Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add TSval and TSecr to TCPSyn

Browse source
This commit is contained in:
gpotter2 2021-09-11 16:08:02 +02:00
parent a05b14711f
commit d4db9bf6d0
3 changed files with 22 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

15
src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
View file

@ -331,6 +331,8 @@ static zeek::RecordValPtr build_syn_packet_val(bool is_orig, const zeek::IP_Hdr*
int winscale = -1;
int MSS = 0;
int SACK = 0;
int64_t TSval = -1;
int64_t TSecr = -1;
// Parse TCP options.
u_char* options = (u_char*)tcp + sizeof(struct tcphdr);
@ -384,6 +386,14 @@ static zeek::RecordValPtr build_syn_packet_val(bool is_orig, const zeek::IP_Hdr*
winscale = options[2];
break;
case 8: // TCPOPT_TIMESTAMP
if (opt_len < 10 )
break; // bad length
TSval = (((((options[2] << 8) | options[3]) << 8) | options[4]) << 8) | options[5];
TSecr = (((((options[6] << 8) | options[7]) << 8) | options[8]) << 8) | options[9];
break;
default: // just skip over
break;
}
@ -402,7 +412,10 @@ static zeek::RecordValPtr build_syn_packet_val(bool is_orig, const zeek::IP_Hdr*
v->Assign(5, winscale);
v->Assign(6, MSS);
v->Assign(7, static_cast<bool>(SACK));
if(TSval >= 0)
v->Assign(8, (uint32_t) TSval);
if(TSval >= 0)
v->Assign(9, (uint32_t) TSecr);
return v;
}