Actions
Feature #1870
closedmake logged flow_id more unique
Effort:
Difficulty:
Label:
Description
Currently we use the flow_hash, which is better than what we had before, but still not very unique.
Was thinking about something like:
diff --git a/src/output-json.c b/src/output-json.c index 3293509..ced2195 100644 --- a/src/output-json.c +++ b/src/output-json.c @@ -119,7 +119,10 @@ void CreateJSONFlowId(json_t *js, const Flow *f) { if (f == NULL) return; - json_object_set_new(js, "flow_id", json_integer(f->flow_hash)); + + int64_t flow_id = (int64_t)f->flow_hash << 31 | (int64_t)(f->startts.tv_sec & 0x0000FFFF) << 16 | f->thread_id; + + json_object_set_new(js, "flow_id", json_integer(flow_id)); } json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,
In a test pcap with about 110k flows, this seems to give a perfect result. Each flow has a unique id.
Updated by Victor Julien over 8 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1.2
Updated by Victor Julien over 8 years ago
Reduced to 51 bits. ELK/evebox couldn't handle the higher values. Looks like a Javascript and perhaps also JSON limitation: https://github.com/inliniac/suricata/pull/2214
Actions