Store some additional information in the packet during processing

- Session related to the packet
- is_orig information if a UDP header was found

src/iosource/Packet.h

@@ -18,6 +18,7 @@ using pkt_timeval = struct timeval;
 #include "zeek/IP.h"
 #include "zeek/NetVar.h" // For BifEnum::Tunnel
 #include "zeek/TunnelEncapsulation.h"
+#include "zeek/session/Session.h"
 
 namespace zeek
 	{
@@ -172,29 +173,35 @@ public:
 	/**
 	 * (Outermost) VLAN tag if any, else 0.
 	 */
-	uint32_t vlan;
+	uint32_t vlan = 0;
 
 	/**
 	 * (Innermost) VLAN tag if any, else 0.
 	 */
-	uint32_t inner_vlan;
+	uint32_t inner_vlan = 0;
+
+	/**
+	 * If this packet is related to a connection, this flag denotes whether
+	 * this packet is from the originator of the connection.
+	 */
+	bool is_orig = false;
 
 	/**
 	 * Indicates whether the layer 2 checksum was validated by the
 	 * hardware/kernel before being received by zeek.
 	 */
-	bool l2_checksummed;
+	bool l2_checksummed = false;
 
 	/**
 	 * Indicates whether the layer 3 checksum was validated by the
 	 * hardware/kernel before being received by zeek.
 	 */
-	bool l3_checksummed;
+	bool l3_checksummed = false;
 
 	/**
 	 * Indicates whether this packet should be recorded.
 	 */
-	mutable bool dump_packet;
+	mutable bool dump_packet = false;
 
 	/**
 	 * Indicates the amount of data to be dumped. If only a header is needed,
@@ -255,6 +262,11 @@ public:
 	 */
 	bool processed = false;
 
+	/**
+	 * The session related to this packet, if one exists.
+	 */
+	session::Session* session = nullptr;
+
 private:
 	// Renders an MAC address into its ASCII representation.
 	ValPtr FmtEUI48(const u_char* mac) const;

src/packet_analysis/protocol/icmp/ICMP.cc

@@ -121,6 +121,10 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
 		return;
 		}
 
+	// Store the session in the packet in case we get an encapsulation here. We need it for
+	// handling those properly.
+	pkt->session = c;
+
 	ForwardPacket(len, data, pkt);
 
 	if ( remaining >= len )

src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc

@@ -68,6 +68,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 	pkt->processed = true;
 
 	bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
+	pkt->is_orig = is_orig;
 
 	conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
 

src/packet_analysis/protocol/tcp/TCP.cc

@@ -120,6 +120,10 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 
 	adapter->Process(is_orig, tp, len, ip, data, remaining);
 
+	// Store the session in the packet in case we get an encapsulation here. We need it for
+	// handling those properly.
+	pkt->session = c;
+
 	// Send the packet back into the packet analysis framework.
 	ForwardPacket(len, data, pkt);
 

src/packet_analysis/protocol/udp/UDP.cc

@@ -211,6 +211,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 		adapter->Event(udp_reply);
 		}
 
+	// Store the session in the packet in case we get an encapsulation here. We need it for
+	// handling those properly.
+	pkt->session = c;
+
 	// Send the packet back into the packet analysis framework. We only check the response
 	// port here because the orig/resp should have already swapped around based on
 	// likely_server_ports. This also prevents us from processing things twice if protocol