Project

General

Profile

Actions

Feature #1870

closed

make logged flow_id more unique

Added by Victor Julien over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Currently we use the flow_hash, which is better than what we had before, but still not very unique.

Was thinking about something like:

diff --git a/src/output-json.c b/src/output-json.c
index 3293509..ced2195 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -119,7 +119,10 @@ void CreateJSONFlowId(json_t *js, const Flow *f)
 {
     if (f == NULL)
         return;
-    json_object_set_new(js, "flow_id", json_integer(f->flow_hash));
+
+    int64_t flow_id = (int64_t)f->flow_hash << 31 | (int64_t)(f->startts.tv_sec & 0x0000FFFF) << 16 | f->thread_id;
+
+    json_object_set_new(js, "flow_id", json_integer(flow_id));
 }

 json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,

In a test pcap with about 110k flows, this seems to give a perfect result. Each flow has a unique id.

Actions #1

Updated by Jason Ish over 7 years ago

I like.

Actions #2

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.1.2
Actions #3

Updated by Victor Julien over 7 years ago

Reduced to 51 bits. ELK/evebox couldn't handle the higher values. Looks like a Javascript and perhaps also JSON limitation: https://github.com/inliniac/suricata/pull/2214

Actions

Also available in: Atom PDF