->proto, is_one_way); + return true; } diff --git a/src/packet_analysis/protocol/icmp/ICMP.h b/src/packet_analysis/protocol/icmp/ICMP.h index 28c469937f..99dbf4248a 100644 --- a/src/packet_analysis/protocol/icmp/ICMP.h +++ b/src/packet_analysis/protocol/icmp/ICMP.h @@ -29,10 +29,7 @@ public: packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override; protected: - /** - * Parse the header from the packet into a ConnTuple object. - */ - bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override; + bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override; void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override; diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc index bfee8c3a04..9773d4817e 100644 --- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc +++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc @@ -24,10 +24,6 @@ IPBasedAnalyzer::~IPBasedAnalyzer() { } bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt) { - ConnTuple tuple; - if ( ! BuildConnTuple(len, data, pkt, tuple) ) - return false; - static IPBasedConnKeyPtr key; // Note, this is static for reuse: if ( ! key ) { ConnKeyPtr ck = conn_key_mgr->GetFactory().NewConnKey(); @@ -39,19 +35,28 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt key = IPBasedConnKeyPtr(static_cast(ck.release())); } - // Initialize the key with the IP conn tuple and the packet as additional context. - // - // Custom IPConnKey implementations can fiddle with the Key through - // the DoInit(const Packet& pkt) hook called at this point. - key->InitTuple(tuple); + // Deprecated: remove ConnTuple use in 8.1 and only use InitConnKey(). +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" + ConnTuple tuple; + if ( BuildConnTuple(len, data, pkt, tuple) ) { + key->InitTuple(tuple.src_addr, tuple.src_port, tuple.dst_addr, tuple.dst_port, pkt->proto); +#pragma GCC diagnostic pop + } + else if ( ! InitConnKey(len, data, pkt, *key) ) { + return false; + } + key->Init(*pkt); const std::shared_ptr& ip_hdr = pkt->ip_hdr; + auto src_addr = key->SrcAddr(); + auto src_port = key->SrcPort(); Connection* conn = session_mgr->FindConnection(*key); if ( ! conn ) { - conn = NewConn(tuple, std::move(key), pkt); + conn = NewConn(std::move(key), pkt); if ( conn ) session_mgr->Insert(conn, false); } @@ -60,7 +65,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt conn->Event(connection_reused, nullptr); session_mgr->Remove(conn); - conn = NewConn(tuple, std::move(key), pkt); + conn = NewConn(std::move(key), pkt); if ( conn ) session_mgr->Insert(conn, false); } @@ -76,7 +81,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt // get logged, which means we can mark this packet as having been processed. pkt->processed = true; - bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort()); + bool is_orig = (src_addr == conn->OrigAddr()) && (src_port == conn->OrigPort()); pkt->is_orig = is_orig; conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel()); @@ -159,19 +164,18 @@ bool IPBasedAnalyzer::IsLikelyServerPort(uint32_t port) const { return port_cache.find(port) != port_cache.end(); } -zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple& id, IPBasedConnKeyPtr key, const Packet* pkt) { - int src_h = ntohs(id.src_port); - int dst_h = ntohs(id.dst_port); +zeek::Connection* IPBasedAnalyzer::NewConn(IPBasedConnKeyPtr key, const Packet* pkt) { + auto src_p = ntohs(key->SrcPort()); + auto dst_p = ntohs(key->DstPort()); bool flip = false; - if ( ! WantConnection(src_h, dst_h, pkt->ip_hdr->Payload(), flip) ) + if ( ! WantConnection(src_p, dst_p, pkt->ip_hdr->Payload(), flip) ) return nullptr; - Connection* conn = - new Connection(std::move(key), id, run_state::processing_start_time, pkt->ip_hdr->FlowLabel(), pkt); + Connection* conn = new Connection(std::move(key), run_state::processing_start_time, pkt->ip_hdr->FlowLabel(), pkt); conn->SetTransport(transport); - if ( flip && ! id.dst_addr.IsBroadcast() ) + if ( flip && ! conn->RespAddr().IsBroadcast() ) conn->FlipRoles(); BuildSessionAnalyzerTree(conn); diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h index ecaaa0970a..bdbf672993 100644 --- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h +++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h @@ -98,10 +98,29 @@ protected: */ IPBasedAnalyzer(const char* name, TransportProto proto, uint32_t mask, bool report_unknown_protocols); + /** + * Initialize the given ConnKey from the packet header & data. + * + * @param len Remaining length of data. + * @param data Remaining packet data. + * @param packet The packet being processed. + * @param key The ConnKey instance to initialize. + * + * @return True if initialization succeeded, false otherwise (e.g. because + * there wasn't enough data available). + */ + virtual bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) { + // Given deprecation of BuildConnTuple below, make this pure virtual in 8.1. + return false; + } + /** * Parse