Struct retina_datatypes::connection::ConnRecord

pub struct ConnRecord {
    pub five_tuple: FiveTuple,
    pub first_seen_ts: Instant,
    pub second_seen_ts: Instant,
    pub last_seen_ts: Instant,
    pub max_inactivity: Duration,
    pub history: Vec<u8>,
    pub orig: Flow,
    pub resp: Flow,
}

Tracks a connection record throughout its lifetime.

Note

Internal connection state is an associated type of a pub trait, and therefore must also be public. Documentation is hidden by default to avoid confusing users.

Fields

five_tuple: FiveTuple

The connection 5-tuple.

first_seen_ts: Instant

Timestamp of the first packet.

Remarks

This represents the time Retina observed the first packet in the connection, and does not reflect timestamps read from a packet capture in offline analysis.

second_seen_ts: Instant

Timestamp of the second packet (approximate).

last_seen_ts: Instant

Timestamp of the last packet (approximate).

max_inactivity: Duration

Maximum duration of inactivity (the maximum time between observed segments).

history: Vec<u8>

This represents a summary of the connection history in the order the packets were observed, with letters encoded as a vector of bytes. This is a simplified version of state history in Zeek, and the meanings of each letter are similar: If the event comes from the originator, the letter is uppercase; if the event comes from the responder, the letter is lowercase.

• S: a pure SYN with only the SYN bit set (may have payload)
• H: a pure SYNACK with only the SYN and ACK bits set (may have payload)
• A: a pure ACK with only the ACK bit set and no payload
• D: segment contains non-zero payload length
• F: the segment has the FIN bit set (may have other flags and/or payload)
• R: segment has the RST bit set (may have other flags and/or payload)

Each letter is recorded a maximum of once in either direction.

orig: Flow

Originator flow.

resp: Flow

Responder flow.

Implementations

impl ConnRecord

pub fn client(&self) -> SocketAddr

Returns the client (originator) socket address.

pub fn server(&self) -> SocketAddr

Returns the server (responder) socket address.

pub fn total_pkts(&self) -> u64

Returns the total number of packets observed in the connection.

pub fn total_bytes(&self) -> u64

Returns the total number of payload bytes observed, excluding those from malformed packets.

pub fn history(&self) -> String

Returns the connection history.

pub fn duration(&self) -> Duration

Returns te duration of the connection.

Remarks

This does not represent the actual duration of the connection in offline analysis. It approximates the elapsed time between observation of the first and last observed packet in the connection.

pub fn time_to_second_packet(&self) -> Duration

The duration (approximate) between the first and second packets.

Trait Implementations

impl Debug for ConnRecord

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for ConnRecord

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Serialize for ConnRecord

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>

where S: Serializer,

Serialize this value into the given Serde serializer.

impl Tracked for ConnRecord

fn new(first_pkt: &L4Pdu) -> Self

Initialize internal data; called once per connection. Note first_pkt will also be delivered to update.

fn clear(&mut self)

Clear internal data; called if connection no longer matches filter that requires the Tracked type.

fn update(&mut self, pdu: &L4Pdu, reassembled: bool)

New packet in connection received (or reassembled, if reassembled=true) Note this may be invoked both pre- and post-reassembly; types should check reassembled to avoid double-counting.

fn stream_protocols() -> Vec<&'static str>

The stream protocols (lower-case) required for this datatype. See IMPLEMENTED_PROTOCOLS in retina_core for list of supported protocols.