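SaveConversation saves TCP / UDP conversations to disk. It also invokes the harvesters on the conversation banner. The harvesters (and the discovery extractors, when a DeviceEnricher is set) run before the SaveConns check, so they execute even when saving conversations to disk is disabled. The communityID parameter is the Corelight Community ID v1 for the connection, calculated once at the stream level and passed through to harvesters.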
(proto string, conversation core.DataFragments, ident string, firstPacket time.Time, transport gopacket.Flow, communityID string)
| 68 | // The communityID parameter is the Corelight Community ID v1 for the connection, |
| 69 | // calculated once at the stream level and passed through to harvesters. |
| 70 | func SaveConversation(proto string, conversation core.DataFragments, ident string, firstPacket time.Time, transport gopacket.Flow, communityID string) error { |
| 71 | // prevent processing zero bytes |
| 72 | if len(conversation) == 0 || conversation.Size() == 0 { |
| 73 | return nil |
| 74 | } |
| 75 | |
| 76 | // fmt.Println("saving conv", conversation.size(), ident) |
| 77 | |
| 78 | banner := createBannerFromConversation(conversation) |
| 79 | secret.RunHarvesters(banner, transport, ident, firstPacket, communityID) |
| 80 | |
| 81 | // Run network discovery extractors and enrich device profiles |
| 82 | if DeviceEnricher != nil { |
| 83 | srcIP := conversation.SourceIP() |
| 84 | if srcIP != "" { |
| 85 | for _, r := range discovery.RunDiscovery(banner, transport, ident, firstPacket, srcIP) { |
| 86 | DeviceEnricher(r.SourceIP, r.Hostnames, r.DeviceTypes, r.Roles, r.OS) |
| 87 | } |
| 88 | } |
| 89 | } |
| 90 | |
| 91 | if !decoderconfig.Instance.SaveConns { |
| 92 | return nil |
| 93 | } |
| 94 | |
| 95 | var ( |
| 96 | typ = getServiceName(banner, transport, proto) |
| 97 | |
| 98 | // path for storing the data |
| 99 | root = filepath.Join(decoderconfig.Instance.Out, strings.ToLower(proto), typ) |
| 100 | |
| 101 | // file basename |
| 102 | base = filepath.Clean(path.Base(utils.CleanIdent(ident))) + binaryFileExtension |
| 103 | ) |
| 104 | |
| 105 | // make sure root path exists |
| 106 | err := os.MkdirAll(root, defaults.DirectoryPermission) |
| 107 | if err != nil { |
| 108 | reassemblyLog.Warn("failed to create directory", |
| 109 | zap.String("path", root), |
| 110 | zap.Int("perm", defaults.DirectoryPermission), |
| 111 | ) |
| 112 | } |
| 113 | |
| 114 | base = path.Join(root, base) |
| 115 | |
| 116 | reassemblyLog.Info("saveConversation", zap.String("base", base)) |
| 117 | |
| 118 | Stats.Lock() |
| 119 | switch proto { |
| 120 | case protoTCP: |
| 121 | Stats.SavedTCPConnections++ |
| 122 | case protoUDP: |
| 123 | Stats.SavedUDPConnections++ |
| 124 | } |
| 125 | Stats.Unlock() |
| 126 | |
| 127 | retry: |
nothing calls this directly
no test coverage detected