eve/drop: log drop reason
authorVictor Julien <vjulien@oisf.net>
Mon, 21 Mar 2022 20:57:04 +0000 (21:57 +0100)
committerVictor Julien <vjulien@oisf.net>
Thu, 9 Jun 2022 05:26:48 +0000 (07:26 +0200)
Ticket: #5202.

etc/schema.json
src/decode.c
src/decode.h
src/detect-engine-threshold.c
src/detect.c
src/output-json-drop.c
src/stream-tcp.c

index 99f419fff483941a2e9b3f5909658842ac01cccc..7d3d2593c3168a263acd63a265fe1665eaa6f47b 100644 (file)
                 },
                 "urg": {
                     "type": "boolean"
+                },
+                "reason": {
+                    "type": "string"
                 }
             },
             "additionalProperties": false
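Review bot: The new `reason` property is typed as an unconstrained string, so the schema cannot catch a mistyped or renamed value even though the set of values is fixed by the string table in PacketDropReasonToString (src/decode.c). Declaring them with an `enum` keeps the schema and that table in lock step; it means touching the schema whenever a reason is added, which is exactly the drift a schema check exists to surface. The enclosing `drop` object starts above the hunk.
```json
                "reason": {
                    "type": "string",
                    "enum": [
                        "decode error",
                        "defrag error",
                        "defrag memcap",
                        "flow memcap",
                        "flow drop",
                        "stream error",
                        "stream memcap",
                        "applayer error",
                        "applayer memcap",
                        "rules",
                        "threshold detection_filter"
                    ]
                }
```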
index c87941ff80bc0cafc45767db801d4ac8451219e5..d277d2beffbc4422e0cc264d7f0fd8dcad72d339 100644 (file)
@@ -768,6 +768,38 @@ const char *PktSrcToString(enum PktSrcEnum pkt_src)
     return pkt_src_str;
 }
 
+const char *PacketDropReasonToString(enum PacketDropReason r)
+{
+    switch (r) {
+        case PKT_DROP_REASON_DECODE_ERROR:
+            return "decode error";
+        case PKT_DROP_REASON_DEFRAG_ERROR:
+            return "defrag error";
+        case PKT_DROP_REASON_DEFRAG_MEMCAP:
+            return "defrag memcap";
+        case PKT_DROP_REASON_FLOW_MEMCAP:
+            return "flow memcap";
+        case PKT_DROP_REASON_FLOW_DROP:
+            return "flow drop";
+        case PKT_DROP_REASON_STREAM_ERROR:
+            return "stream error";
+        case PKT_DROP_REASON_STREAM_MEMCAP:
+            return "stream memcap";
+        case PKT_DROP_REASON_APPLAYER_ERROR:
+            return "applayer error";
+        case PKT_DROP_REASON_APPLAYER_MEMCAP:
+            return "applayer memcap";
+        case PKT_DROP_REASON_RULES:
+            return "rules";
+        case PKT_DROP_REASON_RULES_THRESHOLD:
+            return "threshold detection_filter";
+        case PKT_DROP_REASON_NOT_SET:
+        default:
+            return NULL;
+    }
+}
+
+/* TODO drop reason stats! */
 void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
 {
     if (unlikely(PacketTestAction(p, (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH)))) {
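Review bot: The `default:` arm of PacketDropReasonToString returns the same NULL as `PKT_DROP_REASON_NOT_SET`, so a reason added to the enum later without a matching `case` silently vanishes from the drop log instead of showing up as a visible gap; returning `"unknown"` from `default:` while keeping NULL only for NOT_SET leaves NULL meaning "nothing recorded" and makes the omission diagnosable. The function also has no header comment, and its caller in output-json-drop.c relies on the NULL contract, so it should be spelled out: `/** \brief Human-readable drop reason for EVE output, or NULL when no reason was recorded. */`. The `/* TODO drop reason stats! */` left above CaptureStatsUpdate would be easier to track with the ticket number attached; CaptureStatsUpdate itself continues outside the hunk.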
index 1b9806e74817d9942dddae0a0fbd73ca3f7ffb6f..c766695801772e0874c73fea14b22cc0dcf4eeff 100644 (file)
@@ -404,6 +404,21 @@ typedef struct PktProfiling_ {
 
 #endif /* PROFILING */
 
+enum PacketDropReason {
+    PKT_DROP_REASON_NOT_SET = 0,
+    PKT_DROP_REASON_DECODE_ERROR,
+    PKT_DROP_REASON_DEFRAG_ERROR,
+    PKT_DROP_REASON_DEFRAG_MEMCAP,
+    PKT_DROP_REASON_FLOW_MEMCAP,
+    PKT_DROP_REASON_FLOW_DROP,
+    PKT_DROP_REASON_STREAM_ERROR,
+    PKT_DROP_REASON_STREAM_MEMCAP,
+    PKT_DROP_REASON_APPLAYER_ERROR,
+    PKT_DROP_REASON_APPLAYER_MEMCAP,
+    PKT_DROP_REASON_RULES,
+    PKT_DROP_REASON_RULES_THRESHOLD, /**< detection_filter in action */
+};
+
 /* forward declaration since Packet struct definition requires this */
 struct PacketQueue_;
 
@@ -600,6 +615,14 @@ typedef struct Packet_
     /** data linktype in host order */
     int datalink;
 
+    /* count decoded layers of packet : too many layers
+     * cause issues with performance and stability (stack exhaustion)
+     */
+    uint8_t nb_decoded_layers;
+
+    /* enum PacketDropReason::PKT_DROP_REASON_* as uint8_t for compactness */
+    uint8_t drop_reason;
+
     /* tunnel/encapsulation handling */
     struct Packet_ *root; /* in case of tunnel this is a ptr
                            * to the 'real' packet, the one we
@@ -625,11 +648,6 @@ typedef struct Packet_
      */
     struct PktPool_ *pool;
 
-    /* count decoded layers of packet : too many layers
-     * cause issues with performance and stability (stack exhaustion)
-     */
-    uint8_t nb_decoded_layers;
-
 #ifdef PROFILING
     PktProfiling *profile;
 #endif
@@ -802,6 +820,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
         (p)->ts.tv_sec = 0;                                                                        \
         (p)->ts.tv_usec = 0;                                                                       \
         (p)->datalink = 0;                                                                         \
+        (p)->drop_reason = 0;                                                                      \
         (p)->action = 0;                                                                           \
         if ((p)->pktvar != NULL) {                                                                 \
             PktVarFree((p)->pktvar);                                                               \
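Review bot: `(p)->drop_reason = 0;` resets the field with a bare literal where the header defines `PKT_DROP_REASON_NOT_SET` for precisely this value; writing `(p)->drop_reason = PKT_DROP_REASON_NOT_SET;` matches the comparison in PacketDrop and states intent rather than a number. The enclosing recycle macro starts and ends outside the hunk.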
@@ -899,8 +918,6 @@ static inline void PacketSetAction(Packet *p, const uint8_t a)
 
 #define PACKET_ACCEPT(p) PACKET_SET_ACTION(p, ACTION_ACCEPT)
 
-#define PACKET_DROP(p) PACKET_SET_ACTION(p, ACTION_DROP)
-
 #define PACKET_REJECT(p) PACKET_SET_ACTION(p, (ACTION_REJECT|ACTION_DROP))
 
 #define PACKET_REJECT_DST(p) PACKET_SET_ACTION(p, (ACTION_REJECT_DST|ACTION_DROP))
@@ -911,6 +928,14 @@ static inline void PacketSetAction(Packet *p, const uint8_t a)
 
 #define PACKET_TEST_ACTION(p, a) (p)->action &(a)
 
+static inline void PacketDrop(Packet *p, enum PacketDropReason r)
+{
+    if (p->drop_reason == PKT_DROP_REASON_NOT_SET)
+        p->drop_reason = (uint8_t)r;
+
+    PACKET_SET_ACTION(p, ACTION_DROP);
+}
+
 static inline uint8_t PacketTestAction(const Packet *p, const uint8_t a)
 {
     if (likely(p->root == NULL)) {
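Review bot: The first-wins rule in PacketDrop — a later call never overwrites a reason that is already set — is a deliberate design choice that nothing documents, and anyone reading the drop log needs to know the field reflects the earliest drop decision, not the last one; a header such as `/** \brief Set the drop action and, if none is recorded yet, the drop reason. The first reason is kept so the log shows the original decision. */` covers it. The `(uint8_t)r` cast truncates silently if the enum ever grows past 255, which is unlikely but unchecked. Separately, PacketTestAction just below consults `p->root` when it is set, so for tunnel packets the action and the recorded reason may live on different Packet objects; whether the drop logger reads the right one is worth confirming, as I cannot see its handling here.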
@@ -988,6 +1013,7 @@ DecodeThreadVars *DecodeThreadVarsAlloc(ThreadVars *);
 void DecodeThreadVarsFree(ThreadVars *, DecodeThreadVars *);
 void DecodeUpdatePacketCounters(ThreadVars *tv,
                                 const DecodeThreadVars *dtv, const Packet *p);
+const char *PacketDropReasonToString(enum PacketDropReason r);
 
 /* decoder functions */
 int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
index 67eccd678423e3c9d05060a910baa56987b6bd53..878d1d91aa920a29f4f65a7bbf61f5152790feda 100644 (file)
@@ -299,7 +299,7 @@ static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_a
             pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
             break;
         case TH_ACTION_DROP:
-            PACKET_DROP(p);
+            PacketDrop(p, PKT_DROP_REASON_RULES_THRESHOLD);
             pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
             break;
         case TH_ACTION_REJECT:
index 8151abef82f2ac5eca56b72b6fbe79b3bd7c84fd..fdc2bd7c5b4abe4fd848cb61231ce0a49d0eb1c3 100644 (file)
@@ -1688,7 +1688,7 @@ static void DetectFlow(ThreadVars *tv,
 
     /* if flow is set to drop, we enforce that here */
     if (p->flow->flags & FLOW_ACTION_DROP) {
-        PACKET_DROP(p);
+        PacketDrop(p, PKT_DROP_REASON_FLOW_DROP);
         SCReturn;
     }
 
index bd10f49e33d23251c5aaeac4a34c8dd039a540c7..0746e2600aaf9b353879c6c58547b54059bc47e7 100644 (file)
@@ -140,6 +140,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
             }
             break;
     }
+    if (p->drop_reason != 0) {
+        const char *str = PacketDropReasonToString(p->drop_reason);
+        jb_set_string(js, "reason", str);
+    }
 
     /* Close drop. */
     jb_close(js);
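Review bot: `jb_set_string(js, "reason", str)` is reached with `str == NULL` whenever `p->drop_reason` holds a value PacketDropReasonToString does not map, because its `default:` arm returns NULL and the `!= 0` test only excludes NOT_SET; the field is a plain `uint8_t`, so nothing else prevents an unmapped value from handing a NULL pointer to the JSON builder. Guard it, `if (str != NULL) jb_set_string(js, "reason", str);`, and compare against the named constant, `if (p->drop_reason != PKT_DROP_REASON_NOT_SET)`, rather than the literal `0`. DropLogJSON starts above the hunk.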
index 08d4da95c9b9debb46ffe523f06b4ec67a73b873..1ef011b1db29971dd5a146e89b37cf849ed47824 100644 (file)
@@ -4929,7 +4929,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
         FlowSetNoPacketInspectionFlag(p->flow);
         DecodeSetNoPacketInspectionFlag(p);
         StreamTcpDisableAppLayer(p->flow);
-        PACKET_DROP(p);
+        PacketDrop(p, PKT_DROP_REASON_FLOW_DROP);
         /* return the segments to the pool */
         StreamTcpSessionPktFree(p);
         SCReturnInt(0);
@@ -5097,7 +5097,7 @@ error:
          * anyway. Doesn't disable all detection, so we can still
          * match on the stream event that was set. */
         DecodeSetNoPayloadInspectionFlag(p);
-        PACKET_DROP(p);
+        PacketDrop(p, PKT_DROP_REASON_STREAM_ERROR);
     }
     SCReturnInt(-1);
 }