From: Juweria Ali Imran (jaliimra) Date: Fri, 9 May 2025 20:46:43 +0000 (+0000) Subject: Pull request #4729: stream_tcp: print stream_tcp state upon hitting queue_limits X-Git-Tag: 3.8.1.0~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a3d804fc3f5fa4b5d567ac54a2a0b57ce2e943bb;p=thirdparty%2Fsnort3.git Pull request #4729: stream_tcp: print stream_tcp state upon hitting queue_limits Merge in SNORT/snort3 from ~JALIIMRA/snort3:print_stream_state to master Squashed commit of the following: commit 552960385a7655eb84fb7c44704aa07c160a5800 Author: Juweria Ali Imran Date: Tue Apr 22 12:41:13 2025 -0400 stream_tcp: print stream_tcp state upon hitting queue_limits --- diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index 31918f7e6..8a0236ea9 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -567,7 +567,6 @@ void TcpReassemblerBase::flush_queued_segments(Flow* flow, bool clear, Packet* p } } - void TcpReassemblerBase::check_first_segment_hole() { if ( SEQ_LT(seglist.seglist_base_seq, seglist.head->start_seq()) ) @@ -673,4 +672,3 @@ TcpReassemblerIgnore* TcpReassemblerIgnore::get_instance(bool server_tracker) return ignore_reassembler_client; } - diff --git a/src/stream/tcp/tcp_reassembly_segments.cc b/src/stream/tcp/tcp_reassembly_segments.cc index 49b21c432..04e03cff1 100644 --- a/src/stream/tcp/tcp_reassembly_segments.cc +++ b/src/stream/tcp/tcp_reassembly_segments.cc @@ -23,6 +23,8 @@ #include "config.h" #endif +#include + #include "tcp_reassembly_segments.h" #include "log/messages.h" 
@@ -120,6 +122,27 @@ bool TcpReassemblySegments::segment_within_seglist_window(TcpSegmentDescriptor& return true; } +void TcpReassemblySegments::print_stream_state(TcpStreamTracker* talker) +{ + if ( !PacketTracer::is_active() ) + return; + + std::stringstream ss; + + ss << "Stream State:"; + ss << " seglist_base_seq: " << seglist_base_seq; + ss << ", rcv_next: " << tracker->get_rcv_nxt(); + ss << ", r_win_base: " << talker->r_win_base; + if(head) + ss << ", head: " << head->start_seq(); + if(cur_sseg) + ss << ", cur_sseg: " << cur_sseg->start_seq(); + if(cur_rseg) + ss << ", cur_rseg: " << cur_rseg->start_seq(); + ss << "\n"; + PacketTracer::log("%s", ss.str().c_str()); +} + void TcpReassemblySegments::queue_reassembly_segment(TcpSegmentDescriptor& tsd) { if ( seg_count == 0 ) diff --git a/src/stream/tcp/tcp_reassembly_segments.h b/src/stream/tcp/tcp_reassembly_segments.h index e90bad335..a91fba09b 100644 --- a/src/stream/tcp/tcp_reassembly_segments.h +++ b/src/stream/tcp/tcp_reassembly_segments.h @@ -56,6 +56,7 @@ public: void skip_midstream_pickup_seglist_hole(TcpSegmentDescriptor&); bool skip_hole_at_beginning(TcpSegmentNode*); void purge_segment_list(); + void print_stream_state(TcpStreamTracker* talker); bool is_segment_pending_flush() const; diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index b1d0a380b..ee4c13f98 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -633,6 +633,7 @@ bool TcpSession::check_reassembly_queue_thresholds(TcpSegmentDescriptor& tsd, Tc { // FIXIT-M - only alert once per threshold exceeded event tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED); + listener->seglist.print_stream_state(tsd.get_talker()); listener->normalizer.log_drop_reason(tsd, inline_mode, "stream", "stream_tcp: Flow exceeded the configured max byte threshold (" + std::to_string(tcp_config->max_queued_bytes) + "). You may want to adjust the 'max_bytes' parameter in the NAP policy" 
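Review bot: `talker` is dereferenced unconditionally at `talker->r_win_base`, while `head`, `cur_sseg` and `cur_rseg` in the same function are each null-checked before use. Both call sites added by this commit pass `tsd.get_talker()`, which is presumably non-null there, but the public declaration accepts any pointer; guarding it like the others, `if ( talker ) ss << ", r_win_base: " << talker->r_win_base;`, or taking a `const TcpStreamTracker&`, keeps a diagnostic path from being what takes the sensor down. Since the dump fires when a queue limit is hit, it would also help to print the counter involved, e.g. `ss << ", seg_count: " << seg_count;` (`seg_count` is the member tested in `queue_reassembly_segment` just below). A one-line comment stating that the output goes only to PacketTracer and is skipped when tracing is off would document the early return.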
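Review bot: Nothing at this call site in the max_queued_bytes branch shows that `print_stream_state` does nothing unless PacketTracer is active, so it reads as an unconditional dump on the drop path. A short comment such as `// trace-only: dumps listener seglist state, returns early when PacketTracer is inactive` would make that clear. The existing FIXIT-M about alerting once per event applies to the new call as well: with tracing on, a flow held at the limit emits one state line for every over-limit segment. The same applies to the identical call added in the max_queued_segs branch in the next hunk. The body of `check_reassembly_queue_thresholds` starts and ends outside the hunk.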
@@ -663,6 +664,7 @@ bool TcpSession::check_reassembly_queue_thresholds(TcpSegmentDescriptor& tsd, Tc { // FIXIT-M - only alert once per threshold exceeded event tel.set_tcp_event(EVENT_MAX_QUEUED_SEGS_EXCEEDED); + listener->seglist.print_stream_state(tsd.get_talker()); listener->normalizer.log_drop_reason(tsd, inline_mode, "stream", "stream_tcp: Flow exceeded the configured max segment threshold (" + std::to_string(tcp_config->max_queued_segs) + "). You may want to adjust the 'max_segments' parameter in the NAP policy" @@ -940,6 +942,9 @@ bool TcpSession::cleanup_session_if_expired(Packet* p) // the packet...Insert a packet, or handle state change SYN, FIN, RST, etc. if ( Stream::expired_flow(flow, p) ) { + if ( PacketTracer::is_active() and p and p->ptrs.tcph ) + PacketTracer::log("Stream TCP session expired with session flags 0x%x, flow state %hhu, and seq %u\n", + flow->get_session_flags(), static_cast(flow->flow_state), p->ptrs.tcph->seq()); /* Session is timed out, if also reset then restart, otherwise clear */ if ( flow->get_session_flags() & SSNFLAG_RESET ) clear_session(true, true, true, p);
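Review bot: In the `cleanup_session_if_expired` hunk, `p` is null-checked only inside the new trace condition, after it has already been passed to `Stream::expired_flow(flow, p)` and just before it goes to `clear_session(true, true, true, p)`. If `p` can be null here, the surrounding calls need the same care; if it cannot, the condition can presumably shrink to `if ( PacketTracer::is_active() and p->ptrs.tcph )`. The session flags and flow state are logged as bare numbers (`0x%x`, `%hhu`), so anyone reading the trace has to decode them by hand. A comment naming the flag set and the state enum next to the format string would make expiry events easier to correlate with the drop reasons logged elsewhere. The function continues outside the hunk.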