the header from the packet into a ConnTuple object. */ - virtual bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) = 0; + [[deprecated("Remove in v8.1. Switch to InitConnKey() and key-only initialization.")]] + virtual bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) { + return false; + } /** * Continues process of packet after the connection has been inserted into the @@ -180,12 +199,10 @@ private: /** * Creates a new Connection object from data gleaned from the current packet. * - * @param id A connection ID generated from the packet data. This should have been - * passed in from a child analyzer. - * @param key A connection ID key generated from the ID. - * @param pkt The packet associated with the new connection. + * @param key A ConnKey with common 5-tuple information. + * @param pkt The packet associated with the new connection, for additional connection info. */ - zeek::Connection* NewConn(const ConnTuple& id, IPBasedConnKeyPtr key, const Packet* pkt); + zeek::Connection* NewConn(IPBasedConnKeyPtr key, const Packet* pkt); void BuildSessionAnalyzerTree(Connection* conn); diff --git a/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.cc b/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.cc index ca4ac01e5e..49a44f9492 100644 --- a/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.cc +++ b/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.cc @@ -1,3 +1,30 @@ // See the file "COPYING" in the main distribution directory for copyright. #include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h" + +#include "zeek/Conn.h" + +using namespace zeek; +using namespace zeek::packet_analysis::IP; + +void IPBasedConnKey::InitTuple(const IPAddr& src_addr, uint32_t src_port, const IPAddr& dst_addr, uint32_t dst_port, + uint16_t proto, bool is_one_way) { + auto& tuple = PackedTuple(); + + if ( is_one_way || addr_port_canon_lt(src_addr, src_port, dst_addr, dst_port) ) { + src_addr.CopyIPv6(&tuple.ip1); + dst_addr.CopyIPv6(&tuple.ip2); + tuple.port1 = src_port; + tuple.port2 = dst_port; + flipped = false; + } + else { + dst_addr.CopyIPv6(&tuple.ip1); + src_addr.CopyIPv6(&tuple.ip2); + tuple.port1 = dst_port; + tuple.port2 = src_port; + flipped = true; + } + + tuple.proto = proto; +} diff --git a/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h b/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h index 4202b3420d..06e4e440cc 100644 --- a/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h +++ b/src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h @@ -34,7 +34,34 @@ struct PackedConnTuple { */ class IPBasedConnKey : public zeek::ConnKey { public: - void InitTuple(const ConnTuple& ct) { InitPackedTuple(ct); } + /** + * Initializes the key to the given 5-tuple. This canonicalizes the + * packed tuple storage, including potential endpoint flips for + * consistent connection lookups regardless of directionality. + */ + void InitTuple(const IPAddr& src_addr, uint32_t src_port, const IPAddr& dst_addr, uint32_t dst_port, uint16_t proto, + bool is_one_way = false); + + /** + * The source address the key got initialized with. + */ + IPAddr SrcAddr() const { return flipped ? IPAddr(PackedTuple().ip2) : IPAddr(PackedTuple().ip1); } + /** + * The destination address the key got initialized with. + */ + IPAddr DstAddr() const { return flipped ? IPAddr(PackedTuple().ip1) : IPAddr(PackedTuple().ip2); } + /** + * The source port the key got initialized with. + */ + uint16_t SrcPort() const { return flipped ? PackedTuple().port2 : PackedTuple().port1; } + /** + * The destination port the key got initialized with. + */ + uint16_t DstPort() const { return flipped ? PackedTuple().port1 : PackedTuple().port2; } + /** + * The IP protocol the key got initialized with. + */ + uint16_t Proto() const { return PackedTuple().proto; } /** * Return a modifiable reference to the embedded PackedConnTuple. @@ -56,28 +83,8 @@ public: */ virtual const detail::PackedConnTuple& PackedTuple() const = 0; -private: - /** - * Initialize a packed tuple from a ConnTuple instance. - */ - void InitPackedTuple(const ConnTuple& ct) { - auto& tuple = PackedTuple(); - - if ( ct.is_one_way || addr_port_canon_lt(ct.src_addr, ct.src_port, ct.dst_addr, ct.dst_port) ) { - ct.src_addr.CopyIPv6(&tuple.ip1); - ct.dst_addr.CopyIPv6(&tuple.ip2); - tuple.port1 = ct.src_port; - tuple.port2 = ct.dst_port; - } - else { - ct.dst_addr.CopyIPv6(&tuple.ip1); - ct.src_addr.CopyIPv6(&tuple.ip2); - tuple.port1 = ct.dst_port; - tuple.port2 = ct.src_port; - } - - tuple.proto = ct.proto; - } +protected: + bool flipped = false; }; using IPBasedConnKeyPtr = std::unique_ptr; diff --git a/src/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.cc b/src/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.cc index fbda9443d0..47dd7e3c78 100644 --- a/src/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.cc +++ b/src/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.cc @@ -65,7 +65,7 @@ zeek::expected Factory::DoConnKeyFromVal(const ze "invalid connection ID record encountered: the proto field has the \"unknown\" 65535 value. " "Did you forget to set it?"); - ick->InitTuple(ConnTuple{orig_addr, resp_addr, htons(orig_portv->Port()), htons(resp_portv->Port()), proto16_t}); + ick->InitTuple(orig_addr, htons(orig_portv->Port()), resp_addr, htons(resp_portv->Port()), proto16_t); // Asserting here on the absence of errors can fail btests. diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc index 0b78967a89..8780f58e86 100644 --- a/src/packet_analysis/protocol/tcp/TCP.cc +++ b/src/packet_analysis/protocol/tcp/TCP.cc @@ -26,21 +26,13 @@ SessionAdapter* TCPAnalyzer::MakeSessionAdapter(Connection* conn) { zeek::analyzer::pia::PIA* TCPAnalyzer::MakePIA(Connection* conn) { return new analyzer::pia::PIA_TCP(conn); } -bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) { +bool TCPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) { uint32_t min_hdr_len = sizeof(struct tcphdr); if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) ) return false; - tuple.src_addr = packet->ip_hdr->SrcAddr(); - tuple.dst_addr = packet->ip_hdr->DstAddr(); - - data = packet->ip_hdr->Payload(); - - const struct tcphdr* tp = (const struct tcphdr*)data; - tuple.src_port = tp->th_sport; - tuple.dst_port = tp->th_dport; - tuple.is_one_way = false; - tuple.proto = packet->proto; + const struct tcphdr* tp = (const struct tcphdr*)packet->ip_hdr->Payload(); + key.InitTuple(packet->ip_hdr->SrcAddr(), tp->th_sport, packet->ip_hdr->DstAddr(), tp->th_dport, packet->proto); return true; } diff --git a/src/packet_analysis/protocol/tcp/TCP.h b/src/packet_analysis/protocol/tcp/TCP.h index f946e55e9c..531fd46b3b 100644 --- a/src/packet_analysis/protocol/tcp/TCP.h +++ b/src/packet_analysis/protocol/tcp/TCP.h @@ -35,10 +35,7 @@ public: } protected: - /** - * Parse the header from the packet into a ConnTuple object. - */ - bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override; + bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override; void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override; diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index 4e6f549de1..bebfabd3fb 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -53,19 +53,13 @@ bool UDPAnalyzer::WantConnection(uint16_t src_port, uint16_t dst_port, const u_c return true; } -bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) { +bool UDPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) { uint32_t min_hdr_len = sizeof(struct udphdr); if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) ) return false; - tuple.src_addr = packet->ip_hdr->SrcAddr(); - tuple.dst_addr = packet->ip_hdr->DstAddr(); - const struct udphdr* up = (const struct udphdr*)packet->ip_hdr->Payload(); - tuple.src_port = up->uh_sport; - tuple.dst_port = up->uh_dport; - tuple.is_one_way = false; - tuple.proto = packet->proto; + key.InitTuple(packet->ip_hdr->SrcAddr(), up->uh_sport, packet->ip_hdr->DstAddr(), up->uh_dport, packet->proto); return true; } diff --git a/src/packet_analysis/protocol/udp/UDP.h b/src/packet_analysis/protocol/udp/UDP.h index fb53240838..2623ab0a5b 100644 --- a/src/packet_analysis/protocol/udp/UDP.h +++ b/src/packet_analysis/protocol/udp/UDP.h @@ -24,10 +24,7 @@ public: void Initialize() override; protected: - /** - * Parse the header from the packet into a ConnTuple object. - */ - bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override; + bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override; void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override; diff --git a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc index ffe29cddb0..eea34dc8dc 100644 --- a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc +++ b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc @@ -33,10 +33,8 @@ SessionAdapter* UnknownIPTransportAnalyzer::MakeSessionAdapter(Connection* conn) return root; } -bool UnknownIPTransportAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) { - tuple.src_addr = packet->ip_hdr->SrcAddr(); - tuple.dst_addr = packet->ip_hdr->DstAddr(); - tuple.proto = packet->proto; +bool UnknownIPTransportAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) { + key.InitTuple(packet->ip_hdr->SrcAddr(), 0, packet->ip_hdr->DstAddr(), 0, packet->proto); return true; } diff --git a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h index bd06177dfa..bd3c577a33 100644 --- a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h +++ b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h @@ -23,10 +23,7 @@ public: packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override; protected: - /** - * Parse the header from the packet into a ConnTuple object. - */ - bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override; + bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override; void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override; };