Feature #1870
closed
make logged flow_id more unique
Description
Currently we use the flow_hash, which is better than what we had before, but still not very unique.
Was thinking about something like:
diff --git a/src/output-json.c b/src/output-json.c
index 3293509..ced2195 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -119,7 +119,10 @@ void CreateJSONFlowId(json_t *js, const Flow *f)
{
if (f == NULL)
return;
- json_object_set_new(js, "flow_id", json_integer(f->flow_hash));
+
+ int64_t flow_id = (int64_t)f->flow_hash << 31 | (int64_t)(f->startts.tv_sec & 0x0000FFFF) << 16 | f->thread_id;
+
+ json_object_set_new(js, "flow_id", json_integer(flow_id));
}
json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,
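Review bot: The bit fields in the new `flow_id` expression overlap, so the three components are not independent. `(int64_t)f->flow_hash << 31` starts at bit 31, while `(int64_t)(f->startts.tv_sec & 0x0000FFFF) << 16` occupies bits 16 to 31, so bit 31 is shared by the hash and the timestamp. `f->thread_id` is OR-ed in without a mask, so any value above 0xFFFF would spill into the timestamp bits. Give each field a disjoint range (for example, narrow the timestamp mask to 15 bits if the hash must stay clear of the sign bit, and mask the thread id as `(f->thread_id & 0xFFFF)`), and add a comment above the expression documenting the layout. Also worth noting in that comment: only the low 16 bits of `tv_sec` are kept, so the time component repeats every 65536 seconds, and consumers should not treat the id as unique across long-running captures.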
In a test pcap with about 110k flows, this seems to give a perfect result. Each flow has a unique id.