Deprecate ConnTuple and related APIs.

Given IP-aware ConnKeys, ConnTuples aren't really required any more. ConnTuple
had two benefits:

- It preserved the original src/dst orientation from the packet headers it was
based on, which IPBasedConnKey now tracks and provides accessor methods for.

- In IPBasedAnalyzer::AnalyzePacket() its instance survived past the std:move()
of the key into NewConn(), which we sidestep by keeping the original src address
and port around until we need after the connection is obtained.

src/Conn.cc

@@ -23,15 +23,15 @@ namespace zeek {
 uint64_t Connection::total_connections = 0;
 uint64_t Connection::current_connections = 0;
 
-Connection::Connection(zeek::IPBasedConnKeyPtr k, const zeek::ConnTuple& ct, double t, uint32_t flow, const Packet* pkt)
+Connection::Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const Packet* pkt)
     : Session(t, connection_timeout, connection_status_update, detail::connection_status_update_interval),
       key(std::move(k)) {
-    orig_addr = ct.src_addr;
+    orig_addr = key->SrcAddr();
-    resp_addr = ct.dst_addr;
+    resp_addr = key->DstAddr();
-    orig_port = ct.src_port;
+    orig_port = key->SrcPort();
-    resp_port = ct.dst_port;
+    resp_port = key->DstPort();
 
-    switch ( ct.proto ) {
+    switch ( key->Proto() ) {
         case IPPROTO_TCP: proto = TRANSPORT_TCP; break;
         case IPPROTO_UDP: proto = TRANSPORT_UDP; break;
         case IPPROTO_ICMP:
@@ -60,7 +60,7 @@ Connection::Connection(const detail::ConnKey& k, double t, const ConnTuple* id,
     }
 
     key = std::make_unique<zeek::IPConnKey>();
-    key->InitTuple(*id);
+    key->InitTuple(id->src_addr, id->src_port, id->dst_addr, id->dst_port, id->proto, id->is_one_way);
     key->Init(*pkt);
 
     Init(flow, pkt);

src/Conn.h

@@ -53,13 +53,19 @@ enum ConnEventToFlag : uint8_t {
     NUM_EVENTS_TO_FLAG,
 };
 
+// Deprecated without replacement: remove in v8.1.
+// XXX using [[deprecated]] for the whole struct leads to hard errors on FreeBSD/MacOS.
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 struct ConnTuple {
-    IPAddr src_addr;
+#pragma GCC diagnostic pop
-    IPAddr dst_addr;
+    [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr src_addr;
-    uint32_t src_port = 0;
+    [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr dst_addr;
-    uint32_t dst_port = 0;
+    [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t src_port = 0;
-    uint16_t proto = UNKNOWN_IP_PROTO;
+    [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t dst_port = 0;
-    bool is_one_way = false; // if true, don't canonicalize order
+    [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint16_t proto = UNKNOWN_IP_PROTO;
+    [[deprecated("Remove in v8.1: Switch to new conn_key framework")]] bool is_one_way =
+        false; // if true, don't canonicalize order
 };
 
 static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
@@ -68,7 +74,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPA
 
 class Connection final : public session::Session {
 public:
-    Connection(zeek::IPBasedConnKeyPtr k, const zeek::ConnTuple& ct, double t, uint32_t flow, const Packet* pkt);
+    Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const Packet* pkt);
 
     [[deprecated("Remove in v8.1. Switch to ConnKey factories and the new zeek::ConnKey tree.")]]
     Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt);

src/IPAddr.cc

@@ -23,12 +23,12 @@ ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16
     Init(src, dst, src_port, dst_port, proto, one_way);
 }
 
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 ConnKey::ConnKey(const ConnTuple& id) {
     Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way);
 }
 
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 ConnKey& ConnKey::operator=(const ConnKey& rhs) {
     if ( this == &rhs )
         return *this;

src/analyzer/Analyzer.cc

@@ -807,9 +807,8 @@ TEST_SUITE("Analyzer management") {
         REQUIRE(zeek::analyzer_mgr);
 
         zeek::Packet p;
-        zeek::ConnTuple ct;
         zeek::IPBasedConnKeyPtr kp = std::make_unique<zeek::IPConnKey>();
-        auto conn = std::make_unique<zeek::Connection>(std::move(kp), ct, 0, 0, &p);
+        auto conn = std::make_unique<zeek::Connection>(std::move(kp), 0, 0, &p);
         auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn.get());
         conn->SetSessionAdapter(tcp, nullptr);
 
