output-json-flow: display bypass method

In the case of a bypassed flow we add a 'bypass' key that can be 'local' or 'capture'. This will allow the user to know if capture bypass method is failing by looking at the 'bypass' key.
OISF · Sep 28, 2016 · 3ca663d · 3ca663d
1 parent e6bac99
commit 3ca663d
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
@@ -219,8 +219,24 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
         state = "established";
     else if (f->flow_end_flags & FLOW_END_FLAG_STATE_CLOSED)
         state = "closed";
-    else if (f->flow_end_flags & FLOW_END_FLAG_STATE_BYPASSED)
+    else if (f->flow_end_flags & FLOW_END_FLAG_STATE_BYPASSED) {
         state = "bypassed";
+        int flow_state = SC_ATOMIC_GET(f->flow_state);
+        switch (flow_state) {
+            case FLOW_STATE_LOCAL_BYPASSED:
+                json_object_set_new(hjs, "bypass",
+                        json_string("local"));
+                break;
+            case FLOW_STATE_CAPTURE_BYPASSED:
+                json_object_set_new(hjs, "bypass",
+                        json_string("capture"));
+                break;
+            default:
+                SCLogError(SC_ERR_INVALID_VALUE,
+                           "Invalid flow state: %d, contact developers",
+                           flow_state);
+        }
+    }
 
     json_object_set_new(hjs, "state",
             json_string(state));