Merge pull request #335 from avast/stream-syn

Fix detection of a new TCP flow
2026-01-22 18:25:57 +01:00 · 2019-03-20 10:55:44 -07:00
parent 0573808aeb 62a803c55c
commit 86b505f998
1 changed files with 2 additions and 1 deletions
--- a/src/tcp_ip/stream_follower.cpp
+++ b/src/tcp_ip/stream_follower.cpp
@@ -84,7 +84,8 @@ void StreamFollower::process_packet(PDU& packet, const timestamp_type& ts) {
    if (iter == streams_.end()) {
        // Start tracking if they're either SYNs or they contain data (attach
        // to an already running flow).
-        const bool is_syn = tcp->has_flags(TCP::SYN);
+        // Start on client's SYN, not on server's SYN+ACK
+        const bool is_syn = tcp->has_flags(TCP::SYN) && !tcp->has_flags(TCP::ACK);
        if (is_syn || (attach_to_flows_ && tcp->find_pdu<RawPDU>() != 0)) {
            iter = streams_.insert(make_pair(identifier, Stream(packet, ts))).first;
            iter->second.setup_flows_callbacks();