@@ -840,9 +839,8 @@ TEST_SUITE("Analyzer management") {
         REQUIRE(zeek::analyzer_mgr);
 
         zeek::Packet p;
-        zeek::ConnTuple ct;
         zeek::IPBasedConnKeyPtr kp = std::make_unique<zeek::IPConnKey>();
-        auto conn = std::make_unique<zeek::Connection>(std::move(kp), ct, 0, 0, &p);
+        auto conn = std::make_unique<zeek::Connection>(std::move(kp), 0, 0, &p);
 
         auto ssh = zeek::analyzer_mgr->InstantiateAnalyzer("SSH", conn.get());
         REQUIRE(ssh);

src/analyzer/protocol/smtp/BDAT.cc

@@ -328,9 +328,8 @@ private:
 
 TEST_CASE("line forward testing") {
     zeek::Packet p;
-    zeek::ConnTuple ct;
     zeek::IPBasedConnKeyPtr kp = std::make_unique<zeek::IPConnKey>();
-    auto conn = std::make_unique<zeek::Connection>(std::move(kp), ct, 0, 0, &p);
+    auto conn = std::make_unique<zeek::Connection>(std::move(kp), 0, 0, &p);
     auto smtp_analyzer =
         std::unique_ptr<zeek::analyzer::Analyzer>(zeek::analyzer_mgr->InstantiateAnalyzer("SMTP", conn.get()));
     auto mail = std::make_unique<Test_MIME_Message>(smtp_analyzer.get());

src/packet_analysis/protocol/icmp/ICMP.cc

@@ -28,24 +28,25 @@ SessionAdapter* ICMPAnalyzer::MakeSessionAdapter(Connection* conn) {
     return root;
 }
 
-bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
+bool ICMPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) {
     if ( ! CheckHeaderTrunc(ICMP_MINLEN, len, packet) )
         return false;
 
-    tuple.src_addr = packet->ip_hdr->SrcAddr();
-    tuple.dst_addr = packet->ip_hdr->DstAddr();
-    tuple.proto = packet->proto;
-
     const struct icmp* icmpp = (const struct icmp*)data;
-    tuple.src_port = htons(icmpp->icmp_type);
+
+    uint32_t icmp_counter_type = 0;
+    bool is_one_way = false;
 
     if ( packet->proto == IPPROTO_ICMP )
-        tuple.dst_port = htons(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
+        icmp_counter_type = ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way);
     else if ( packet->proto == IPPROTO_ICMPV6 )
-        tuple.dst_port = htons(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
+        icmp_counter_type = ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way);
     else
         reporter->InternalError("Reached ICMP packet analyzer with unknown packet protocol %x", packet->proto);
 
+    key.InitTuple(packet->ip_hdr->SrcAddr(), htons(icmpp->icmp_type), packet->ip_hdr->DstAddr(),
+                  htons(icmp_counter_type), packet->proto, is_one_way);
+
     return true;
 }
 

src/packet_analysis/protocol/icmp/ICMP.h

@@ -29,10 +29,7 @@ public:
     packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override;
 
 protected:
-    /**
+    bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override;
-     * Parse the header from the packet into a ConnTuple object.
-     */
-    bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
 
     void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
 

src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc

@@ -24,10 +24,6 @@ IPBasedAnalyzer::~IPBasedAnalyzer() {
 }
 
 bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt) {
-    ConnTuple tuple;
-    if ( ! BuildConnTuple(len, data, pkt, tuple) )
-        return false;
-
     static IPBasedConnKeyPtr key; // Note, this is static for reuse:
     if ( ! key ) {
         ConnKeyPtr ck = conn_key_mgr->GetFactory().NewConnKey();
@@ -39,19 +35,28 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
         key = IPBasedConnKeyPtr(static_cast<IPBasedConnKey*>(ck.release()));
     }
 
