diff --git a/CHANGES b/CHANGES
index e740d60b25..bf2cc62906 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+7.2.0-dev.212 | 2025-02-20 16:40:19 -0700
+
+ * Set original/outer packet flags to reflect inner packet results (mnhsrj)
+
+ Propagate inner packet flags such as 'processed', 'dump_packet', 'dump_size'
+ to outer packet for packets involving tunneled data.
+
 7.2.0-dev.210 | 2025-02-20 15:35:21 -0700
 * Also trim trailing spaces in `to_count`/`to_int` inputs (Benjamin Bannier, Corelight)
diff --git a/VERSION b/VERSION
index 1204c0ebf3..8e055fc23d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.2.0-dev.210
+7.2.0-dev.212
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 5c5e7c631c..d8428ba00f 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -46,6 +46,7 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u
 data = arg_data;
 dump_packet = false;
+ dump_size = 0;
 time = ts.tv_sec + double(ts.tv_usec) / 1e6;
 eth_type = 0;
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index e7ac1b3cc1..5f430affc3 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -78,7 +78,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 /**
 * Handles a packet that contains an IP header directly after the tunnel header.
 */
-bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, const std::shared_ptr& inner,
+bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, Packet* pkt, const std::shared_ptr& inner,
 std::shared_ptr prev, const EncapsulatingConn& ec) {
 uint32_t caplen, len;
@@ -113,13 +113,18 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, co
 // Forward the packet back to the IP analyzer.
 bool return_val = ForwardPacket(len, data, &p);
+ // Propagate the flags from fake inner packet to outer packet
+ pkt->processed = p.processed;
+ pkt->dump_packet = p.dump_packet;
+ pkt->dump_size = (p.dump_size > 0) ? static_cast(data - pkt->data) + p.dump_size : p.dump_size;
+
 return return_val;
 }
 /**
 * Handles a packet that contains a physical-layer header after the tunnel header.
 */
-bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, uint32_t caplen, uint32_t len,
+bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, Packet* pkt, uint32_t caplen, uint32_t len,
 const u_char* data, int link_type, std::shared_ptr prev, const EncapsulatingConn& ec) {
@@ -145,6 +150,11 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui
 // to the packet manager.
 bool return_val = packet_mgr->ProcessInnerPacket(&p);
+ // Propagate the flags from fake inner packet to outer packet
+ pkt->processed = p.processed;
+ pkt->dump_packet = p.dump_packet;
+ pkt->dump_size = (p.dump_size > 0) ? static_cast(data - pkt->data) + p.dump_size : p.dump_size;
+
 return return_val;
 }
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
index e1e5510311..eea410e27d 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
@@ -37,7 +37,7 @@ public:
 * the most-recently found depth of encapsulation.
 * @param ec The most-recently found depth of encapsulation.
 */
- bool ProcessEncapsulatedPacket(double t, const Packet* pkt, const std::shared_ptr& inner,
+ bool ProcessEncapsulatedPacket(double t, Packet* pkt, const std::shared_ptr& inner,
 std::shared_ptr prev, const EncapsulatingConn& ec);
 /**
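Review bot: The outer `dump_size` set in the `@@ -113,13 +113,18 @@` hunk of IPTunnel.cc comes from the raw pointer difference `data - pkt->data`, with no check that `data` points into the outer capture buffer and no bound against the outer capture length. If the inner header ever lives in a separate buffer (reassembled or copied data, which this hunk does not show), the offset is meaningless and the outer packet would be recorded with a wrong truncation length. The same assignments are repeated in the `@@ -145,6 +150,11 @@` hunk, where `data` is a caller-supplied parameter, so a shared helper would keep the two copies from drifting apart. `processed` and `dump_packet` are also assigned rather than merged, so a flag already set on the outer packet is cleared when the inner result is false; please confirm that is intended. Both function bodies start outside their hunks.

```cpp
bool return_val = ForwardPacket(len, data, &p);

// … unchanged: processed / dump_packet propagation …

// Translate the inner truncation point into an outer-packet offset only when
// the inner payload lies inside the outer capture. Otherwise fall back to 0,
// the value Packet::Init() assigns and the original ternary passes through.
pkt->dump_size = 0;
if ( p.dump_size > 0 && data >= pkt->data && data <= pkt->data + pkt->cap_len ) {
    const uint64_t end = static_cast<uint64_t>(data - pkt->data) + p.dump_size;
    // Never ask the dumper for more bytes than the outer packet captured.
    pkt->dump_size = static_cast<decltype(pkt->dump_size)>(std::min<uint64_t>(end, pkt->cap_len));
}
```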
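Review bot: Dropping `const` from `pkt` in the `@@ -37,7 +37,7 @@` hunk of IPTunnel.h changes the contract of a public method, but the doc comment above it (only its tail is visible here) does not say that the outer packet is now written to. I would extend the description of `pkt`, which presumably sits outside the hunk, to something like `@param pkt The outer packet; its processed, dump_packet and dump_size fields are updated from the inner packet's results.` The same applies to the second overload in the `@@ -56,7 +56,7 @@` hunk. Out-of-tree callers that pass a `const Packet*` will stop compiling, which may deserve a line in the release notes.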
@@ -56,7 +56,7 @@ public:
 * including the most-recently found depth of encapsulation.
 * @param ec The most-recently found depth of encapsulation.
 */
- bool ProcessEncapsulatedPacket(double t, const Packet* pkt, uint32_t caplen, uint32_t len, const u_char* data,
+ bool ProcessEncapsulatedPacket(double t, Packet* pkt, uint32_t caplen, uint32_t len, const u_char* data,
 int link_type, std::shared_ptr prev, const EncapsulatingConn& ec);