Flow data structure. More...
#include <flow.h>
Detailed Description
Flow data structure.
The flow is a global data structure that is created for new packets of a flow and then looked up for the following packets of a flow.
Locking
The flow is updated/used by multiple packets at the same time. This is why there is a flow-mutex. It's a mutex and not a spinlock because some operations on the flow can be quite expensive, thus spinning would be too expensive.
The flow "header" (addresses, ports, proto, recursion level) are static after the initialization and remain read-only throughout the entire live of a flow. This is why we can access those without protection of the lock.
Field Documentation
◆ [union]
| union { ... } Flow_ |
◆ [union]
| union { ... } Flow_ |
◆ [union]
| union { ... } Flow_ |
◆ alparser
| AppLayerParserState* Flow_::alparser |
application level storage ptrs. parser internal state
Definition at line 478 of file flow.h.
Referenced by AppLayerFrameDump(), AppLayerFrameNewByAbsoluteOffset(), AppLayerFrameNewByPointer(), AppLayerFrameNewByRelativeOffset(), AppLayerFramesFreeContainer(), AppLayerFramesGetContainer(), AppLayerFramesSetupContainer(), AppLayerHandleTCPData(), AppLayerParserParse(), AppLayerParserTransactionsCleanup(), AppLayerProtoDetectReset(), DetectEngineStateResetTxs(), FlowCleanupAppLayer(), FlowNeedsReassembly(), LLVMFuzzerTestOneInput(), Prefilter(), and StreamTcpDisableAppLayer().
◆ alproto
| AppProto Flow_::alproto |
application level protocol
Definition at line 450 of file flow.h.
Referenced by AppLayerFrameGetLastOpenByType(), AppLayerFrameNewByAbsoluteOffset(), AppLayerFrameNewByPointer(), AppLayerFrameNewByRelativeOffset(), AppLayerFramesSetupContainer(), AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerIncAllocErrorCounter(), AppLayerIncGapErrorCounter(), AppLayerIncInternalErrorCounter(), AppLayerIncParserErrorCounter(), AppLayerIncTxCounter(), AppLayerParserGetStreamDepth(), AppLayerParserGetTransactionActive(), AppLayerParserGetTxCnt(), AppLayerParserGetTxFiles(), AppLayerParserParse(), AppLayerParserSetTransactionInspectId(), AppLayerParserStateCleanup(), AppLayerParserTransactionsCleanup(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), DetectEngineInspectBufferGeneric(), DetectEngineInspectBufferSingle(), DetectEngineInspectFiledata(), DetectEngineInspectMultiBufferGeneric(), DetectEngineStateResetTxs(), DetectRunFrameInspectRule(), DetectRunStoreStateTx(), EveAddAppProto(), FileDisableStoringForTransaction(), FileUpdateFlowFileFlags(), FlowNeedsReassembly(), FrameJsonLogOneFrame(), JsonBuildFileInfoRecord(), LLVMFuzzerTestOneInput(), LuaExtensionsMatchSetup(), LuaStateNeedProto(), Prefilter(), RulesDumpMatchArray(), RulesDumpTxMatchArray(), SCAppLayerForceProtocolChange(), and StreamTcpPacket().
◆ alproto_expect
| AppProto Flow_::alproto_expect |
expected app protocol: used in protocol change/upgrade like in STARTTLS.
Definition at line 459 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerRequestProtocolChange(), and EveAddAppProto().
◆ alproto_orig
| AppProto Flow_::alproto_orig |
original application level protocol. Used to indicate the previous protocol when changing to another protocol , e.g. with STARTTLS.
Definition at line 456 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerParserParse(), AppLayerRequestProtocolChange(), EveAddAppProto(), and SCAppLayerForceProtocolChange().
◆ alproto_tc
| AppProto Flow_::alproto_tc |
Definition at line 452 of file flow.h.
Referenced by AppLayerExpectationHandle(), AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerProtoDetectGetProto(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), EveAddAppProto(), FlowSwap(), and SCAppLayerForceProtocolChange().
◆ alproto_ts
| AppProto Flow_::alproto_ts |
Definition at line 451 of file flow.h.
Referenced by AppLayerExpectationHandle(), AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerProtoDetectGetProto(), AppLayerProtoDetectReset(), AppLayerRequestProtocolChange(), EveAddAppProto(), FlowSwap(), and SCAppLayerForceProtocolChange().
