From 62a803c55c89c0180eb688d97e22dea3d171ec71 Mon Sep 17 00:00:00 2001
From: Martin Beran
Date: Mon, 18 Mar 2019 13:44:51 +0100
Subject: [PATCH] fix detection of a new TCP stream
---
 src/tcp_ip/stream_follower.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tcp_ip/stream_follower.cpp b/src/tcp_ip/stream_follower.cpp
index 8165f1c..a37ebf2 100644
--- a/src/tcp_ip/stream_follower.cpp
+++ b/src/tcp_ip/stream_follower.cpp
@@ -84,7 +84,8 @@ void StreamFollower::process_packet(PDU& packet, const timestamp_type& ts) {
 if (iter == streams_.end()) {
 // Start tracking if they're either SYNs or they contain data (attach
 // to an already running flow).
- const bool is_syn = tcp->has_flags(TCP::SYN);
+ // Start on client's SYN, not on server's SYN+ACK
+ const bool is_syn = tcp->has_flags(TCP::SYN) && !tcp->has_flags(TCP::ACK);
 if (is_syn || (attach_to_flows_ && tcp->find_pdu() != 0)) {
 iter = streams_.insert(make_pair(identifier, Stream(packet, ts))).first;
 iter->second.setup_flows_callbacks();
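Review bot: The new `is_syn` test excludes only ACK, so a segment with SYN set together with RST or FIN still passes as a client SYN and inserts a `Stream` into `streams_`. For a follower fed from untrusted traffic, that lets malformed flag combinations allocate tracking state. If that is not intended, mask the control bits instead, e.g. `const bool is_syn = (tcp->flags() & (TCP::SYN | TCP::ACK | TCP::RST | TCP::FIN)) == TCP::SYN;`, assuming `flags()` returns the raw flag bits; a mask rather than exact equality leaves ECN-setup SYNs accepted. Separately, with `attach_to_flows_` off, a connection whose initial SYN was not captured is no longer tracked at all, which the new comment should state. `process_packet` starts and ends outside this hunk, so the handling of later packets for such a connection is not visible here.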