feat(flow): add ICMP echo flow extraction and correlation #27
Merged
Implement stateful ICMP flow tracking in the conversation extraction engine:

- New IcmpFlowState struct tracking echo request/reply pairs via identifier
  - Tracks icmp_type, icmp_code, identifier, request_count, reply_count, last_seq
  - Supports both ICMP and ICMPv6 (types 8/0, 128/129)
  - Non-echo ICMP types (error messages) tracked via (type, code) as port substitute
- Update flow key extraction (key.rs):
  - Echo packets use identifier symmetrically (id, id) to ensure bidirectional canonicalization
  - Guarantees request and reply hash to same flow key regardless of direction
- Extended ProtocolState enum with Icmp and Icmpv6 variants
- Added ICMP packet processing to ConversationTable.ingest_packet()
- Python API: new Conversation properties for ICMP fields (icmp_type, icmp_code, icmp_identifier, icmp_request_count, icmp_reply_count, icmp_last_seq)

All properties return None for non-ICMP flows for clean Python API.

Tests: 5 new ICMP-specific tests + all existing 19 flow tests pass

- Echo request/reply correlation
- Multiple sequences in same flow
- Different identifiers create separate flows
- Non-echo ICMP tracking
- Python getters return None for non-ICMP
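The key canonicalization and per-flow state described in this PR, as an added self-contained Rust illustration (not code from the PR or the project): echo packets place the identifier in both port slots so request and reply collapse to one key whichever direction arrives first, non-echo types use (type, code) as the port substitute, and a small table counts requests and replies per flow. The names `FlowKey`, `IcmpHeader`, `icmp_flow_key` and `ingest`, and the flat `IcmpHeader` input type, are assumptions of this sketch rather than the project's API.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
pub const PROTO_ICMP: u8 = 1; // IPv4 protocol number for ICMP
pub const PROTO_ICMPV6: u8 = 58; // IPv6 next-header value for ICMPv6

/// Canonical bidirectional flow key: the lower (addr, port) pair is always side A.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct FlowKey {
    pub proto: u8, pub addr_a: IpAddr, pub port_a: u16, pub addr_b: IpAddr, pub port_b: u16,
}
/// Parsed ICMP header fields (hypothetical input type, not the project's own parser).
pub struct IcmpHeader { pub icmp_type: u8, pub icmp_code: u8, pub identifier: u16, pub seq: u16 }

/// Echo request/reply are ICMP types 8/0 and ICMPv6 types 128/129.
pub fn is_echo(proto: u8, t: u8) -> bool {
    matches!((proto, t), (PROTO_ICMP, 8) | (PROTO_ICMP, 0) | (PROTO_ICMPV6, 128) | (PROTO_ICMPV6, 129))
}

/// Echo packets put the identifier in both port slots, so request and reply collapse
/// to one key whichever direction is seen first; other ICMP types use (type, code).
pub fn icmp_flow_key(proto: u8, src: IpAddr, dst: IpAddr, h: &IcmpHeader) -> FlowKey {
    let (ps, pd) = if is_echo(proto, h.icmp_type) { (h.identifier, h.identifier) }
                   else { (u16::from(h.icmp_type), u16::from(h.icmp_code)) };
    // Order the two (addr, port) sides so direction does not change the key.
    if (src, ps) <= (dst, pd) {
        FlowKey { proto, addr_a: src, port_a: ps, addr_b: dst, port_b: pd }
    } else {
        FlowKey { proto, addr_a: dst, port_a: pd, addr_b: src, port_b: ps }
    }
}
/// Per-flow ICMP state: request/reply counters plus the last sequence number seen.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct IcmpFlowState {
    pub icmp_type: u8, pub icmp_code: u8, pub identifier: u16,
    pub request_count: u32, pub reply_count: u32, pub last_seq: u16,
}

/// Ingest one ICMP packet into the table under its canonical key; returns that key.
pub fn ingest(table: &mut HashMap<FlowKey, IcmpFlowState>, proto: u8, src: IpAddr, dst: IpAddr, h: &IcmpHeader) -> FlowKey {
    let key = icmp_flow_key(proto, src, dst, h);
    let st = table.entry(key).or_insert_with(|| IcmpFlowState {
        icmp_type: h.icmp_type, icmp_code: h.icmp_code, identifier: h.identifier, ..Default::default()
    });
    match (proto, h.icmp_type) {
        (PROTO_ICMP, 8) | (PROTO_ICMPV6, 128) => st.request_count += 1, // echo request
        (PROTO_ICMP, 0) | (PROTO_ICMPV6, 129) => st.reply_count += 1,   // echo reply
        _ => {} // error messages: keyed only, no echo counters
    }
    st.last_seq = h.seq;
    key
}
```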