Support #1407
Closed: Determine the direction of a packet
Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:
Description
New source in Suri v2.0.7:
```c
/**
 * \brief determine the direction of the packet compared to the flow
 * \retval 0 to_server
 * \retval 1 to_client
 */
int FlowGetPacketDirection(Flow *f, const Packet *p)
{
    if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
        if (!(CMP_PORT(p->sp,p->dp))) {
            /* update flags and counters */
            if (CMP_PORT(f->sp,p->sp)) {
                return TOSERVER;
            } else {
                return TOCLIENT;
            }
        } else {
            if (CMP_ADDR(&f->src,&p->src)) {
                return TOSERVER;
            } else {
                return TOCLIENT;
            }
        }
    } else if (p->proto == IPPROTO_ICMP || p->proto == IPPROTO_ICMPV6) {
        if (CMP_ADDR(&f->src,&p->src)) {
            return TOSERVER;
        } else {
            return TOCLIENT;
        }
    }

    /* default to toserver */
    return TOSERVER;
}
```
I do not understand why the source port and destination port of the new packet must be compared.
Also, to determine the direction of a new packet in the TCP case, the first packet has the SYN flag. So the packet carrying the SYN flag gives the correct direction of the flow. In my opinion, the SYN flag of new packets should be checked to determine their direction.
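The reason for the `CMP_PORT(p->sp, p->dp)` check becomes visible once both endpoints use the same port. The following is an added, self-contained model of the decision tree above (not Suricata's code; `Flow`, `Packet`, `CMP_ADDR`, `CMP_PORT` are simplified stand-ins with assumed shapes): an HTTPS reply where ports differ, and an NTP reply where both sides use UDP/123, compared against a port-only rule.

```c
#include <stdint.h>

/* Simplified stand-ins for Suricata's Flow and Packet (assumed shapes, not the
 * real structs): IPv4-only addresses, ports, protocol. Flow fields are copied
 * from the packet that created the flow, so f->src/f->sp are the client side. */
enum { TOSERVER = 0, TOCLIENT = 1 };
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
typedef struct { uint32_t ip; } Addr;
typedef struct { Addr src, dst; uint16_t sp, dp; uint8_t proto; } Packet;
typedef struct { Addr src, dst; uint16_t sp, dp; uint8_t proto; } Flow;
#define CMP_ADDR(a, b) ((a)->ip == (b)->ip)
#define CMP_PORT(a, b) ((a) == (b))
/* Same decision tree as FlowGetPacketDirection in the ticket. */
int direction(const Flow *f, const Packet *p) {
    if (p->proto == PROTO_TCP || p->proto == PROTO_UDP) {
        if (!CMP_PORT(p->sp, p->dp))      /* ports differ: the port alone identifies the side */
            return CMP_PORT(f->sp, p->sp) ? TOSERVER : TOCLIENT;
        /* sp == dp (NTP 123<->123, DNS 53<->53): ports carry no information, use addresses */
        return CMP_ADDR(&f->src, &p->src) ? TOSERVER : TOCLIENT;
    } else if (p->proto == PROTO_ICMP) {
        return CMP_ADDR(&f->src, &p->src) ? TOSERVER : TOCLIENT;
    }
    return TOSERVER;                      /* default to toserver */
}
/* What the code would do if it skipped the sp == dp check and trusted ports alone. */
int port_only_direction(const Flow *f, const Packet *p) {
    return CMP_PORT(f->sp, p->sp) ? TOSERVER : TOCLIENT;
}

static Flow flow_from(const Packet *p) {
    Flow f = { p->src, p->dst, p->sp, p->dp, p->proto };
    return f;
}

/* Constructed HTTPS flow: client 10.0.0.1:40000 -> server 10.0.0.2:443, then the SYN/ACK back. */
int https_reply_direction(void) {
    Packet syn    = { {0x0a000001}, {0x0a000002}, 40000, 443, PROTO_TCP };
    Packet synack = { {0x0a000002}, {0x0a000001}, 443, 40000, PROTO_TCP };
    Flow f = flow_from(&syn);
    return direction(&f, &synack);        /* TOCLIENT */
}

/* Constructed NTP flow: both ends use UDP/123, so only the addresses can tell the reply apart. */
int ntp_reply_direction(int port_only) {
    Packet req  = { {0x0a000001}, {0x0a000002}, 123, 123, PROTO_UDP };
    Packet resp = { {0x0a000002}, {0x0a000001}, 123, 123, PROTO_UDP };
    Flow f = flow_from(&req);
    return port_only ? port_only_direction(&f, &resp) : direction(&f, &resp);
}
```

With `port_only` set, the NTP reply is classified as TOSERVER because 123 == 123; the address fallback classifies it correctly as TOCLIENT.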
Updated by Victor Julien over 8 years ago
- Status changed from New to Closed
The presence of a SYN flag is not a completely reliable indication of direction. A {broken|malicious} server could send it as well. Current code has much improved handling of all this btw.