static struct tcp_stream *mapi_find_stream(struct tcphdr * this_tcphdr, struct ip * this_iphdr, int *from_client) { struct tuple4 this_addr, reversed; struct tcp_stream *a_tcp; this_addr.source = ntohs(this_tcphdr->source); this_addr.dest = ntohs(this_tcphdr->dest); this_addr.saddr = this_iphdr->ip_src.s_addr; this_addr.daddr = this_iphdr->ip_dst.s_addr; a_tcp = nids_find_tcp_stream(&this_addr); if (a_tcp) { *from_client = 1; return a_tcp; } reversed.source = ntohs(this_tcphdr->dest); reversed.dest = ntohs(this_tcphdr->source); reversed.saddr = this_iphdr->ip_dst.s_addr; reversed.daddr = this_iphdr->ip_src.s_addr; a_tcp = nids_find_tcp_stream(&reversed); if (a_tcp) { *from_client = 0; return a_tcp; } return 0; }
static void sessions_del(struct session *elt) { struct tcp_stream *tcp; if (NULL == elt) return; --sessions_count; if ((bonus_time || verbose) && (!elt->parent_id || verbose > 1)) printf("Session #%d (%s) closed at %s (active sessions total: %d)\n", elt->parent_id ? elt->parent_id : elt->id, type2string(elt->type, 1), timestamp_to_string(&nids_last_pcap_header->ts), sessions_count); if (NULL != elt->next) elt->next->prev = elt->prev; if (NULL != elt->prev) elt->prev->next = elt->next; else first_session = elt->next; /* * If this is a TCP connection, tell libnids we do not * want to be notified of new data in this connection. * * We must not do it when the stream is already in a * closing state (NIDS_CLOSE, NIDS_TIMED_OUT, NIDS_RESET * or NIDS_EXITING) because nids_free_tcp_stream() would * then be called twice, resulting in a crash. */ if ((elt->type & TYPE_TCP) && (NULL != (tcp = nids_find_tcp_stream(&elt->addr))) && (NIDS_DATA == tcp->nids_state)) nids_free_tcp_stream(tcp); # ifdef HAVE_LIBOSIPPARSER2 /* * If this is a SIP session, finally free the memory * allocated for the call ID (couldn't be done before) */ if (elt->type & TYPE_SIP) if (NULL != elt->u.sip_params.call_id) osip_call_id_free(elt->u.sip_params.call_id); # endif dumper_close(elt->dumper); free(elt); }