From 21d61fc04c5e44cabe62bd7d683545766dbed741 Mon Sep 17 00:00:00 2001 From: Peter Haag Date: Sun, 1 Dec 2024 12:27:46 +0100 Subject: [PATCH] Add filter for "min ttl" and "max ttl" Remove old ttl. Map old filter ttl into "min ttl or max ttl" Add min/max TTL in ipfix and netflowv9 module Replace old TTL in nfpcapd and add min/max TTL. Closes #580 --- man/nfdump.1 | 12 ++++++++++-- src/libnfdump/filter/filter.h | 3 +++ src/libnfdump/filter/grammar.y | 34 +++++++++++++++++++++++++++------- src/libnfdump/filter/scanner.l | 2 ++ src/libnffile/nfxV3.h | 4 +--- src/netflow/ipfix.c | 2 +- src/netflow/netflow_v9.c | 4 +++- src/nfdump/nflowcache.c | 3 ++- src/nfdump/nfstat.c | 3 ++- src/nfpcapd/flowdump.c | 3 ++- src/nfpcapd/flowtree.h | 5 +++-- src/nfpcapd/pcaproc.c | 15 ++++++++++++--- src/output/output_csv.c | 20 ++++---------------- src/output/output_fmt.c | 11 ++++++----- src/output/output_json.c | 3 +-- src/output/output_ndjson.c | 3 +-- src/output/output_raw.c | 7 ++----- src/test/nfgen.c | 3 ++- src/test/nftest.1.out | 3 ++- src/test/nftest.2.out | 3 ++- src/test/nftest.4.out | 3 ++- src/test/nftest.c | 25 +++++++++++++++++++++---- 22 files changed, 111 insertions(+), 60 deletions(-) diff --git a/man/nfdump.1 b/man/nfdump.1 index 1469e424..1f56f2ff 100755 --- a/man/nfdump.1 +++ b/man/nfdump.1 @@ -848,8 +848,12 @@ True if source and destination IP of a record are IPv4 IPs. .It Cm ipv6 True if source and destination IP of a record are IPv6 IPs. .Pp +.It Cm min ttl Ar comp num +.It Cm max ttl Ar comp num +True if min/max IP ttl matches comparison. +.Pp .It Cm ttl Ar comp num -True if IP ttl matches comparison. +True if min or max IP ttl matches comparison. .Pp .It Cm proto Ar protocol True if the record protocol field matches @@ -1714,8 +1718,12 @@ Destination Address(country code):Port Source Port .It Cm %dp Destination Port +.It Cm %minttl +IP min ttl +.It Cm %maxttl +IP max ttl .It Cm %ttl -IP ttl +IP min/max ttl .It Cm %it ICMP-type .It Cm %ic 
diff --git a/src/libnfdump/filter/filter.h b/src/libnfdump/filter/filter.h index 31e10c42..c736034c 100644 --- a/src/libnfdump/filter/filter.h +++ b/src/libnfdump/filter/filter.h @@ -64,6 +64,8 @@ typedef enum { SRC_ROUTER } direction_t; +typedef enum { PRE_UNKNOWN = 0, PRE_MIN, PRE_MAX } prefix_t; + typedef enum { CMP_EQ = 0, CMP_GT, @@ -86,6 +88,7 @@ typedef enum { typedef struct FilterParam { comparator_t comp; direction_t direction; + prefix_t prefix; int32_t self; } FilterParam_t; diff --git a/src/libnfdump/filter/grammar.y b/src/libnfdump/filter/grammar.y index 847787b3..9ba1a81c 100644 --- a/src/libnfdump/filter/grammar.y +++ b/src/libnfdump/filter/grammar.y @@ -92,7 +92,7 @@ static int AddFlagsString(direction_t direction, char *flags); static int AddTosNumber(direction_t direction, uint16_t comp, uint64_t tos); -static int AddIPttl(uint16_t comp, uint64_t ttl); +static int AddIPttl(prefix_t prefix, uint16_t comp, uint64_t ttl); static int AddPackets(direction_t direction, uint16_t comp, uint64_t packets); @@ -176,7 +176,7 @@ static int AddASList(direction_t direction, void *U64List); %token EQ LT GT LE GE %token ANY NOT IDENT COUNT %token IP IPV4 IPV6 IPTTL NET -%token SRC DST IN OUT PREV NEXT BGP ROUTER INGRESS EGRESS +%token SRC DST IN OUT MIN MAX PREV NEXT BGP ROUTER INGRESS EGRESS %token CLIENT SERVER %token NAT XLATE TUN %token ENGINE ENGINETYPE ENGINEID EXPORTER @@ -189,7 +189,7 @@ static int AddASList(direction_t direction, void *U64List); %token GEOSTRING %token NUMBER %type expr -%type dqual term comp +%type dqual minmax term comp %type iplist u64list %left '+' OR 
@@ -280,8 +280,8 @@ term: ANY { /* this is an unconditionally true expression, as a filter applies i $$.self = AddTosNumber($1.direction, $3.comp, $4); if ( $$.self < 0 ) YYABORT; } - | IPTTL comp NUMBER { - $$.self = AddIPttl($2.comp, $3); if ( $$.self < 0 ) YYABORT; + | minmax IPTTL comp NUMBER { + $$.self = AddIPttl($1.prefix, $3.comp, $4); if ( $$.self < 0 ) YYABORT; } | FWDSTAT comp NUMBER { @@ -549,6 +549,11 @@ dqual: { $$.direction = DIR_UNSPEC; } | EXPORTER { $$.direction = SRC_ROUTER; } ; +minmax: { $$.prefix = PRE_UNKNOWN; } + | MIN { $$.prefix = PRE_MIN; } + | MAX { $$.prefix = PRE_MAX; } + ; + expr: term { $$ = $1.self; } | expr OR expr { $$ = Connect_OR($1, $3); } | expr AND expr { $$ = Connect_AND($1, $3); } @@ -904,13 +909,28 @@ static int AddTosNumber(direction_t direction, uint16_t comp, uint64_t tos) { return ret; } // End of AddTosNumber -static int AddIPttl(uint16_t comp, uint64_t ttl) { +static int AddIPttl(prefix_t prefix, uint16_t comp, uint64_t ttl) { if ( ttl > 255 ) { yyprintf("TTL number out of range"); return -1; } - return NewElement(EXipInfoID, OFFipTTL, SIZEipTTL, ttl, comp, FUNC_NONE, NULLPtr); + int ret = 0; + switch (prefix) { + case PRE_UNKNOWN: + ret = Connect_OR( + NewElement(EXipInfoID, OFFminTTL, SIZEminTTL, ttl, comp, FUNC_NONE, NULLPtr), + NewElement(EXipInfoID, OFFmaxTTL, SIZEmaxTTL, ttl, comp, FUNC_NONE, NULLPtr)); + break; + case PRE_MIN: + ret = NewElement(EXipInfoID, OFFminTTL, SIZEminTTL, ttl, comp, FUNC_NONE, NULLPtr); + break; + case PRE_MAX: + ret = NewElement(EXipInfoID, OFFmaxTTL, SIZEmaxTTL, ttl, comp, FUNC_NONE, NULLPtr); + break; + } + return ret; + } // End of AddIPttl static int AddPackets(direction_t direction, uint16_t comp, uint64_t packets) { diff --git a/src/libnfdump/filter/scanner.l b/src/libnfdump/filter/scanner.l index 88f938ce..f8d65e19 100755 --- a/src/libnfdump/filter/scanner.l +++ b/src/libnfdump/filter/scanner.l 
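Review bot: In AddIPttl the new `switch (prefix)` has no `default` and `ret` starts at 0, so a prefix value outside the three enum cases would return 0, which the `if ( $$.self < 0 ) YYABORT;` check in the `minmax IPTTL comp NUMBER` rule does not treat as a failure. Initialising with `int ret = -1;` makes the unhandled case fail closed. In the `PRE_UNKNOWN` branch the two `NewElement(...)` results are also passed to `Connect_OR` unchecked; if NewElement can return a negative value (its definition is not in this hunk), each result should be tested before connecting.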
@@ -132,6 +132,8 @@ src { return SRC; } dst { return DST; } in { return IN; } out { return OUT; } +min { return MIN; } +max { return MAX; } next { return NEXT; } prev { return PREV; } bgp { return BGP; } diff --git a/src/libnffile/nfxV3.h b/src/libnffile/nfxV3.h index a7d049b0..cc06214e 100755 --- a/src/libnffile/nfxV3.h +++ b/src/libnffile/nfxV3.h @@ -685,9 +685,7 @@ typedef struct EXnokiaNatString_s { #define EXipInfoID 42 typedef struct EXipInfo_s { - uint8_t ttl; -#define OFFipTTL offsetof(EXipInfo_t, ttl) -#define SIZEipTTL MemberSize(EXipInfo_t, ttl) + uint8_t fill; #define flagMF 0x20 #define flagDF 0x40 uint8_t fragmentFlags; diff --git a/src/netflow/ipfix.c b/src/netflow/ipfix.c index dcd715b5..48878d40 100755 --- a/src/netflow/ipfix.c +++ b/src/netflow/ipfix.c @@ -189,7 +189,7 @@ static const struct ipfixTranslationMap_s { {IPFIX_flowDirection, SIZEdir, NumberCopy, EXflowMiscID, OFFdir, STACK_NONE, "flow direction"}, {IPFIX_biflowDirection, SIZEbiFlowDir, NumberCopy, EXflowMiscID, OFFbiFlowDir, STACK_NONE, "biFlow direction"}, {IPFIX_flowEndReason, SIZEflowEndReason, NumberCopy, EXflowMiscID, OFFflowEndReason, STACK_NONE, "Flow end reason"}, - {IPFIX_ipTTL, SIZEipTTL, NumberCopy, EXipInfoID, OFFipTTL, STACK_NONE, "IP ttl"}, + {IPFIX_ipTTL, SIZEminTTL, NumberCopy, EXipInfoID, OFFminTTL, STACK_NONE, "flow min TTL"}, {IPFIX_fragmentFlags, SIZEfragmentFlags, NumberCopy, EXipInfoID, OFFfragmentFlags, STACK_NONE, "IP fragment flags"}, {IPFIX_ipNextHopIPv6Address, SIZENextHopV6IP, NumberCopy, EXipNextHopV6ID, OFFNextHopV6IP, STACK_NONE, "IPv6 next hop IP"}, {IPFIX_bgpNextHopIPv6Address, SIZEbgp6NextIP, NumberCopy, EXbgpNextHopV6ID, OFFbgp6NextIP, STACK_NONE, "IPv6 bgp next hop IP"}, diff --git a/src/netflow/netflow_v9.c b/src/netflow/netflow_v9.c index dec70e5a..555253e6 100755 --- a/src/netflow/netflow_v9.c +++ b/src/netflow/netflow_v9.c 
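Review bot: The renamed `fill` byte in EXipInfo_s carries no comment saying it used to hold the single TTL value, so a reader cannot tell why the byte is kept or that files written by earlier versions may still have a TTL stored there. Suggest `uint8_t fill;  // formerly ttl; kept so the extension layout does not change`. Whether older records get their TTL moved into minTTL/maxTTL on read is not visible in this hunk and is worth confirming, since otherwise that value can no longer be filtered on or printed.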
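Review bot: Mapping `IPFIX_ipTTL` to `OFFminTTL` alone leaves `maxTTL` at whatever the extension was initialised to (presumably 0) for exporters that send only this element, so the un-prefixed filter, which AddIPttl now builds as min OR max, would match `ttl < N` on every such record through the zero maxTTL. The same applies to the `NF_F_ipTTL` entry changed in src/netflow/netflow_v9.c. Where TTL filters feed detection or triage queries this yields false matches; consider filling both fields from a single-valued TTL, or at least add a comment on the map entry such as `// single TTL stored as minTTL; maxTTL stays unset`.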
@@ -167,11 +167,13 @@ static const struct v9TranslationMap_s { {NF9_IPV6_SRC_MASK, SIZEsrcMask, NumberCopy, EXflowMiscID, OFFsrcMask, STACK_NONE, "src mask bits"}, {NF9_IPV6_DST_MASK, SIZEdstMask, NumberCopy, EXflowMiscID, OFFdstMask, STACK_NONE, "dst mask bits"}, {NF9_ICMP, Stack_ONLY, NumberCopy, EXgenericFlowID, OFFdstPort, STACK_ICMP, "icmp type/code"}, + {NF9_MIN_TTL, SIZEminTTL, NumberCopy, EXipInfoID, OFFminTTL, STACK_NONE, "flow min TTL"}, + {NF9_MAX_TTL, SIZEmaxTTL, NumberCopy, EXipInfoID, OFFmaxTTL, STACK_NONE, "flow max TTL"}, {NF9_DST_TOS, SIZEdstTos, NumberCopy, EXflowMiscID, OFFdstTos, STACK_NONE, "post IP class of Service"}, {NF9_MIN_TTL, SIZEminTTL, NumberCopy, EXipInfoID, OFFminTTL, STACK_NONE, "flow min TTL"}, {NF9_MAX_TTL, SIZEmaxTTL, NumberCopy, EXipInfoID, OFFmaxTTL, STACK_NONE, "flow max TTL"}, {NF_F_flowEndReason, SIZEflowEndReason, NumberCopy, EXflowMiscID, OFFflowEndReason, STACK_NONE, "Flow end reason"}, - {NF_F_ipTTL, SIZEipTTL, NumberCopy, EXipInfoID, OFFipTTL, STACK_NONE, "IP ttl"}, + {NF_F_ipTTL, SIZEminTTL, NumberCopy, EXipInfoID, OFFminTTL, STACK_NONE, "flow min TTL"}, {NF_F_fragmentFlags, SIZEfragmentFlags, NumberCopy, EXipInfoID, OFFfragmentFlags, STACK_NONE, "IP fragment flags"}, {NF9_IN_SRC_MAC, SIZEinSrcMac, NumberCopy, EXmacAddrID, OFFinSrcMac, STACK_NONE, "in src MAC addr"}, {NF9_OUT_DST_MAC, SIZEoutDstMac, NumberCopy, EXmacAddrID, OFFoutDstMac, STACK_NONE, "out dst MAC addr"}, diff --git a/src/nfdump/nflowcache.c b/src/nfdump/nflowcache.c index dbb41216..0bdeb1b1 100755 --- a/src/nfdump/nflowcache.c +++ b/src/nfdump/nflowcache.c 
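Review bot: The two added `NF9_MIN_TTL` / `NF9_MAX_TTL` rows duplicate the identical rows that already follow `NF9_DST_TOS` two lines further down in the same table, visible as context in this hunk. Depending on how v9TranslationMap is searched (not shown here), the second pair is either dead or a second match for the same element ID. One of the two pairs should be dropped.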
@@ -149,7 +149,8 @@ static struct aggregationElement_s { {"srcgeo", {EXlocal, OFFgeoSrcIP, SizeGEOloc, 0}, 0, SRC_GEO, 0, 0, "%sc"}, {"dstgeo", {EXlocal, OFFgeoDstIP, SizeGEOloc, 0}, 0, DST_GEO, 0, 0, "%dc"}, {"ethertype", {EXlayer2ID, OFFetherType, SIZEetherType, 0}, 0, NOPREPROCESS, 0, 0, "%eth"}, - {"ttl", {EXipInfoID, OFFipTTL, SIZEipTTL, 0}, 0, NOPREPROCESS, 0, 0, "%ttl"}, + {"minttl", {EXipInfoID, OFFminTTL, SIZEminTTL, 0}, 0, NOPREPROCESS, 0, 0, "%minttl"}, + {"maxttl", {EXipInfoID, OFFmaxTTL, SIZEmaxTTL, 0}, 0, NOPREPROCESS, 0, 0, "%maxttl"}, {NULL, {0, 0, 0}, 0, NOPREPROCESS, 0, 0, NULL}}; // FlowHash stat record, to aggregate flow counters in -A or -s stat/aggregate mode diff --git a/src/nfdump/nfstat.c b/src/nfdump/nfstat.c index db971491..c63175f0 100644 --- a/src/nfdump/nfstat.c +++ b/src/nfdump/nfstat.c @@ -224,7 +224,8 @@ static struct StatParameter_s { // {"exace", "Egress ACL", {EXnselAclID, OFFegressAcl, SIZEegressAcl, 0}, IS_HEX, NULL}, {"ivrf", "I-vrf ID", {EXvrfID, OFFingressVrf, SIZEingressVrf, 0}, IS_NUMBER, NULL}, {"evrf", "E-vrf ID", {EXvrfID, OFFegressVrf, SIZEegressVrf, 0}, IS_NUMBER, NULL}, - {"ttl", "TTL", {EXipInfoID, OFFipTTL, SIZEipTTL, 0}, IS_NUMBER, NULL}, + {"minttl", "minTTL", {EXipInfoID, OFFminTTL, SIZEminTTL, 0}, IS_NUMBER, NULL}, + {"maxttl", "maxTTL", {EXipInfoID, OFFmaxTTL, SIZEmaxTTL, 0}, IS_NUMBER, NULL}, // header info != NULL {NULL, "DONE", {0, 0, 0, 0}, 0, NULL}}; diff --git a/src/nfpcapd/flowdump.c b/src/nfpcapd/flowdump.c index 2126d62f..82611d7e 100644 --- a/src/nfpcapd/flowdump.c +++ b/src/nfpcapd/flowdump.c @@ -136,7 +136,8 @@ static int StorePcapFlow(flowParam_t *flowParam, struct FlowNode *Node) { if (flowParam->extendedFlow) { UpdateRecordSize(EXipInfoSize); PushExtension(recordHeader, EXipInfo, ipInfo); - ipInfo->ttl = Node->ttl; + ipInfo->minTTL = Node->minTTL; + ipInfo->maxTTL = Node->maxTTL; ipInfo->fragmentFlags = Node->fragmentFlags; if (Node->vlanID) { 
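Review bot: The `"ttl"` aggregation key is removed here rather than kept as an alias, whereas the commit keeps the old `ttl` filter keyword working by mapping it to min or max. The same removal is made for the `"ttl"` statistic in src/nfdump/nfstat.c, so existing invocations that aggregate or rank by `ttl` will presumably be rejected as unknown. The man page hunks in this commit describe only the filter and format changes; a line stating that the aggregation and statistic key is now `minttl`/`maxttl` would close that gap.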
diff --git a/src/nfpcapd/flowtree.h b/src/nfpcapd/flowtree.h index df8fbd8b..1a1382d4 100755 --- a/src/nfpcapd/flowtree.h +++ b/src/nfpcapd/flowtree.h @@ -117,9 +117,10 @@ struct FlowNode { void *pflog; void *payload; // payload uint32_t payloadSize; // Size of payload - uint8_t ttl; + uint8_t minTTL; + uint8_t maxTTL; uint8_t fragmentFlags; - uint16_t align; + uint8_t align; uint32_t mpls[10]; uint64_t srcMac; uint64_t dstMac; diff --git a/src/nfpcapd/pcaproc.c b/src/nfpcapd/pcaproc.c index 057b939b..93d8df07 100644 --- a/src/nfpcapd/pcaproc.c +++ b/src/nfpcapd/pcaproc.c @@ -425,8 +425,10 @@ static inline void ProcessTCPFlow(packetParam_t *packetParam, struct FlowNode *N Node->packets++; Node->bytes += NewNode->bytes; Node->t_last = NewNode->t_last; + if (NewNode->minTTL < Node->minTTL) Node->minTTL = NewNode->minTTL; + if (NewNode->maxTTL > Node->maxTTL) Node->maxTTL = NewNode->maxTTL; - // DEVEL RTT - disabled for now + // DEVEL RTT - disabled for now #if 0 if (NewNode->signal != SIGNAL_FIN && Node->latency.ack && ((NewNode->latency.ack - Node->latency.ack) > 0)) { uint32_t rtt = NewNode->latency.tsVal - Node->latency.tsVal; @@ -487,6 +489,8 @@ static inline void ProcessUDPFlow(packetParam_t *packetParam, struct FlowNode *N Node->packets++; Node->bytes += NewNode->bytes; Node->t_last = NewNode->t_last; + if (NewNode->minTTL < Node->minTTL) Node->minTTL = NewNode->minTTL; + if (NewNode->maxTTL > Node->maxTTL) Node->maxTTL = NewNode->maxTTL; dbg_printf("Existing UDP flow: Packets: %u, Bytes: %u\n", Node->packets, Node->bytes); if (Node->payloadSize == 0 && payloadSize > 0 && packetParam->addPayload) { 
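Review bot: The two-line min/max TTL update added to ProcessTCPFlow is repeated verbatim in ProcessUDPFlow and ProcessOtherFlow (the later pcaproc.c hunks), so any future change to the merge rule has to be made in three places. A small `static inline` helper taking `(struct FlowNode *Node, const struct FlowNode *NewNode)` and called right after the `Node->t_last = NewNode->t_last;` line would keep the three paths in step. The bodies of these functions continue outside the hunks shown.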
@@ -529,6 +533,8 @@ static inline void ProcessOtherFlow(packetParam_t *packetParam, struct FlowNode Node->packets++; Node->bytes += NewNode->bytes; Node->t_last = NewNode->t_last; + if (NewNode->minTTL < Node->minTTL) Node->minTTL = NewNode->minTTL; + if (NewNode->maxTTL > Node->maxTTL) Node->maxTTL = NewNode->maxTTL; dbg_printf("Existing flow IP proto: %u Packets: %u, Bytes: %u\n", NewNode->flowKey.proto, Node->packets, Node->bytes); if (Node->payloadSize == 0 && payloadSize > 0 && packetParam->addPayload) { @@ -861,7 +867,9 @@ int ProcessPacket(packetParam_t *packetParam, const struct pcap_pkthdr *hdr, con Node->t_first.tv_usec = hdr->ts.tv_usec; Node->t_last.tv_usec = hdr->ts.tv_usec; Node->bytes = ntohs(ip6->ip6_plen) + size_ip; - Node->ttl = ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim; + uint8_t ttl = ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim; + Node->minTTL = ttl; + Node->maxTTL = ttl; Node->fragmentFlags = 0; // keep compiler happy - gets optimized out anyway @@ -939,7 +947,8 @@ int ProcessPacket(packetParam_t *packetParam, const struct pcap_pkthdr *hdr, con Node->flowKey.src_addr.v4 = ntohl(ip->ip_src.s_addr); Node->flowKey.dst_addr.v4 = ntohl(ip->ip_dst.s_addr); } - Node->ttl = ip->ip_ttl; + Node->minTTL = ip->ip_ttl; + Node->maxTTL = ip->ip_ttl; } else { dbg_printf("ProcessPacket() Unsupported protocol version: %i\n", version); packetParam->proc_stat.unknown++; diff --git a/src/output/output_csv.c b/src/output/output_csv.c index 6c73f6e4..9825be57 100644 --- a/src/output/output_csv.c +++ b/src/output/output_csv.c @@ -216,8 +216,6 @@ static char *String_BiFlowDir(char *streamPtr, recordHandle_t *recordHandle); static char *String_FlowEndReason(char *streamPtr, recordHandle_t *recordHandle); -static char *String_ipTTL(char *streamPtr, recordHandle_t *recordHandle); - static char *String_ipminTTL(char *streamPtr, recordHandle_t *recordHandle); static char *String_ipmaxTTL(char *streamPtr, recordHandle_t *recordHandle); 
@@ -566,7 +564,6 @@ static struct format_entry_s { {"%lbl", 0, "label", String_Label}, // Flow Label // EXipInfo - {"%ttl", 0, "TTL", String_ipTTL}, // Flow ip ttl {"%minttl", 0, "minTTL", String_ipminTTL}, // Flow ip min ttl {"%maxttl", 0, "maxTTL", String_ipmaxTTL}, // Flow ip max ttl {"%frag", 0, "Frag", String_ipFrag}, // IP fragment flags @@ -1737,29 +1734,20 @@ static char *String_FlowEndReason(char *streamPtr, recordHandle_t *recordHandle) return streamPtr; } // End of String_FlowEndReason -static char *String_ipTTL(char *streamPtr, recordHandle_t *recordHandle) { - EXipInfo_t *ipInfo = (EXipInfo_t *)recordHandle->extensionList[EXipInfoID]; - uint8_t ttl = ipInfo ? ipInfo->ttl : 0; - - AddU32(ttl); - - return streamPtr; -} // End of String_ipTTL - static char *String_ipminTTL(char *streamPtr, recordHandle_t *recordHandle) { EXipInfo_t *ipInfo = (EXipInfo_t *)recordHandle->extensionList[EXipInfoID]; - uint8_t ttl = ipInfo ? ipInfo->minTTL : 0; + uint8_t minTTL = ipInfo ? ipInfo->minTTL : 0; - AddU32(ttl); + AddU32(minTTL); return streamPtr; } // End of String_ipminTTL static char *String_ipmaxTTL(char *streamPtr, recordHandle_t *recordHandle) { EXipInfo_t *ipInfo = (EXipInfo_t *)recordHandle->extensionList[EXipInfoID]; - uint8_t ttl = ipInfo ? ipInfo->maxTTL : 0; + uint8_t maxTTL = ipInfo ? ipInfo->maxTTL : 0; - AddU32(ttl); + AddU32(maxTTL); return streamPtr; } // End of String_ipminTTL diff --git a/src/output/output_fmt.c b/src/output/output_fmt.c index 514f176d..863de36d 100644 --- a/src/output/output_fmt.c +++ b/src/output/output_fmt.c 
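Review bot: `%ttl` is removed from the CSV format table and String_ipTTL is deleted here, while src/output/output_fmt.c in the same commit keeps `%ttl` and redefines it as the min/max pair, so the same format token is accepted by one output module and presumably rejected by the other. If the removal is intended it should be stated in the man page entry for `%ttl`. Separately, the closing comment of String_ipmaxTTL still reads `// End of String_ipminTTL` and should be `// End of String_ipmaxTTL`.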
@@ -588,9 +588,9 @@ static struct format_entry_s { {"%lbl", 0, " label", String_Label}, // Flow Label // EXipInfo - {"%ttl", 0, "TTL", String_ipTTL}, // Flow ip ttl - {"%minttl", 0, "minTTL", String_ipminTTL}, // Flow ip min ttl - {"%maxttl", 0, "maxTTL", String_ipmaxTTL}, // Flow ip max ttl + {"%ttl", 0, "min/maxTTL", String_ipTTL}, // Flow min/max TTL + {"%minttl", 0, "minTTL", String_ipminTTL}, // Flow ip min TTL + {"%maxttl", 0, "maxTTL", String_ipmaxTTL}, // Flow ip max TTL {"%frag", 0, "Frag", String_ipFrag}, // IP fragment flags {"%n", 0, "", String_NewLine}, // \n @@ -1969,9 +1969,10 @@ static void String_FlowEndReason(FILE *stream, recordHandle_t *recordHandle) { static void String_ipTTL(FILE *stream, recordHandle_t *recordHandle) { EXipInfo_t *ipInfo = (EXipInfo_t *)recordHandle->extensionList[EXipInfoID]; - uint8_t ttl = ipInfo ? ipInfo->ttl : 0; + EXipInfo_t nullIPinfo = {0}; + if (ipInfo == NULL) ipInfo = &nullIPinfo; - fprintf(stream, "%3u", ttl); + fprintf(stream, "%5u %5u", ipInfo->minTTL, ipInfo->maxTTL); } // End of String_ipTTL static void String_ipminTTL(FILE *stream, recordHandle_t *recordHandle) { diff --git a/src/output/output_json.c b/src/output/output_json.c index d904ff09..4572f3af 100644 --- a/src/output/output_json.c +++ b/src/output/output_json.c @@ -285,7 +285,7 @@ static char *stringEXflowMisc(char *streamPtr, recordHandle_t *recordHandle, voi static char *stringEXipInfo(char *streamPtr, void *extensionRecord) { EXipInfo_t *ipInfo = (EXipInfo_t *)extensionRecord; - if (ipInfo->ttl || ipInfo->fragmentFlags) { + if (ipInfo->fragmentFlags) { char flags[4] = "--\0"; if (ipInfo->fragmentFlags & flagDF) { flags[0] = 'D'; @@ -297,7 +297,6 @@ static char *stringEXipInfo(char *streamPtr, void *extensionRecord) { } AddElementString("ip_fragment", flags); - AddElementU32("ip_ttl", (uint32_t)ipInfo->ttl); } if (ipInfo->minTTL || ipInfo->maxTTL) { AddElementU32("ip_minttl", (uint32_t)ipInfo->minTTL); 
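Review bot: The `%ttl` column header `"min/maxTTL"` is 10 characters wide, but String_ipTTL now prints `"%5u %5u"`, which is 11, so the values will sit one character off from their header if headers are meant to match the field width, as the previous `"TTL"` / `"%3u"` pair did. Padding the header the way the neighbouring `" label"` entry does, `{"%ttl", 0, " min/maxTTL", String_ipTTL},`, would line them up.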
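Review bot: Dropping `AddElementU32("ip_ttl", ...)` removes the `ip_ttl` key from the JSON output with no alias left behind, and the same change is made in src/output/output_ndjson.c. Downstream parsers or detection rules keyed on `ip_ttl` will silently stop seeing a TTL rather than fail, so the move to `ip_minttl`/`ip_maxttl` should be called out in the release notes or man page. stringEXipInfo continues past the end of this hunk.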
diff --git a/src/output/output_ndjson.c b/src/output/output_ndjson.c index 2355a0a9..a8239be6 100644 --- a/src/output/output_ndjson.c +++ b/src/output/output_ndjson.c @@ -273,7 +273,7 @@ static char *stringEXflowMisc(char *streamPtr, recordHandle_t *recordHandle, voi static char *stringEXipInfo(char *streamPtr, void *extensionRecord) { EXipInfo_t *ipInfo = (EXipInfo_t *)extensionRecord; - if (ipInfo->ttl || ipInfo->fragmentFlags) { + if (ipInfo->fragmentFlags) { char flags[4] = "--\0"; if (ipInfo->fragmentFlags & flagDF) { flags[0] = 'D'; @@ -285,7 +285,6 @@ static char *stringEXipInfo(char *streamPtr, void *extensionRecord) { } AddElementString("ip_fragment", flags); - AddElementU32("ip_ttl", (uint32_t)ipInfo->ttl); } if (ipInfo->minTTL || ipInfo->maxTTL) { AddElementU32("ip_minttl", (uint32_t)ipInfo->minTTL); diff --git a/src/output/output_raw.c b/src/output/output_raw.c index 621ad23e..516aeaae 100644 --- a/src/output/output_raw.c +++ b/src/output/output_raw.c @@ -306,13 +306,10 @@ static void stringsEXflowMisc(FILE *stream, recordHandle_t *recordHandle, void * static void stringEXipInfo(FILE *stream, void *extensionRecord) { EXipInfo_t *ipInfo = (EXipInfo_t *)extensionRecord; - if (ipInfo->ttl || ipInfo->fragmentFlags) { + if (ipInfo->fragmentFlags) { char *DF = ipInfo->fragmentFlags & flagDF ? "DF" : " "; char *MF = ipInfo->fragmentFlags & flagMF ? "MF" : " "; - fprintf(stream, - " ip fragment = 0x%.2x %s %s\n" - " ip TTL = %5u\n", - ipInfo->fragmentFlags, DF, MF, ipInfo->ttl); + fprintf(stream, " ip fragment = 0x%.2x %s %s\n", ipInfo->fragmentFlags, DF, MF); } if (ipInfo->minTTL || ipInfo->maxTTL) { fprintf(stream, diff --git a/src/test/nfgen.c b/src/test/nfgen.c index f553b82a..b74d4aa3 100644 --- a/src/test/nfgen.c +++ b/src/test/nfgen.c 
@@ -553,7 +553,8 @@ int main(int argc, char **argv) { PushExtension(v3Record, EXipInfo, ipInfo); AssertMapRecordHandle(recordHandle, v3Record, 0); - ipInfo->ttl = 100; + ipInfo->minTTL = 40; + ipInfo->maxTTL = 255; ipInfo->fragmentFlags = flagDF; UpdateRecord(recordHandle); diff --git a/src/test/nftest.1.out b/src/test/nftest.1.out index 5ee6adac..9dfb3b16 100755 --- a/src/test/nftest.1.out +++ b/src/test/nftest.1.out @@ -1243,4 +1243,5 @@ Flow Record: egress IfID = 445566 ethertype = 0x0000 ip fragment = 0x40 DF - ip TTL = 100 + ip minTTL = 40 + ip minTTL = 255 diff --git a/src/test/nftest.2.out b/src/test/nftest.2.out index 3201ada4..6b2b68b3 100644 --- a/src/test/nftest.2.out +++ b/src/test/nftest.2.out @@ -1225,4 +1225,5 @@ Flow Record: egress IfID = 445566 ethertype = 0x0000 ip fragment = 0x40 DF - ip TTL = 100 + ip minTTL = 40 + ip minTTL = 255 diff --git a/src/test/nftest.4.out b/src/test/nftest.4.out index 3201ada4..6b2b68b3 100644 --- a/src/test/nftest.4.out +++ b/src/test/nftest.4.out @@ -1225,4 +1225,5 @@ Flow Record: egress IfID = 445566 ethertype = 0x0000 ip fragment = 0x40 DF - ip TTL = 100 + ip minTTL = 40 + ip minTTL = 255 diff --git a/src/test/nftest.c b/src/test/nftest.c index 3e7e71fa..a239a0b9 100644 --- a/src/test/nftest.c +++ b/src/test/nftest.c 
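Review bot: The second added line in nftest.1.out is labelled `ip minTTL` but carries 255, the value src/test/nfgen.c assigns to `maxTTL`, so the expected output records a mislabelled field. The label presumably comes from the format string in stringEXipInfo in src/output/output_raw.c, which lies beyond the lines shown in that hunk. It should read `ip maxTTL`, and nftest.2.out and nftest.4.out need the same correction once the format string is fixed.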
@@ -1009,11 +1009,28 @@ static void runTest(void) { // EXipInfo PushExtension(recordHeaderV3, EXipInfo, ipInfo); MapRecordHandle(recordHandle, recordHeaderV3, 1); - ipInfo->ttl = 100; + ipInfo->minTTL = 36; + ipInfo->maxTTL = 48; ipInfo->fragmentFlags = flagDF; - CheckFilter("ttl 100", recordHandle, 1); - CheckFilter("ttl > 99", recordHandle, 1); - CheckFilter("ttl 200", recordHandle, 0); + CheckFilter("min ttl 36", recordHandle, 1); + CheckFilter("min ttl > 30", recordHandle, 1); + CheckFilter("min ttl < 37", recordHandle, 1); + CheckFilter("min ttl 64", recordHandle, 0); + CheckFilter("min ttl < 30", recordHandle, 0); + // + CheckFilter("max ttl 48", recordHandle, 1); + CheckFilter("max ttl > 40", recordHandle, 1); + CheckFilter("max ttl < 50", recordHandle, 1); + CheckFilter("max ttl 64", recordHandle, 0); + CheckFilter("max ttl < 30", recordHandle, 0); + CheckFilter("max ttl 48", recordHandle, 1); + // + CheckFilter("ttl 36", recordHandle, 1); + CheckFilter("ttl 48", recordHandle, 1); + CheckFilter("ttl > 40", recordHandle, 1); + CheckFilter("ttl < 50", recordHandle, 1); + CheckFilter("ttl 64", recordHandle, 0); + CheckFilter("ttl < 30", recordHandle, 0); printf("DONE.\n"); } // End of runTest
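Review bot: `CheckFilter("max ttl 48", recordHandle, 1);` appears twice in the `max ttl` group, so the last check adds no coverage; a negative bound such as `CheckFilter("max ttl > 48", recordHandle, 0);` would mirror the min group better. The un-prefixed `ttl` cases are also exercised only with both fields set, so nothing shows how `ttl < 30` behaves for a record whose `maxTTL` is 0, which is what an exporter supplying a single TTL appears to produce. runTest starts outside this hunk.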