◆ alstate
| void* Flow_::alstate |
application layer state
Definition at line 479 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerParserParse(), AppLayerParserTransactionsCleanup(), DetectFileInspectGeneric(), FileUpdateFlowFileFlags(), FlowCleanupAppLayer(), FlowNeedsReassembly(), and LuaExtensionsMatchSetup().
◆ applied_exception_policy
| uint8_t Flow_::applied_exception_policy |
which exception policies were applied, if any
Definition at line 473 of file flow.h.
Referenced by ExceptionPolicyApply().
◆ code
| uint8_t Flow_::code |
◆ de_ctx_version
| uint32_t Flow_::de_ctx_version |
◆ dp
| Port Flow_::dp |
tcp/udp destination port
Definition at line 372 of file flow.h.
Referenced by AppLayerExpectationHandle(), FlowGetDestinationPort(), FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ dst
| FlowAddress Flow_::dst |
Definition at line 359 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ [struct]
| struct { ... } Flow_::esp |
Referenced by FlowInit().
◆ fb
| struct FlowBucket_* Flow_::fb |
Definition at line 491 of file flow.h.
Referenced by FlowGetFlowFromHash(), FlowGetFromFlowKey(), and FlowUpdateState().
◆ ffr
◆ ffr_tc
| uint8_t Flow_::ffr_tc |
Definition at line 388 of file flow.h.
Referenced by FlowNeedsReassembly().
◆ ffr_ts
| uint8_t Flow_::ffr_ts |
Definition at line 387 of file flow.h.
Referenced by FlowNeedsReassembly().
◆ file_flags
| uint16_t Flow_::file_flags |
file tracking/extraction flags
Definition at line 423 of file flow.h.
Referenced by AppLayerParserParse(), FileFlowToFlags(), and FileUpdateFlowFileFlags().
◆ flags
| uint32_t Flow_::flags |
generic flags
Definition at line 421 of file flow.h.
Referenced by AppLayerExpectationCreate(), AppLayerParserParse(), AppLayerParserTransactionsCleanup(), ExceptionPolicyApply(), FlowChangeProto(), FlowClearMemory(), FlowGetFlags(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowHandlePacketUpdate(), FlowHasAlerts(), FlowInit(), FlowSendToLocalThread(), FlowSetChangeProtoFlag(), FlowSetHasAlertsFlag(), FlowSwap(), FlowUnsetChangeProtoFlag(), LLVMFuzzerTestOneInput(), StreamTcpPacket(), and StreamTcpReassembleHandleSegment().
◆ flow_end_flags
◆ flow_hash
| uint32_t Flow_::flow_hash |
flow hash - the flow hash before hash table size mod.
Definition at line 401 of file flow.h.
Referenced by FlowGetFlowFromHash(), and FlowGetFromFlowKey().
◆ flow_state
| FlowStateType Flow_::flow_state |
Definition at line 412 of file flow.h.
Referenced by FlowHandlePacketUpdate(), FlowUpdateState(), and PacketBypassCallback().
◆ flowvar
| GenericVar* Flow_::flowvar |
Definition at line 489 of file flow.h.
Referenced by EveAddMetadata(), FlowVarAddFloat(), FlowVarAddIdValue(), FlowVarAddIntNoLock(), FlowVarAddKeyValue(), FlowVarGet(), and FlowVarGetByKey().
◆ [struct]
| struct { ... } Flow_::icmp_d |
◆ [struct]
| struct { ... } Flow_::icmp_s |
Referenced by FlowInit().
◆ lastts
| SCTime_t Flow_::lastts |
Definition at line 410 of file flow.h.
Referenced by AppLayerExpectationCreate(), AppLayerExpectationHandle(), FlowGetFromFlowKey(), FlowGetLastTimeAsParts(), and FlowHandlePacketUpdate().
◆ livedev
| struct LiveDevice_* Flow_::livedev |
◆ m
◆ max_ttl_toclient
| uint8_t Flow_::max_ttl_toclient |
Definition at line 470 of file flow.h.
Referenced by FlowSwap().
◆ max_ttl_toserver
| uint8_t Flow_::max_ttl_toserver |
Definition at line 468 of file flow.h.
