nfstream
nfstream copied to clipboard
Published
20 hours ago •
nfstream
nfstream
Flow direction may change after being expired by the active timeout
-
Flow direction: The direction of a flow is determined by the first received packet. In case of TCP flow expiration by the active timeout, the next flow may not preserve the correct direction when the first packet is coming from the destination host (a packet with ACK flag from).
-
TCP flows: TCP flow might be initiated after capturing SYN packets and their acknowledgment from both directions. This can be applied to flow termination as well using FIN packets and their ACK packets.
The TCP flow expiration based on the FIN packet might be implemented using NFPlugin as follows:
class FlowTCPTermination(NFPlugin):
"""
This pluguin close TCP connection between two hosts based on two bidirection FIN packets
Attributes
----------
This pluguin has no flow attribute and use direction_first_fin to
store the direction that initiate the flow termination
"""
def on_init(self, packet, flow):
self.direction_first_fin = -1 # variable that stores direction of first FIN packet
def on_update(self, packet, flow):
if flow.protocol==6:
if packet.fin == 1 and self.direction_first_fin == -1: # stroe direction of fisrt FIN of the flow
self.direction_first_fin = packet.direction
if packet.rst == 1:
flow.expiration_id = -1
elif (flow.src2dst_fin_packets != 0) and (flow.dst2src_fin_packets != 0) and (packet.ack == 1) and (self.direction_first_fin == packet.direction): # IF flow contains FIN packets in both directions
# and recieve ACK from the host that sent first FIN
# close TCP connection
flow.expiration_id = -1
else:
pass
else:
pass
@AbdelkaderMH Thanks. Are you interested in providing us with a PR for the FlowTCPTermination Plugin and its tests?
Zied
