+- FEATURE: Add comprehensive metrics for capture and TLS parser monitoring
+- Capture metrics: packets_received, packets_sent, packets_dropped (atomic counters)
+- Parser metrics: retransmit_count, gap_detected_count, buffer_exceeded_count, segment_exceeded_count
+- New GetStats() method on Capture interface for capture statistics
+- New GetMetrics() method on Parser interface for parser statistics
+- Add DefaultMaxHelloSegments constant (100) to prevent memory leaks from fragmented handshakes
+- Add Segments field to ConnectionFlow for per-flow segment tracking
+- Increase DefaultMaxTrackedFlows from 50000 to 100000 for high-traffic scenarios
+- Improve TCP reassembly: better handling of retransmissions and sequence gaps
+- Memory leak prevention: limit segments per flow and buffer size
+- Aggressive flow cleanup: clean up JA4_DONE flows when approaching flow limit
+- Lock ordering fix: release flow.mu before acquiring p.mu to avoid deadlocks
+- Exclude IPv6 link-local addresses (fe80::) from local IP detection
+- Improve error logging with detailed connection and TLS extension information
+- Add capture diagnostics logging (interface, link_type, local_ips, bpf_filter)
+- Fix false positive retransmission counter when SYN packet is missed
+- Fix gap handling: reset sequence tracking instead of dropping flow
+- Fix extractTLSExtensions: return error details with basic TLS info for debugging
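Review bot: The memory-bound entries give a value for only one of the limits: DefaultMaxHelloSegments is stated as 100, but "limit segments per flow and buffer size" does not say what the buffer limit behind buffer_exceeded_count is, and "when approaching flow limit" gives no threshold. With DefaultMaxTrackedFlows doubled to 100000 in the same entry, please state both values so operators can estimate worst-case memory. Also consider writing the link-local exclusion as fe80::/10 rather than "fe80::", which reads as a single address.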
- Change net.DialTimeout from "unix" to "unixgram"
- Fixes "protocol wrong type for socket" error
- DGRAM sockets are connectionless, better suited for log shipping
- Update test to use net.ListenUnixgram instead of net.Listen
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add FileWriterOption type and WithFileErrorCallback option
- Add reportError method to FileWriter for error reporting
- Update Builder to propagate error callback to file writers
- File write errors now logged via the same callback mechanism
- Helps diagnose permission or disk space issues
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- config.yml.example: Unix socket enabled by default, stdout commented out
- internal/output/writers.go: Remove all internal logging from UnixSocketWriter
  and FileWriter - only LogRecord JSON data is sent to outputs
- architecture.yml: Update description to mention 'socket UNIX par défaut'
- packaging/rpm/ja4sentinel.spec: Bump version to 1.1.1, update changelog

Diagnostic logs (error, debug, warning) now only go to stdout when enabled.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add Reopenable interface in api/types.go for log rotation support
- Add FileWriter.Reopen() method to reopen log files after rotation
- Add MultiWriter.Reopen() method to propagate rotation to all writers
- Update main.go to handle SIGHUP signal for systemctl reload
- Add logrotate configuration file (packaging/logrotate/ja4sentinel)
- Update systemd service with ExecReload for graceful rotation
- Update architecture.yml with logrotate documentation
- Update RPM spec and Dockerfile.package to include logrotate files
- Bump version to 1.1.0
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
New features:
- Extract SNI (Server Name Indication) from TLS ClientHello
- Extract ALPN (Application-Layer Protocol Negotiation) protocols
- Detect TLS version from ClientHello using tlsfingerprint library
- Add ConnID field for TCP flow correlation
- Add SensorID field for multi-sensor deployments
- Add SynToCHMs timing field for behavioral detection
- Add AsyncBuffer configuration for output queue sizing

Architecture changes:
- Remove JA4Hash from LogRecord (JA4 format includes its own hash portions)
- Update api.TLSClientHello with new TLS metadata fields
- Update api.LogRecord with correlation, TLS, and timing fields
- Ensure 100% compliance with architecture.yml specification

Tests:
- Add unit tests for TLS extension extraction (SNI, ALPN, Version)
- Update tests for new LogRecord schema without JA4Hash
- Add tests for AsyncBuffer configuration

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>