Struct Connection 

pub struct Connection {
    pub five_tuple: FiveTuple,
    pub ts: Instant,
    pub duration: Duration,
    pub max_inactivity: Duration,
    pub time_to_second_packet: Duration,
    pub history: Vec<u8>,
    pub orig: Flow,
    pub resp: Flow,
}

A connection record.

This subscribable type returns general information regarding TCP and UDP connections but does not track payload data. If applicable, Retina internally manages stream reassembly. All connections are interpreted using flow semantics.

Fields

five_tuple: FiveTuple

The connection 5-tuple.

ts: Instant

Timestamp of the first packet.

Remarks

This represents the time Retina observed the first packet in the connection, and does not reflect timestamps read from a packet capture in offline analysis.

duration: Duration

The duration of the connection.

Remarks

This does not represent the actual duration of the connection in offline analysis. It approximates the elapsed time between the first and last observed packets in the connection.

max_inactivity: Duration

Maximum duration of inactivity (the maximum time between observed segments).

time_to_second_packet: Duration

The duration between the first and second packets.

history: Vec<u8>

Connection history.

This represents a summary of the connection history in the order the packets were observed, with letters encoded as a vector of bytes. This is a simplified version of the connection state history in Zeek, and the meaning of each letter is similar: if the event comes from the originator, the letter is uppercase; if the event comes from the responder, the letter is lowercase.

  • S: a pure SYN with only the SYN bit set (may have payload)
  • H: a pure SYNACK with only the SYN and ACK bits set (may have payload)
  • A: a pure ACK with only the ACK bit set and no payload
  • D: segment contains non-zero payload length
  • F: the segment has the FIN bit set (may have other flags and/or payload)
  • R: segment has the RST bit set (may have other flags and/or payload)

Each letter is recorded a maximum of once in either direction.
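The letter encoding above, as an added example that is not Retina's code: a stand-alone re-implementation of the documented history rules, run over a constructed sequence of TCP segments. The `Direction` and `Segment` types, the `build_history` and `history_string` functions and the `sample_connection` data are all assumptions made for this illustration; the only rules they follow are the six letters and the once-per-direction limit listed for this field. It also assumes that a single segment may contribute more than one letter (a FIN carrying payload records both F and D), which the field description permits but does not state explicitly.

```rust
// Added example, not Retina's code: re-implements the documented `history`
// letter rules over constructed segments so the encoding can be inspected.

/// Which endpoint sent the segment (assumption: Retina tracks this via the flow).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Direction {
    Originator,
    Responder,
}

/// Minimal TCP segment view: flag bits plus payload length (constructed type).
#[derive(Clone, Copy, Debug)]
pub struct Segment {
    pub dir: Direction,
    pub syn: bool,
    pub ack: bool,
    pub fin: bool,
    pub rst: bool,
    pub payload_len: usize,
}

/// Letters one segment contributes, before the once-per-direction filter.
fn letters_for(seg: &Segment) -> Vec<u8> {
    let mut out = Vec::new();
    // S: only the SYN bit set (payload allowed)
    if seg.syn && !seg.ack && !seg.fin && !seg.rst {
        out.push(b'S');
    }
    // H: only the SYN and ACK bits set (payload allowed)
    if seg.syn && seg.ack && !seg.fin && !seg.rst {
        out.push(b'H');
    }
    // A: only the ACK bit set and no payload
    if seg.ack && !seg.syn && !seg.fin && !seg.rst && seg.payload_len == 0 {
        out.push(b'A');
    }
    // D: non-zero payload length
    if seg.payload_len > 0 {
        out.push(b'D');
    }
    // F / R: the bit is set, whatever other flags or payload are present
    if seg.fin {
        out.push(b'F');
    }
    if seg.rst {
        out.push(b'R');
    }
    out
}

/// Builds the history vector: uppercase for the originator, lowercase for the
/// responder, each letter at most once per direction, in observation order.
pub fn build_history(segments: &[Segment]) -> Vec<u8> {
    let mut history: Vec<u8> = Vec::new();
    for seg in segments {
        for letter in letters_for(seg) {
            let encoded = match seg.dir {
                Direction::Originator => letter.to_ascii_uppercase(),
                Direction::Responder => letter.to_ascii_lowercase(),
            };
            if !history.contains(&encoded) {
                history.push(encoded);
            }
        }
    }
    history
}

/// Mirrors the `history(&self) -> String` accessor: the bytes are plain ASCII.
pub fn history_string(history: &[u8]) -> String {
    String::from_utf8_lossy(history).into_owned()
}

/// Constructed sample: handshake, one request, one response, a client FIN and
/// a server RST. Expected history: "ShADadFr".
pub fn sample_connection() -> Vec<Segment> {
    let seg = |dir, syn, ack, fin, rst, payload_len| Segment { dir, syn, ack, fin, rst, payload_len };
    vec![
        seg(Direction::Originator, true, false, false, false, 0),   // S
        seg(Direction::Responder, true, true, false, false, 0),     // h
        seg(Direction::Originator, false, true, false, false, 0),   // A
        seg(Direction::Originator, false, true, false, false, 120), // D (ACK with payload is not a pure ACK)
        seg(Direction::Responder, false, true, false, false, 0),    // a
        seg(Direction::Responder, false, true, false, false, 900),  // d
        seg(Direction::Originator, false, true, false, false, 0),   // second pure ACK: not recorded again
        seg(Direction::Originator, false, true, true, false, 0),    // F
        seg(Direction::Responder, false, true, false, true, 0),     // r
    ]
}

fn main() {
    let history = build_history(&sample_connection());
    println!("history = {}", history_string(&history)); // ShADadFr
}
```

Because each letter is kept only once per direction, the history is a compact fingerprint of how a connection progressed (whether the handshake completed, which side sent data, which side tore it down), not a packet count; the total_pkts and total_bytes accessors below carry the volume information.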

orig: Flow

Originator flow.

resp: Flow

Responder flow.

Implementations

impl Connection

pub fn client(&self) -> SocketAddr

Returns the client (originator) socket address.

pub fn server(&self) -> SocketAddr

Returns the server (responder) socket address.

pub fn total_pkts(&self) -> u64

Returns the total number of packets observed in the connection.

pub fn total_bytes(&self) -> u64

Returns the total number of payload bytes observed, excluding those from malformed packets.

pub fn history(&self) -> String

Returns the connection history.

Trait Implementations

impl Debug for Connection

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for Connection

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Serialize for Connection

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: Serializer,

Serialize this value into the given Serde serializer.

impl Subscribable for Connection

type Tracked = TrackedConnection

fn level() -> Level

Returns the subscription level.

fn parsers() -> Vec<ConnParser>

Returns a list of protocol parsers required to parse the subscribable type.

fn process_packet(
    mbuf: Mbuf,
    subscription: &Subscription<'_, Self>,
    conn_tracker: &mut ConnTracker<Self::Tracked>,
)

Process a single incoming packet.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<T> Same for T

type Output = T

Should always be Self.

impl<T> ToString for T
where T: Display + ?Sized,

fn to_string(&self) -> String

Converts the given value to a String.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.