-    // Initialize the key with the IP conn tuple and the packet as additional context.
+    // Deprecated: remove ConnTuple use in 8.1 and only use InitConnKey().
-    //
+#pragma GCC diagnostic push
-    // Custom IPConnKey implementations can fiddle with the Key through
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-    // the DoInit(const Packet& pkt) hook called at this point.
+    ConnTuple tuple;
-    key->InitTuple(tuple);
+    if ( BuildConnTuple(len, data, pkt, tuple) ) {
+        key->InitTuple(tuple.src_addr, tuple.src_port, tuple.dst_addr, tuple.dst_port, pkt->proto);
+#pragma GCC diagnostic pop
+    }
+    else if ( ! InitConnKey(len, data, pkt, *key) ) {
+        return false;
+    }
+
     key->Init(*pkt);
 
     const std::shared_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
+    auto src_addr = key->SrcAddr();
+    auto src_port = key->SrcPort();
 
     Connection* conn = session_mgr->FindConnection(*key);
 
     if ( ! conn ) {
-        conn = NewConn(tuple, std::move(key), pkt);
+        conn = NewConn(std::move(key), pkt);
         if ( conn )
             session_mgr->Insert(conn, false);
     }
@@ -60,7 +65,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
             conn->Event(connection_reused, nullptr);
 
             session_mgr->Remove(conn);
-            conn = NewConn(tuple, std::move(key), pkt);
+            conn = NewConn(std::move(key), pkt);
             if ( conn )
                 session_mgr->Insert(conn, false);
         }
@@ -76,7 +81,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
     // get logged, which means we can mark this packet as having been processed.
     pkt->processed = true;
 
-    bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
+    bool is_orig = (src_addr == conn->OrigAddr()) && (src_port == conn->OrigPort());
     pkt->is_orig = is_orig;
 
     conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
@@ -159,19 +164,18 @@ bool IPBasedAnalyzer::IsLikelyServerPort(uint32_t port) const {
     return port_cache.find(port) != port_cache.end();
 }
 
-zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple& id, IPBasedConnKeyPtr key, const Packet* pkt) {
+zeek::Connection* IPBasedAnalyzer::NewConn(IPBasedConnKeyPtr key, const Packet* pkt) {
-    int src_h = ntohs(id.src_port);
+    auto src_p = ntohs(key->SrcPort());
-    int dst_h = ntohs(id.dst_port);
+    auto dst_p = ntohs(key->DstPort());
     bool flip = false;
 
-    if ( ! WantConnection(src_h, dst_h, pkt->ip_hdr->Payload(), flip) )
+    if ( ! WantConnection(src_p, dst_p, pkt->ip_hdr->Payload(), flip) )
         return nullptr;
 
-    Connection* conn =
+    Connection* conn = new Connection(std::move(key), run_state::processing_start_time, pkt->ip_hdr->FlowLabel(), pkt);
-        new Connection(std::move(key), id, run_state::processing_start_time, pkt->ip_hdr->FlowLabel(), pkt);
     conn->SetTransport(transport);
 
-    if ( flip && ! id.dst_addr.IsBroadcast() )
+    if ( flip && ! conn->RespAddr().IsBroadcast() )
         conn->FlipRoles();
 
     BuildSessionAnalyzerTree(conn);

src/packet_analysis/protocol/ip/IPBasedAnalyzer.h

@@ -98,10 +98,29 @@ protected:
      */
     IPBasedAnalyzer(const char* name, TransportProto proto, uint32_t mask, bool report_unknown_protocols);
 
+    /**
+     * Initialize the given ConnKey from the packet header & data.
+     *
+     * @param len Remaining length of data.
+     * @param data Remaining packet data.
+     * @param packet The packet being processed.
+     * @param key The ConnKey instance to initialize.
+     *
+     * @return True if initialization succeeded, false otherwise (e.g. because
+     * there wasn't enough data available).
+     */
+    virtual bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) {
+        // Given deprecation of BuildConnTuple below, make this pure virtual in 8.1.
+        return false;
+    }
+
     /**
      * Parse the header from the packet into a ConnTuple object.
      */
-    virtual bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) = 0;
+    [[deprecated("Remove in v8.1. Switch to InitConnKey() and key-only initialization.")]]
+    virtual bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
+        return false;
+    }
 
