From fb4dea0a78fc512b55163a3b2e5d61032da9dc63 Mon Sep 17 00:00:00 2001
From: Sven Eckelmann
Date: Mon, 12 May 2014 17:10:48 +0200
Subject: [PATCH] reclassify flow status after FLOW_TIMEOUT
A flow which is marked as timeout and restarted again gets the status STS_UNSET. This results in the output path "others/". This can often happen with UDP packets like DHCP because they aren't send very frequenty. The "others"/STS_UNSET classification is wrong in this case because it is known that this flow is UDP. This is especially important when the "others" output type is not enabled. The flow should be reclassified instead to calculate the correct output folder.
---
 pkt2flow.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/pkt2flow.c b/pkt2flow.c
index dbe4655..94cf81b 100644
--- a/pkt2flow.c
+++ b/pkt2flow.c
@@ -425,6 +425,21 @@ static void process_trace(void)
 fname = new_file_name(af_6tuple, hdr.ts.tv_sec);
 pair->pdf.file_name = fname;
 pair->pdf.start_time = hdr.ts.tv_sec;
+
+ switch (af_6tuple.protocol) {
+ case IPPROTO_TCP:
+ if (syn_detected)
+ pair->pdf.status = STS_TCP_SYN;
+ else
+ pair->pdf.status = STS_TCP_NOSYN;
+ break;
+ case IPPROTO_UDP:
+ pair->pdf.status = STS_UDP;
+ break;
+ default:
+ pair->pdf.status = STS_UNSET;
+ break;
+ }
 }
 }
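Review bot: The added `switch (af_6tuple.protocol)` in process_trace() has no comment saying why the status is recomputed at this point, and the reason is only in the commit message. A short comment above it would keep that visible, for example `/* flow restarted after FLOW_TIMEOUT: re-derive status so the output directory matches the protocol */`. The TCP branch depends on `syn_detected`, which is assigned outside this hunk. It is worth confirming that it describes the packet that restarts the flow rather than an earlier one, since the choice between `STS_TCP_SYN` and `STS_TCP_NOSYN` decides where the restarted flow is written. If the first-time classification elsewhere in the function uses the same mapping (not visible here), a small `static` helper shared by both sites would stop the two from drifting apart.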