flow: tag first packet in each direction

Set a flowflag for the first packet in each direction:

FLOW_PKT_TOSERVER_FIRST and FLOW_PKT_TOCLIENT_FIRST

diff --git a/src/flow.c b/src/flow.c
index f6287952018498a1b919c2f0686f0ecfa00eca82..3255bbf58adfcc88b9b256bd54b9b2589bac036e 100644 (file)
--- a/src/flow.c
+++ b/src/flow.c
@@ -238,11 +238,11 @@ void FlowHandlePacketUpdateRemove(Flow *f, Packet *p)
     if (p->flowflags & FLOW_PKT_TOSERVER) {
         f->todstpktcnt--;
         f->todstbytecnt -= GET_PKT_LEN(p);
-        p->flowflags &= ~FLOW_PKT_TOSERVER;
+        p->flowflags &= ~(FLOW_PKT_TOSERVER|FLOW_PKT_TOSERVER_FIRST);
     } else {
         f->tosrcpktcnt--;
         f->tosrcbytecnt -= GET_PKT_LEN(p);
-        p->flowflags &= ~FLOW_PKT_TOCLIENT;
+        p->flowflags &= ~(FLOW_PKT_TOCLIENT|FLOW_PKT_TOCLIENT_FIRST);
     }
     p->flowflags &= ~FLOW_PKT_ESTABLISHED;
 
@@ -275,19 +275,25 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
 
     /* update flags and counters */
     if (FlowGetPacketDirection(f, p) == TOSERVER) {
-        if (FlowUpdateSeenFlag(p)) {
-            f->flags |= FLOW_TO_DST_SEEN;
-        }
         f->todstpktcnt++;
         f->todstbytecnt += GET_PKT_LEN(p);
         p->flowflags = FLOW_PKT_TOSERVER;
-    } else {
-        if (FlowUpdateSeenFlag(p)) {
-            f->flags |= FLOW_TO_SRC_SEEN;
+        if (!(f->flags & FLOW_TO_DST_SEEN)) {
+            if (FlowUpdateSeenFlag(p)) {
+                f->flags |= FLOW_TO_DST_SEEN;
+                p->flowflags |= FLOW_PKT_TOSERVER_FIRST;
+            }
         }
+    } else {
         f->tosrcpktcnt++;
         f->tosrcbytecnt += GET_PKT_LEN(p);
         p->flowflags = FLOW_PKT_TOCLIENT;
+        if (!(f->flags & FLOW_TO_SRC_SEEN)) {
+            if (FlowUpdateSeenFlag(p)) {
+                f->flags |= FLOW_TO_SRC_SEEN;
+                p->flowflags |= FLOW_PKT_TOCLIENT_FIRST;
+            }
+        }
     }
 
     if ((f->flags & (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) == (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) {

diff --git a/src/flow.h b/src/flow.h
index 89f0a32b150323dfe215832c2b323bbb4a120cca..8d699fc98d4c16bc7cda0ed56056dc88c445913d 100644 (file)
--- a/src/flow.h
+++ b/src/flow.h
@@ -171,6 +171,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 #define FLOW_PKT_ESTABLISHED            0x04
 #define FLOW_PKT_TOSERVER_IPONLY_SET    0x08
 #define FLOW_PKT_TOCLIENT_IPONLY_SET    0x10
+#define FLOW_PKT_TOSERVER_FIRST         0x20
+#define FLOW_PKT_TOCLIENT_FIRST         0x40
 
 #define FLOW_END_FLAG_STATE_NEW         0x01
 #define FLOW_END_FLAG_STATE_ESTABLISHED 0x02

diff --git a/src/stream-tcp.h b/src/stream-tcp.h
index 8dfc992a5fee74a457fb08af50be058d5332a2aa..dcafe0e9bcc76f18870d321b7437e953ea00c44b 100644 (file)
--- a/src/stream-tcp.h
+++ b/src/stream-tcp.h
@@ -171,9 +171,19 @@ static inline void StreamTcpPacketSwitchDir(TcpSession *ssn, Packet *p)
     if (PKT_IS_TOSERVER(p)) {
         p->flowflags &= ~FLOW_PKT_TOSERVER;
         p->flowflags |= FLOW_PKT_TOCLIENT;
+
+        if (p->flowflags & FLOW_PKT_TOSERVER_FIRST) {
+            p->flowflags &= ~FLOW_PKT_TOSERVER_FIRST;
+            p->flowflags |= FLOW_PKT_TOCLIENT_FIRST;
+        }
     } else {
         p->flowflags &= ~FLOW_PKT_TOCLIENT;
         p->flowflags |= FLOW_PKT_TOSERVER;
+
+        if (p->flowflags & FLOW_PKT_TOCLIENT_FIRST) {
+            p->flowflags &= ~FLOW_PKT_TOCLIENT_FIRST;
+            p->flowflags |= FLOW_PKT_TOSERVER_FIRST;
+        }
     }
 }