defrag: fix wrong datalink being logged
Eve's packet_info.linktype should correctly indicate what the `packet`
field contains. Until now it was using DLT_RAW even if Ethernet or other
L2+ headers were present.

This commit records the datalink of the packet creating the first
fragment, which can include the L2+ header data.

Bug: #6887.
(cherry picked from commit 49c67b2)
victorjulien committed Apr 17, 2024
1 parent 9e4dfb2 commit 677abc6
Showing 3 changed files with 6 additions and 1 deletion.
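--- a/src/decode.c
+++ b/src/decode.c
@@ -408,7 +408,6 @@ Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, u
 p->recursion_level = parent->recursion_level; /* NOT incremented */
 p->ts.tv_sec = parent->ts.tv_sec;
 p->ts.tv_usec = parent->ts.tv_usec;
-p->datalink = DLT_RAW;
 p->tenant_id = parent->tenant_id;
 /* tell new packet it's part of a tunnel */
 SET_TUNNEL_PKT(p);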
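--- a/src/defrag.c
+++ b/src/defrag.c
@@ -295,6 +295,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+rp->datalink = tracker->datalink;
 
 int fragmentable_offset = 0;
 int fragmentable_len = 0;
@@ -433,6 +434,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+rp->datalink = tracker->datalink;
 
 int unfragmentable_len = 0;
 int fragmentable_offset = 0;
@@ -861,6 +863,9 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
 #ifdef DEBUG
 new->pcap_cnt = pcap_cnt;
 #endif
+if (frag_offset == 0) {
+tracker->datalink = p->datalink;
+}
 
 IP_FRAGMENTS_RB_INSERT(&tracker->fragment_tree, new);
 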
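Review bot: In DefragInsertFrag the assignment `tracker->datalink = p->datalink;` runs for every inserted fragment whose offset is 0, so a later duplicate or overlapping offset-0 fragment overwrites the value recorded by the earlier one. If the two arrive over different link types, the linktype written to EVE may presumably no longer match the L2 header bytes that Defrag4Reassemble/Defrag6Reassemble place in the rebuilt packet, and the logged `packet` field would then be decoded incorrectly by downstream analysis tooling. Consider taking the datalink from the same fragment whose header is used at reassembly, or at least stating the rule next to the assignment, e.g. `/* last inserted offset-0 fragment wins; must match the fragment used for the rebuilt header */`. All three functions continue outside the visible hunks, so the overlap handling and the header copy cannot be confirmed from this page.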
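--- a/src/defrag.h
+++ b/src/defrag.h
@@ -105,6 +105,7 @@ typedef struct DefragTracker_ {
 Address dst_addr; /**< Destination address for this tracker. */
 
 struct timeval timeout; /**< When this tracker will timeout. */
+int datalink; /**< datalink for reassembled packet, set by first fragment */
 uint32_t host_timeout; /**< Host timeout, statically assigned from the yaml */
 
 /** use cnt, reference counter */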
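Review bot: The comment on `int datalink;` says "set by first fragment" but does not say what the field holds before an offset-0 fragment has been inserted, and no hunk on this page shows it being initialised or reset when a tracker is set up or reused. If trackers are recycled, a value left over from an earlier reassembly could presumably be read and end up as the logged linktype. I would document the contract on the field, e.g. `/**< datalink (DLT_*) of the packet carrying the offset-0 fragment; reset when the tracker is (re)initialised */`, and confirm that the tracker init path actually performs that reset. The struct definition continues outside the hunk.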
