No.
Sessions are purged after a decent interval of inactivity (2m or 4m) or
based on globals-defines.h flags (PARM_HOST_PURGE_MINIMUM_IDLE and
PARM_SESSION_PURGE_MINIMUM_IDLE) or in 1..2 minutes if ntop doesn't see data
on both sides of the session, or immediately if the session state is set to
TIMEOUT.
(see sessions.c scanTimedoutTCPSessions() 428ff, handleSession() 505ff, and
1747ff)
However, I think the code for the TIMEOUT is wrong:

    if((theSession->sessionState == FLAG_STATE_FIN2_ACK2)
       || (tp->th_flags & TH_RST)) /* abortive release */ {
      if(theSession->sessionState == FLAG_FLAG_STATE_SYN_ACK) {
        /*
          Rcvd RST packet before to complete the 3-way handshake.
          Note that the message is emitted only of the reset is received
          while in FLAG_FLAG_STATE_SYN_ACK. In fact if it has been received in
          FLAG_STATE_SYN this message has not to be emitted because this is
          a rejected session.
        */
        if(myGlobals.enableSuspiciousPacketDump) {
          traceEvent(CONST_TRACE_WARNING, "TCP session [%s:%d]<->[%s:%d] reset by %s "
                     "without completing 3-way handshake",
                     srcHost->hostSymIpAddress, sport,
                     dstHost->hostSymIpAddress, dport,
                     srcHost->hostSymIpAddress);
          dumpSuspiciousPacket(actualDeviceId);
        }
      }
      theSession->sessionState = FLAG_STATE_TIMEOUT;
      updateUsedPorts(srcHost, dstHost, sport, dport,
                      (u_int)(theSession->bytesSent.value+theSession->bytesRcvd.value));
      if(sport == 80)
        updateHTTPVirtualHosts(theSession->virtualPeerName, srcHost,
                               theSession->bytesSent,
                               theSession->bytesRcvd);
      else
        updateHTTPVirtualHosts(theSession->virtualPeerName, dstHost,
                               theSession->bytesRcvd,
                               theSession->bytesSent);
    }

I *think* that the state setting should be above the } (i.e. if we received
the RST) not always... otherwise, every finished session -> TIMEOUT and
gets immediately purged. But it's more involved than just that... or is it?
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Dominique Lalot
Sent: Wednesday, May 28, 2003 12:38 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] sessions
Hello,
I don't understand the way the sessions are working.
On some machines, I'm able to see sessions; on some others, not.
Are the sessions tracked only for known ports?
Thanks
Dominique
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
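
Added example (not ntop source and not part of either message): a small C model of the purge rules listed in the reply, showing how setting TIMEOUT on every finished session makes it purgeable on the next scan. The state names echo the message; the enum values, the thresholds, the struct layout and the "RST only" variant are assumptions made for illustration.

```c
/* Added model, not ntop source. State names echo the message; the numeric
 * thresholds below are assumptions, not values from globals-defines.h. */
#include <stdbool.h>
#include <stdio.h>

enum state { ST_SYN, ST_SYN_ACK, ST_ACTIVE, ST_FIN2_ACK2, ST_TIMEOUT };

#define RST_BIT          0x04  /* TCP RST flag bit (TH_RST) */
#define IDLE_SECS        120   /* assumed: the "2m" idle interval */
#define ONE_SIDED_SECS   60    /* assumed: low end of "1..2 minutes" */

struct session {
  enum state state;
  long last_seen;                      /* seconds */
  unsigned long bytes_sent, bytes_rcvd;
};

/* Quoted behaviour: a finished FIN handshake or an RST both force TIMEOUT. */
void teardown_as_quoted(struct session *s, unsigned char flags) {
  if (s->state == ST_FIN2_ACK2 || (flags & RST_BIT))
    s->state = ST_TIMEOUT;
}

/* Hypothetical variant for comparison: only an RST forces TIMEOUT. */
void teardown_rst_only(struct session *s, unsigned char flags) {
  if (flags & RST_BIT)
    s->state = ST_TIMEOUT;
}

/* Purge rules as listed in the message, checked on each scan. */
bool should_purge(const struct session *s, long now) {
  long idle = now - s->last_seen;
  if (s->state == ST_TIMEOUT) return true;                /* immediately */
  if ((s->bytes_sent == 0 || s->bytes_rcvd == 0) && idle >= ONE_SIDED_SECS)
    return true;                                          /* one-sided data */
  return idle >= IDLE_SECS;                               /* plain inactivity */
}

int main(void) {
  struct session a = { ST_FIN2_ACK2, 1000, 500, 700 }, b = a;
  teardown_as_quoted(&a, 0);
  teardown_rst_only(&b, 0);
  printf("1s after close: as quoted purge=%d, rst-only purge=%d\n",
         should_purge(&a, 1001), should_purge(&b, 1001));
  return 0;
}
```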