     /**
      * Continues process of packet after the connection has been inserted into the
@@ -180,12 +199,10 @@ private:
     /**
      * Creates a new Connection object from data gleaned from the current packet.
      *
-     * @param id A connection ID generated from the packet data. This should have been
+     * @param key A ConnKey with common 5-tuple information.
-     * passed in from a child analyzer.
+     * @param pkt The packet associated with the new connection, for additional connection info.
-     * @param key A connection ID key generated from the ID.
-     * @param pkt The packet associated with the new connection.
      */
-    zeek::Connection* NewConn(const ConnTuple& id, IPBasedConnKeyPtr key, const Packet* pkt);
+    zeek::Connection* NewConn(IPBasedConnKeyPtr key, const Packet* pkt);
 
     void BuildSessionAnalyzerTree(Connection* conn);
 

src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.cc

@@ -1,3 +1,30 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
+
+#include "zeek/Conn.h"
+
+using namespace zeek;
+using namespace zeek::packet_analysis::IP;
+
+void IPBasedConnKey::InitTuple(const IPAddr& src_addr, uint32_t src_port, const IPAddr& dst_addr, uint32_t dst_port,
+                               uint16_t proto, bool is_one_way) {
+    auto& tuple = PackedTuple();
+
+    if ( is_one_way || addr_port_canon_lt(src_addr, src_port, dst_addr, dst_port) ) {
+        src_addr.CopyIPv6(&tuple.ip1);
+        dst_addr.CopyIPv6(&tuple.ip2);
+        tuple.port1 = src_port;
+        tuple.port2 = dst_port;
+        flipped = false;
+    }
+    else {
+        dst_addr.CopyIPv6(&tuple.ip1);
+        src_addr.CopyIPv6(&tuple.ip2);
+        tuple.port1 = dst_port;
+        tuple.port2 = src_port;
+        flipped = true;
+    }
+
+    tuple.proto = proto;
+}

src/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h

@@ -34,7 +34,34 @@ struct PackedConnTuple {
  */
 class IPBasedConnKey : public zeek::ConnKey {
 public:
-    void InitTuple(const ConnTuple& ct) { InitPackedTuple(ct); }
+    /**
+     * Initializes the key to the given 5-tuple. This canonicalizes the
+     * packed tuple storage, including potential endpoint flips for
+     * consistent connection lookups regardless of directionality.
+     */
+    void InitTuple(const IPAddr& src_addr, uint32_t src_port, const IPAddr& dst_addr, uint32_t dst_port, uint16_t proto,
+                   bool is_one_way = false);
+
+    /**
+     * The source address the key got initialized with.
+     */
+    IPAddr SrcAddr() const { return flipped ? IPAddr(PackedTuple().ip2) : IPAddr(PackedTuple().ip1); }
+    /**
+     * The destination address the key got initialized with.
+     */
+    IPAddr DstAddr() const { return flipped ? IPAddr(PackedTuple().ip1) : IPAddr(PackedTuple().ip2); }
+    /**
+     * The source port the key got initialized with.
+     */
+    uint16_t SrcPort() const { return flipped ? PackedTuple().port2 : PackedTuple().port1; }
+    /**
+     * The destination port the key got initialized with.
+     */
+    uint16_t DstPort() const { return flipped ? PackedTuple().port1 : PackedTuple().port2; }
+    /**
+     * The IP protocol the key got initialized with.
+     */
+    uint16_t Proto() const { return PackedTuple().proto; }
 
     /**
      * Return a modifiable reference to the embedded PackedConnTuple.
@@ -56,28 +83,8 @@ public:
      */
     virtual const detail::PackedConnTuple& PackedTuple() const = 0;
 
-private:
+protected:
-    /**
+    bool flipped = false;
-     * Initialize a packed tuple from a ConnTuple instance.
-     */
-    void InitPackedTuple(const ConnTuple& ct) {
-        auto& tuple = PackedTuple();
-
-        if ( ct.is_one_way || addr_port_canon_lt(ct.src_addr, ct.src_port, ct.dst_addr, ct.dst_port) ) {
-            ct.src_addr.CopyIPv6(&tuple.ip1);
-            ct.dst_addr.CopyIPv6(&tuple.ip2);
-            tuple.port1 = ct.src_port;
-            tuple.port2 = ct.dst_port;
-        }
-        else {
-            ct.dst_addr.CopyIPv6(&tuple.ip1);
-            ct.src_addr.CopyIPv6(&tuple.ip2);
-            tuple.port1 = ct.dst_port;
-            tuple.port2 = ct.src_port;
-        }
-
-        tuple.proto = ct.proto;
-    }
 };
 
 using IPBasedConnKeyPtr = std::unique_ptr<IPBasedConnKey>;

src/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.cc

@@ -65,7 +65,7 @@ zeek::expected<zeek::ConnKeyPtr, std::string> Factory::DoConnKeyFromVal(const ze
             "invalid connection ID record encountered: the proto field has the \"unknown\" 65535 value. "
             "Did you forget to set it?");
 