Referenced by FlowInit(), and FlowSwap().
◆ min_ttl_toclient
| uint8_t Flow_::min_ttl_toclient |
Definition at line 469 of file flow.h.
Referenced by FlowSwap().
◆ min_ttl_toserver
| uint8_t Flow_::min_ttl_toserver |
◆ next
| struct Flow_* Flow_::next |
Definition at line 396 of file flow.h.
Referenced by FlowGetExistingFlowFromFlowId(), FlowGetFlowFromHash(), FlowGetFromFlowKey(), FlowQueuePrivateAppendFlow(), FlowQueuePrivateAppendPrivate(), FlowQueuePrivateGetFromTop(), FlowQueuePrivatePrependFlow(), FlowReset(), FlowShutdown(), and StatsReleaseCounters().
◆ parent_id
| int64_t Flow_::parent_id |
Definition at line 430 of file flow.h.
Referenced by CreateEveFlowId().
◆ probing_parser_toclient_alproto_masks
| uint32_t Flow_::probing_parser_toclient_alproto_masks |
Definition at line 419 of file flow.h.
Referenced by AppLayerProtoDetectReset(), and FlowSwap().
◆ probing_parser_toserver_alproto_masks
| uint32_t Flow_::probing_parser_toserver_alproto_masks |
Definition at line 418 of file flow.h.
Referenced by AppLayerProtoDetectReset(), and FlowSwap().
◆ proto
| uint8_t Flow_::proto |
Definition at line 378 of file flow.h.
Referenced by AppLayerFrameDump(), AppLayerFrameNewByAbsoluteOffset(), AppLayerFrameNewByPointer(), AppLayerFrameNewByRelativeOffset(), AppLayerFramesSetupContainer(), AppLayerParserParse(), AppLayerParserSetTransactionInspectId(), AppLayerParserTransactionsCleanup(), DetectEngineInspectBufferGeneric(), DetectEngineInspectBufferSingle(), DetectEngineInspectFiledata(), DetectEngineInspectMultiBufferGeneric(), DetectEngineStateResetTxs(), DetectRunFrameInspectRule(), DetectRunStoreStateTx(), EveIKEAddMetadata(), EveNFSAddMetadata(), EveNFSAddMetadataRPC(), EveSMBAddMetadata(), FileDisableStoringForTransaction(), FileUpdateFlowFileFlags(), FlowCleanupAppLayer(), FlowGetDisruptionFlags(), FlowGetFromFlowKey(), FlowHandlePacketUpdate(), FlowInit(), FlowReset(), FlowShutdown(), FlowSwap(), FrameJsonLogOneFrame(), FramesPrune(), HttpXFFGetIPFromTx(), JsonBuildFileInfoRecord(), LLVMFuzzerTestOneInput(), LuaExtensionsMatchSetup(), StreamTcpAppLayerIsDisabled(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().
◆ protoctx
| void* Flow_::protoctx |
protocol specific data pointer, e.g. for TcpSession
Definition at line 441 of file flow.h.
Referenced by AppLayerFrameDump(), AppLayerFrameNewByAbsoluteOffset(), AppLayerFrameNewByPointer(), AppLayerFrameNewByRelativeOffset(), AppLayerFramesSetupContainer(), AppLayerFramesSlide(), AppLayerParserParse(), AppLayerParserTriggerRawStreamInspection(), DetectEngineInspectFrameBufferGeneric(), DetectEngineInspectStream(), DetectEngineInspectStreamPayload(), FlowClearMemory(), FlowGetDisruptionFlags(), FlowGetFlowFromHash(), FlowHandlePacketUpdate(), FlowNeedsReassembly(), FrameJsonLogOneFrame(), FramesPrune(), LLVMFuzzerTestOneInput(), StreamTcpAppLayerIsDisabled(), StreamTcpDetectLogFlush(), StreamTcpDisableAppLayer(), StreamTcpPacket(), StreamTcpPruneSession(), StreamTcpReassembleDepthReached(), StreamTcpSegmentForEach(), StreamTcpSegmentForSession(), StreamTcpSessionPktFree(), UTHAddSessionToFlow(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().
◆ protodetect_dp
| uint16_t Flow_::protodetect_dp |
destination port to be used in protocol detection. This is meant for use with STARTTLS and HTTP CONNECT detection 0 if not used
Definition at line 427 of file flow.h.
