NSM: add TTL fields for netflow log
authorPascal Delalande <pdl35@free.fr>
Wed, 18 Oct 2017 19:42:37 +0000 (21:42 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 21 Nov 2017 16:33:04 +0000 (17:33 +0100)
src/flow-util.c
src/flow.c
src/flow.h
src/output-json-netflow.c

index eadce4769b639e3223d77c0baf2498d14b773abe..161d1feed5704d1aacc1f8cfb95eec10214b0e72 100644 (file)
@@ -137,12 +137,12 @@ void FlowInit(Flow *f, const Packet *p)
     if (PKT_IS_IPV4(p)) {
         FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, &f->src);
         FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, &f->dst);
-        FLOW_SET_IPV4_TTL_FROM_PACKET(p, f);
+        f->min_ttl_toserver = f->max_ttl_toserver = IPV4_GET_IPTTL((p));
         f->flags |= FLOW_IPV4;
     } else if (PKT_IS_IPV6(p)) {
         FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, &f->src);
         FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, &f->dst);
-        FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f);
+        f->min_ttl_toserver = f->max_ttl_toserver = IPV6_GET_HLIM((p));
         f->flags |= FLOW_IPV6;
     }
 #ifdef DEBUG
index 0d13b2ab52c54a1b11d3e952f055ce4513d70ab9..4764aeb4fb98c898630a310c32e2b237c0afcb89 100644 (file)
@@ -269,23 +269,19 @@ static inline int FlowUpdateSeenFlag(const Packet *p)
 static inline void FlowUpdateTTL(Flow *f, Packet *p, uint8_t ttl)
 {
     if (FlowGetPacketDirection(f, p) == TOSERVER) {
-        if (ttl < f->min_ttl_toserver) {
+        if (f->min_ttl_toserver == 0) {
             f->min_ttl_toserver = ttl;
-        } else if (f->min_ttl_toserver == 0) {
-            f->min_ttl_toserver = ttl;
-        }
-        if (ttl > f->max_ttl_toserver) {
-            f->max_ttl_toserver = ttl;
+        } else {
+            f->min_ttl_toserver = MIN(f->min_ttl_toserver, ttl);
         }
+        f->max_ttl_toserver = MAX(f->max_ttl_toserver, ttl);
     } else {
-        if (ttl < f->min_ttl_toclient) {
+        if (f->min_ttl_toclient == 0) {
             f->min_ttl_toclient = ttl;
-        } else if (f->min_ttl_toclient == 0) {
-            f->min_ttl_toclient = ttl;
-        }
-        if (ttl > f->max_ttl_toclient) {
-            f->max_ttl_toclient = ttl;
+        } else {
+            f->min_ttl_toclient = MIN(f->min_ttl_toclient, ttl);
         }
+        f->max_ttl_toclient = MAX(f->max_ttl_toclient, ttl);
     }
 }
 
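Review bot: The `== 0` test on min_ttl_toserver/min_ttl_toclient uses a legal on-the-wire value as the "not seen yet" sentinel, so a direction whose first packet carries TTL or hop limit 0 records min 0 and then replaces it with the next packet's value instead of keeping the minimum; the logged min_ttl can therefore never show a 0 that was really observed, and a crafted TTL-0 packet is silently dropped from the flow record. The netflow logger in this same commit already keys "have we seen this direction" on tosrcpktcnt, and that per-direction packet counter is the better signal here too, e.g. `if (f->tosrcpktcnt == 0) f->min_ttl_toclient = ttl; else f->min_ttl_toclient = MIN(f->min_ttl_toclient, ttl);` with the toserver counterpart for the other branch. That assumes the counters are incremented after this call from FlowHandlePacketUpdate; if they are bumped before it, the comparison becomes `== 1`. Using MIN/MAX on plain lvalues is fine even if the macros evaluate their arguments twice.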
@@ -371,11 +367,9 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
 
     /* update flow's ttl fields if needed */
     if (PKT_IS_IPV4(p)) {
-        uint8_t ttl = IPV4_GET_IPTTL(p);
-        FlowUpdateTTL(f, p, ttl);
+        FlowUpdateTTL(f, p, IPV4_GET_IPTTL(p));
     } else if (PKT_IS_IPV6(p)) {
-        uint8_t ttl = IPV6_GET_HLIM(p);
-        FlowUpdateTTL(f, p, ttl);
+        FlowUpdateTTL(f, p, IPV6_GET_HLIM(p));
     }
 }
 
index aed107260604a05c5a705efd3736b2317d4ce3a1..f969c7a5ea4d1457ecc4c4ecb2f02ce01cb7d772 100644 (file)
@@ -183,16 +183,6 @@ typedef struct AppLayerParserState_ AppLayerParserState;
         (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3];  \
     } while (0)
 
-#define FLOW_SET_IPV4_TTL_FROM_PACKET(p, f) do {    \
-        (f)->min_ttl_toserver = IPV4_GET_IPTTL((p));         \
-        (f)->max_ttl_toserver = IPV4_GET_IPTTL((p));         \
-    } while (0)
-
-#define FLOW_SET_IPV6_HLIM_FROM_PACKET(p, f) do {   \
-        (f)->min_ttl_toserver = IPV6_GET_HLIM((p));          \
-        (f)->max_ttl_toserver = IPV6_GET_HLIM((p));          \
-    } while (0)
-
 /* pkt flow flags */
 #define FLOW_PKT_TOSERVER               0x01
 #define FLOW_PKT_TOCLIENT               0x02
@@ -340,11 +330,11 @@ typedef struct Flow_
     };
     uint8_t proto;
     uint8_t recursion_level;
+    uint16_t vlan_id[2];
     uint8_t min_ttl_toserver;
     uint8_t max_ttl_toserver;
     uint8_t min_ttl_toclient;
     uint8_t max_ttl_toclient;
-    uint16_t vlan_id[2];
 
     /** flow hash - the flow hash before hash table size mod. */
     uint32_t flow_hash;
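Review bot: The four TTL fields carry no comment stating the contract this commit now relies on: the toclient pair stays 0 until a packet is seen in that direction (FlowUpdateTTL's zero check and the netflow logger both depend on it), and each pair holds the IPv4 TTL or the IPv6 hop limit depending on which of FLOW_IPV4/FLOW_IPV6 is set in FlowInit. Add above min_ttl_toserver: `/** min/max IPv4 TTL or IPv6 hop limit seen per direction; the toclient pair is 0 until a packet has been seen in that direction. */`. The struct definition begins before this hunk, so the effect of moving vlan_id ahead of these bytes on padding cannot be judged from what is shown.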
index 40024a197d4f28d7e5bfb20fac3c74ea97cacaa9..b47a3dd8f612722e74182603d0eaca27d43c6a61 100644 (file)
@@ -267,7 +267,7 @@ static void JsonNetFlowLogJSONToClient(JsonNetFlowLogThread *aft, json_t *js, Fl
             json_integer(age));
 
     /* To client is zero if we did not see any packet */
-    if (f->max_ttl_toclient) {
+    if (f->tosrcpktcnt) {
         json_object_set_new(hjs, "min_ttl", json_integer(f->min_ttl_toclient));
         json_object_set_new(hjs, "max_ttl", json_integer(f->max_ttl_toclient));
     }