ntopng
ntopng copied to clipboard
ntop
Implement Flow Connection State
Implement flow connection state as specified in https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html
Possible conn_state values:
S0: Connection attempt seen, no reply. S1: Connection established, not terminated. SF: Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be. REJ: Connection attempt rejected. S2: Connection established and close attempt by originator seen (but no reply from responder). S3: Connection established and close attempt by responder seen (but no reply from originator). RSTO: Connection established, originator aborted (sent a RST). RSTR: Responder sent a RST. RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder. RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator. SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was “half” open). SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator. OTH: No SYN seen, just midstream traffic (one example of this is a “partial connection” that was not later closed).
This state needs to be displayed in the flow page, added to ClickHouse (and enhanced search filters), as well exported in flows (e.g. to Kafka) and collected from nProbe via ZMQ.
Proposal:
Create an enum in the Flow class like the following:
Enum ConnectionState { NO_STATE, S0, S1, … }
In the Flow::updateTcpFlags method, a method named 'calculateConnectionState' will use the src2dst_tcp_flags, dst2src_tcp_flags Flow variables. The 'calculateConnectionState' method will select one of the states mentioned before by checking the current TCP flags in the src2dst_tcp_flags and dst2src_tcp_flags with the following logic:
S0: Only SYN in src2dst_tcp_flags; no flags in dst2src_tcp_flags S1: 3whs ok and no FIN in src2dst_tcp_flags and no RST src2dst_tcp_flags SF: 3whs and FIN src2dst_tcp_flags and FIN src2dst_tcp_flags REJ: SYN in src2dst_tcp_flags and RST in dst2src_tcp_flags S2: Was S1 and FIN in src2dst_tcp_flags and no FIN in dst2src_tcp_flags S3: Was S1 and FIN in dst2src_tcp_flags and no FIN in src2dst_tcp_flags RSTO: Was S1 and RST in src2dst_tcp_flags RTSR: RST in dst2src_tcp_flags RSTOS0: SYN and RST in src2dst_tcp_flags; no SYN+ACK in dst2src_tcp_flags RSTRH: SYN+ACK and RST in dst2src_tcp_flags; no SYN in src2dst_tcp_flags SH: SYN and FIN in src2dst_tcp_flags; no SYN+ACK in dst2src_tcp_flags SHR: SYN+ACK and FIN in dst2src_tcp_flags; no SYN in src2dst_tcp_flags OTH: NO SYN in src2dst_tcp_flags and NO SYN in dst2src_tcp_flags
After the selection of the connection state, the 'select_connection_state' method will update the new variable of the Flow class ConnectionState currentConnectionState.
The described states must be divided into major groups:
- Connection Attempted (Attempted) [S0, REJ, RSTOS0, RSTRH, SH, SHR, OTH]
- Connection Established (Established) [S1]
- Connection Closed (Closed) [SF, S2, S3, RSTO, RSTR]
To handle the major states, we could use a new Enum and a new Flow variable and handle them in the same way as the currentConnectionState.
