From c3fe0ea16f85e2532e61cb9f6a87d3c520d9f365 Mon Sep 17 00:00:00 2001
From: hayzam <hayzam@difuse.io>
Date: Wed, 11 Feb 2026 15:44:26 +0530
Subject: [PATCH] analyzer: make http3/quic handling more reliable

---
 engine/udp.go | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/engine/udp.go b/engine/udp.go
index 6bea55e..6f3b6e9 100644
--- a/engine/udp.go
+++ b/engine/udp.go
@@ -131,13 +131,25 @@ func (m *udpStreamManager) MatchWithContext(streamID uint32, ipFlow gopacket.Flo
 	rev := false
 	value, ok := m.streams.Get(streamID)
 	if !ok {
-		// New stream
-		value = &udpStreamValue{
-			Stream:  m.factory.New(ipFlow, udp.TransportFlow(), udp, uc),
-			IPFlow:  ipFlow,
-			UDPFlow: udp.TransportFlow(),
+		// Fallback: conntrack IDs can change during early flow lifetime on some systems.
+		// Try to find an existing stream by 5-tuple before creating a new stream.
+		matchedKey, matchedValue, matchedRev, found := m.findByFlow(ipFlow, udp.TransportFlow())
+		if found {
+			value = matchedValue
+			rev = matchedRev
+			if matchedKey != streamID {
+				m.streams.Remove(matchedKey)
+				m.streams.Add(streamID, matchedValue)
+			}
+		} else {
+			// New stream
+			value = &udpStreamValue{
+				Stream:  m.factory.New(ipFlow, udp.TransportFlow(), udp, uc),
+				IPFlow:  ipFlow,
+				UDPFlow: udp.TransportFlow(),
+			}
+			m.streams.Add(streamID, value)
 		}
-		m.streams.Add(streamID, value)
 	} else {
 		// Stream ID exists, but is it really the same stream?
 		ok, rev = value.Match(ipFlow, udp.TransportFlow())
@@ -157,6 +169,19 @@ func (m *udpStreamManager) MatchWithContext(streamID uint32, ipFlow gopacket.Flo
 	}
 }
 
+func (m *udpStreamManager) findByFlow(ipFlow, udpFlow gopacket.Flow) (key uint32, value *udpStreamValue, rev bool, found bool) {
+	for _, k := range m.streams.Keys() {
+		v, ok := m.streams.Peek(k)
+		if !ok || v == nil {
+			continue
+		}
+		if ok2, rev2 := v.Match(ipFlow, udpFlow); ok2 {
+			return k, v, rev2, true
+		}
+	}
+	return 0, nil, false, false
+}
+
 type udpStream struct {
 	info          ruleset.StreamInfo
 	virgin        bool // true if no packets have been processed