Merge of Gregor's conn-size branch.

If 'use_conn_size_analyzer' is true, the event engine tracks the number of
packets and raw IP bytes per connection. If report_conn_size_analyzer
is true, these values are included as four new columns in conn.log.

I changed conn.bro so that the value of report_conn_size_analyzer
follows that of use_conn_size_analyzer. For the new conn.log, we
probably want to get rid of report_conn_size_analyzer anyway.
Robin Sommer 2011-05-09 16:39:01 -07:00
parent 7524cce186
commit bd9855a380
26 changed files with 340 additions and 49 deletions


@ -152,7 +152,6 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
proto = TRANSPORT_UNKNOWN;
conn_val = 0;
orig_endp = resp_endp = 0;
login_conn = 0;
is_active = 1;
@ -401,12 +400,12 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(0, id_val);
orig_endp = new RecordVal(endpoint);
RecordVal *orig_endp = new RecordVal(endpoint);
orig_endp->Assign(0, new Val(0, TYPE_COUNT));
orig_endp->Assign(1, new Val(0, TYPE_COUNT));
conn_val->Assign(1, orig_endp);
resp_endp = new RecordVal(endpoint);
RecordVal *resp_endp = new RecordVal(endpoint);
resp_endp->Assign(0, new Val(0, TYPE_COUNT));
resp_endp->Assign(1, new Val(0, TYPE_COUNT));
conn_val->Assign(2, resp_endp);
@ -425,10 +424,7 @@ RecordVal* Connection::BuildConnVal()
}
if ( root_analyzer )
{
root_analyzer->UpdateEndpointVal(orig_endp, 1);
root_analyzer->UpdateEndpointVal(resp_endp, 0);
}
root_analyzer->UpdateConnVal(conn_val);
conn_val->Assign(3, new Val(start_time, TYPE_TIME)); // ###
conn_val->Assign(4, new Val(last_time - start_time, TYPE_INTERVAL));
@ -803,10 +799,6 @@ void Connection::FlipRoles()
resp_port = orig_port;
orig_port = tmp_port;
RecordVal* tmp_rc = resp_endp;
resp_endp = orig_endp;
orig_endp = tmp_rc;
Unref(conn_val);
conn_val = 0;
@ -902,8 +894,6 @@ bool Connection::DoSerialize(SerialInfo* info) const
return false;
SERIALIZE_OPTIONAL(conn_val);
SERIALIZE_OPTIONAL(orig_endp);
SERIALIZE_OPTIONAL(resp_endp);
// FIXME: RuleEndpointState not yet serializable.
// FIXME: Analyzers not yet serializable.
@ -967,10 +957,6 @@ bool Connection::DoUnserialize(UnserialInfo* info)
UNSERIALIZE_OPTIONAL(conn_val,
(RecordVal*) Val::Unserialize(info, connection_type));
UNSERIALIZE_OPTIONAL(orig_endp,
(RecordVal*) Val::Unserialize(info, endpoint));
UNSERIALIZE_OPTIONAL(resp_endp,
(RecordVal*) Val::Unserialize(info, endpoint));
int iproto;
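Review bot: Dropping `orig_endp` and `resp_endp` from Connection::DoSerialize() and Connection::DoUnserialize() changes the serialized layout of a Connection, and nothing visible in these hunks bumps a format version or rejects state written by an older build. A stream produced before this change would still carry the two optional endpoint records ahead of `iproto`, so the new reader would presumably interpret them as the fields that follow. If this state is exchanged with peers or read back from persisted files, a version mismatch should fail cleanly rather than be misparsed. If the serialization framework has a format or version constant, bump it in this commit; at minimum add a comment above `SERIALIZE_OPTIONAL(conn_val);` such as `// Format change: orig_endp/resp_endp are no longer serialized; older state is not readable.` Both function bodies start and end outside the hunks shown, so an existing check elsewhere cannot be ruled out.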