mirror of
https://github.com/zeek/zeek.git
synced 2025-10-05 08:08:19 +00:00
5312b21d7b
Without this change, flow labeling of connections over IPv6 are only available in the per-packet types of events (e.g. new_packet) in which header fields can be inspected, but now minimal tracking of the most recent flow label is done internally and that's available per-connection for all events that use connection record arguments. Specifically, this adds a "flow_label" field to the "endpoint" record type, which is used for both the "orig" and "resp" fields of "connection" records. The new "connection_flow_label_changed" event also allows tracking of changes in flow labels: it's raised each time one direction of the connection starts using a different label.
32 lines
937 B
Text
32 lines
937 B
Text
# @TEST-EXEC: bro -b -r $TRACES/ipv6-ftp.trace %INPUT >output
|
|
# @TEST-EXEC: btest-diff output
|
|
|
|
function print_connection(c: connection, event_name: string)
|
|
{
|
|
print fmt("%s: %s", event_name, c$id);
|
|
print fmt(" orig_flow %d", c$orig$flow_label);
|
|
print fmt(" resp_flow %d", c$resp$flow_label);
|
|
}
|
|
|
|
event new_connection(c: connection)
|
|
{
|
|
print_connection(c, "new_connection");
|
|
}
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
print_connection(c, "connection_established");
|
|
}
|
|
|
|
event connection_state_remove(c: connection)
|
|
{
|
|
print_connection(c, "connection_state_remove");
|
|
}
|
|
|
|
event connection_flow_label_changed(c: connection, is_orig: bool,
|
|
old_label: count, new_label: count)
|
|
{
|
|
print_connection(c, fmt("connection_flow_label_changed(%s)", is_orig ? "orig" : "resp"));
|
|
print fmt(" old_label %d", old_label);
|
|
print fmt(" new_label %d", new_label);
|
|
}
|