Referenced by AppLayerRequestProtocolChange().
◆ protomap
| uint8_t Flow_::protomap |
mapping to Flow's protocol specific protocols for timeouts and state and free functions.
Definition at line 445 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerIncAllocErrorCounter(), AppLayerIncGapErrorCounter(), AppLayerIncInternalErrorCounter(), AppLayerIncParserErrorCounter(), AppLayerIncTxCounter(), AppLayerParserGetStreamDepth(), AppLayerParserGetTransactionActive(), AppLayerParserGetTxCnt(), AppLayerParserGetTxFiles(), AppLayerParserParse(), AppLayerParserStateCleanup(), AppLayerParserTransactionsCleanup(), FlowGetFromFlowKey(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ recursion_level
| uint8_t Flow_::recursion_level |
Definition at line 379 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowInit().
◆ sgh_toclient
| const struct SigGroupHead_* Flow_::sgh_toclient |
toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag has been set.
Definition at line 483 of file flow.h.
Referenced by AppLayerParserTransactionsCleanup(), and FlowSwap().
◆ sgh_toserver
| const struct SigGroupHead_* Flow_::sgh_toserver |
toserver sgh for this flow. Only use when FLOW_SGH_TOSERVER flow flag has been set.
Definition at line 486 of file flow.h.
Referenced by AppLayerParserTransactionsCleanup(), and FlowSwap().
◆ sp
| Port Flow_::sp |
tcp/udp source port
Definition at line 361 of file flow.h.
Referenced by AppLayerExpectationHandle(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowGetSourcePort(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ spi
| uint32_t Flow_::spi |
◆ src
| FlowAddress Flow_::src |
Definition at line 359 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowInit(), and LLVMFuzzerTestOneInput().
◆ startts
| SCTime_t Flow_::startts |
Definition at line 493 of file flow.h.
Referenced by EveAddFlow(), FlowGetFromFlowKey(), and FlowInit().
◆ storage
| Storage Flow_::storage[] |
Definition at line 500 of file flow.h.
Referenced by FlowAllocStorageById(), FlowFreeStorage(), FlowFreeStorageById(), FlowGetStorageById(), and FlowSetStorageById().
◆ tenant_id
| uint32_t Flow_::tenant_id |
flow tenant id, used to setup flow timeout and stream pseudo packets with the correct tenant id set
Definition at line 416 of file flow.h.
Referenced by EveAddCommonOptions().
◆ thread_id
| FlowThreadId Flow_::thread_id[2] |
Thread ID for the stream/detect portion of this flow
Definition at line 394 of file flow.h.
Referenced by FlowHandlePacketUpdate(), FlowInit(), FlowSendToLocalThread(), and FlowSwap().
◆ timeout_policy
| uint32_t Flow_::timeout_policy |
timeout in seconds by policy, add to Flow::lastts to get actual time this times out. Ignored in emergency mode.
Definition at line 405 of file flow.h.
Referenced by FlowInit(), and FlowUpdateState().
◆ todstbytecnt
| uint64_t Flow_::todstbytecnt |
Definition at line 497 of file flow.h.
Referenced by EveAddFlow(), FlowHandlePacketUpdate(), and FlowSwap().
◆ todstpktcnt
| uint32_t Flow_::todstpktcnt |
Definition at line 495 of file flow.h.
Referenced by EveAddFlow(), FlowHandlePacketUpdate(), and FlowSwap().
◆ tosrcbytecnt
| uint64_t Flow_::tosrcbytecnt |
Definition at line 498 of file flow.h.
Referenced by EveAddFlow(), FlowHandlePacketUpdate(), and FlowSwap().
◆ tosrcpktcnt
| uint32_t Flow_::tosrcpktcnt |
Definition at line 496 of file flow.h.
Referenced by EveAddFlow(), FlowHandlePacketUpdate(), and FlowSwap().
◆ type
| uint8_t Flow_::type |
◆ vlan_id
| uint16_t Flow_::vlan_id[VLAN_MAX_LAYERS] |
Definition at line 380 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowInit().
◆ vlan_idx
| uint8_t Flow_::vlan_idx |
Definition at line 382 of file flow.h.
Referenced by FlowInit().
The documentation for this struct was generated from the following file:
- src/flow.h
