Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 04:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge of Gregor's conn-size branch.

Browse source 
If 'use_conn_size_analyzer' is true, the event engine tracks number of
packets and raw IP bytes per connection. If report_conn_size_analyzer
is true, these values are included as four new columns into conn.log

I changed conn.bro so that the value of report_conn_size_analyzer
follows that of use_conn_size_analyzer. For the new conn.log, we
probably want to get rid of report_conn_size_analyzer anyway.
This commit is contained in:
Robin Sommer 2011-05-09 16:39:01 -07:00
parent 7524cce186
commit bd9855a380
26 changed files with 340 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/ICMP.cc
View file

@ -79,6 +79,9 @@ void ICMP_Analyzer::DeliverPacket(int arg_len, const u_char* data,
NextICMP(current_timestamp, icmpp, len, caplen, data);
if ( caplen >= len )
ForwardPacket(len, data, is_orig, seq, ip, caplen);
if ( rule_matcher )
matcher_state.Match(Rule::PAYLOAD, data, len, is_orig,
false, false, true);
@ -252,6 +255,20 @@ void ICMP_Analyzer::Describe(ODesc* d) const
d->Add(dotted_addr(Conn()->RespAddr()));
}
void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val)
{
int orig_endp_idx = connection_type->FieldOffset("orig");
int resp_endp_idx = connection_type->FieldOffset("resp");
RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
UpdateEndpointVal(orig_endp, 1);
UpdateEndpointVal(resp_endp, 0);
// Call children's UpdateConnVal
Analyzer::UpdateConnVal(conn_val);
}
void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
{
Conn()->EnableStatusUpdateTimer();