diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index 0705f8fb4e..c93a39a82e 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -18,6 +18,7 @@ using pkt_timeval = struct timeval;
 #include "zeek/IP.h"
 #include "zeek/NetVar.h" // For BifEnum::Tunnel
 #include "zeek/TunnelEncapsulation.h"
+#include "zeek/session/Session.h"
 namespace zeek {
@@ -172,29 +173,35 @@ public:
 /**
 * (Outermost) VLAN tag if any, else 0.
 */
- uint32_t vlan;
+ uint32_t vlan = 0;
 /**
 * (Innermost) VLAN tag if any, else 0.
 */
- uint32_t inner_vlan;
+ uint32_t inner_vlan = 0;
+
+ /**
+ * If this packet is related to a connection, this flag denotes whether
+ * this packet is from the originator of the connection.
+ */
+ bool is_orig = false;
 /**
 * Indicates whether the layer 2 checksum was validated by the
 * hardware/kernel before being received by zeek.
 */
- bool l2_checksummed;
+ bool l2_checksummed = false;
 /**
 * Indicates whether the layer 3 checksum was validated by the
 * hardware/kernel before being received by zeek.
 */
- bool l3_checksummed;
+ bool l3_checksummed = false;
 /**
 * Indicates whether this packet should be recorded.
 */
- mutable bool dump_packet;
+ mutable bool dump_packet = false;
 /**
 * Indicates the amount of data to be dumped. If only a header is needed,
@@ -255,6 +262,11 @@ public:
 */
 bool processed = false;
+ /**
+ * The session related to this packet, if one exists.
+ */
+ session::Session* session = nullptr;
+
 private:
 // Renders an MAC address into its ASCII representation.
 ValPtr FmtEUI48(const u_char* mac) const;
diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc
index 468d7e11df..4b24d3be95 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
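Review bot: The new `#include "zeek/session/Session.h"` in the first Packet.h hunk pulls the full Session definition into every translation unit that includes this header, while the only use visible in this diff is the pointer member `session::Session* session`. A forward declaration is enough for a pointer member, e.g. `namespace zeek::session { class Session; }`, with the full include kept in the .cc files that dereference it. If parts of Packet.h outside these hunks need the complete type, the include has to stay.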
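Review bot: The doc comment on the new `is_orig` member in Packet.h does not say how a reader distinguishes "packet from the responder" from "no connection associated", since both leave the flag at its default `false`. In this diff the flag is written in IPBasedAnalyzer::AnalyzePacket while `session` is written separately in the DeliverPacket methods, so the two fields can be out of step. I would extend the comment with something like `Only meaningful once an IP-based analyzer has matched the packet to a connection; false otherwise.` The class body continues outside the hunk.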
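Review bot: `session::Session* session` in the last Packet.h hunk is a raw, non-owning pointer, and its comment does not state who owns the session or for how long the pointer may be dereferenced. The analyzers in this commit assign it from `Connection* c` and nothing visible here clears it, so a Packet that is reused or outlives the connection would carry a dangling pointer into the encapsulation handling. The comment should say so, e.g. `Non-owning; valid only while the packet is being processed.` If Packet has a per-packet reset routine (Packet.cc is not part of the diff as shown), it needs `session = nullptr;` and `is_orig = false;` there, because the default member initializers run only at construction.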
@@ -121,6 +121,10 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
 return;
 }
+ // Store the session in the packet in case we get an encapsulation here. We need it for
+ // handling those properly.
+ pkt->session = c;
+
 ForwardPacket(len, data, pkt);
 if ( remaining >= len )
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 2994d320ba..6e83984ae7 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -68,6 +68,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 pkt->processed = true;
 bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
+ pkt->is_orig = is_orig;
 conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index 6bfd02cff5..d60a18bea7 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -120,6 +120,10 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 adapter->Process(is_orig, tp, len, ip, data, remaining);
+ // Store the session in the packet in case we get an encapsulation here. We need it for
+ // handling those properly.
+ pkt->session = c;
+
 // Send the packet back into the packet analysis framework.
 ForwardPacket(len, data, pkt);
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index 1ade1ae208..cd7681dcd9 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
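Review bot: The comment added before `pkt->session = c;` in ICMPAnalyzer::DeliverPacket does not name the code that reads the pointer, and the identical comment is repeated in the TCP.cc and UDP.cc hunks. The pointer also stays set after `ForwardPacket()` returns, so anything that touches `pkt` later still sees this connection. I would state the contract in the comment, for example `// Borrowed pointer to this connection; read by analyzers reached via ForwardPacket() when the payload is an encapsulation.`, adjusted to the actual consumer, which is not visible in this diff. DeliverPacket's body starts and ends outside the hunk.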
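Review bot: `pkt->is_orig` is set here in IPBasedAnalyzer::AnalyzePacket, but `pkt->session` is set separately in three DeliverPacket implementations, which leaves a window where one field describes the connection and the other is still unset. Any further IP-based analyzer would also have to remember to repeat the assignment. Since `conn` is already in scope on the preceding line, `pkt->session = conn;` next to `pkt->is_orig = is_orig;` would cover them in one place, assuming `conn` converts to `session::Session*` as `c` does in the other hunks. AnalyzePacket's body extends beyond the hunk, so whether DeliverPacket is also reached from other callers is not visible here.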
@@ -211,6 +211,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 adapter->Event(udp_reply);
 }
+ // Store the session in the packet in case we get an encapsulation here. We need it for
+ // handling those properly.
+ pkt->session = c;
+
 // Send the packet back into the packet analysis framework. We only check the response
 // port here because the orig/resp should have already swapped around based on
 // likely_server_ports. This also prevents us from processing things twice if protocol