-    ick->InitTuple(ConnTuple{orig_addr, resp_addr, htons(orig_portv->Port()), htons(resp_portv->Port()), proto16_t});
+    ick->InitTuple(orig_addr, htons(orig_portv->Port()), resp_addr, htons(resp_portv->Port()), proto16_t);
 
     // Asserting here on the absence of errors can fail btests.
 

src/packet_analysis/protocol/tcp/TCP.cc

@@ -26,21 +26,13 @@ SessionAdapter* TCPAnalyzer::MakeSessionAdapter(Connection* conn) {
 
 zeek::analyzer::pia::PIA* TCPAnalyzer::MakePIA(Connection* conn) { return new analyzer::pia::PIA_TCP(conn); }
 
-bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
+bool TCPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) {
     uint32_t min_hdr_len = sizeof(struct tcphdr);
     if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) )
         return false;
 
-    tuple.src_addr = packet->ip_hdr->SrcAddr();
+    const struct tcphdr* tp = (const struct tcphdr*)packet->ip_hdr->Payload();
-    tuple.dst_addr = packet->ip_hdr->DstAddr();
+    key.InitTuple(packet->ip_hdr->SrcAddr(), tp->th_sport, packet->ip_hdr->DstAddr(), tp->th_dport, packet->proto);
-
-    data = packet->ip_hdr->Payload();
-
-    const struct tcphdr* tp = (const struct tcphdr*)data;
-    tuple.src_port = tp->th_sport;
-    tuple.dst_port = tp->th_dport;
-    tuple.is_one_way = false;
-    tuple.proto = packet->proto;
 
     return true;
 }

src/packet_analysis/protocol/tcp/TCP.h

@@ -35,10 +35,7 @@ public:
     }
 
 protected:
-    /**
+    bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override;
-     * Parse the header from the packet into a ConnTuple object.
-     */
-    bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
 
     void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
 

src/packet_analysis/protocol/udp/UDP.cc

@@ -53,19 +53,13 @@ bool UDPAnalyzer::WantConnection(uint16_t src_port, uint16_t dst_port, const u_c
     return true;
 }
 
-bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
+bool UDPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) {
     uint32_t min_hdr_len = sizeof(struct udphdr);
     if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) )
         return false;
 
-    tuple.src_addr = packet->ip_hdr->SrcAddr();
-    tuple.dst_addr = packet->ip_hdr->DstAddr();
-
     const struct udphdr* up = (const struct udphdr*)packet->ip_hdr->Payload();
-    tuple.src_port = up->uh_sport;
+    key.InitTuple(packet->ip_hdr->SrcAddr(), up->uh_sport, packet->ip_hdr->DstAddr(), up->uh_dport, packet->proto);
-    tuple.dst_port = up->uh_dport;
-    tuple.is_one_way = false;
-    tuple.proto = packet->proto;
 
     return true;
 }

src/packet_analysis/protocol/udp/UDP.h

@@ -24,10 +24,7 @@ public:
     void Initialize() override;
 
 protected:
-    /**
+    bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override;
-     * Parse the header from the packet into a ConnTuple object.
-     */
-    bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
 
     void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
 

src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc

@@ -33,10 +33,8 @@ SessionAdapter* UnknownIPTransportAnalyzer::MakeSessionAdapter(Connection* conn)
     return root;
 }
 
-bool UnknownIPTransportAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
+bool UnknownIPTransportAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) {
-    tuple.src_addr = packet->ip_hdr->SrcAddr();
+    key.InitTuple(packet->ip_hdr->SrcAddr(), 0, packet->ip_hdr->DstAddr(), 0, packet->proto);
-    tuple.dst_addr = packet->ip_hdr->DstAddr();
-    tuple.proto = packet->proto;
 
     return true;
 }

src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h

@@ -23,10 +23,7 @@ public:
     packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override;
 
 protected:
-    /**
+    bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override;
-     * Parse the header from the packet into a ConnTuple object.
-     */
-    bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
 
     void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
 };