So, I am trying to figure out how I can tap in and find out information
about the active sessions. It looks like I can check the rules I
generate against the active sessions. Perhaps if I create another thread
and have a timer that fires off every second. Then check the rules
against the connections. That's a O(n^2), but it will work for now.

Just sharing my observations below.

It looks like each session is identified by the combination of the
following.

  idx = computeIdx(&srcHost->hostIpAddress, &dstHost->hostIpAddress,
                   sport, dport) % MAX_TOT_NUM_SESSIONS

The data about a session is stored in a struct IPSession.

And, it looks like a session has a time attribute. 

 time_t firstSeen

Now, to figure out what happens when the session is closed by the
client. It looks like there is a sessionState variable, which is the
following. 

  /*
   * TCP Session State Transition
   *
   * Flags for sessionState in typedef struct ipSession {}
   */
  #define FLAG_STATE_SYN                      0
  #define FLAG_STATE_SYN_ACK                  1
  #define FLAG_STATE_ACK                      2
  #define FLAG_STATE_ACTIVE                   FLAG_STATE_ACK
  #define FLAG_STATE_BEGIN                    FLAG_STATE_ACTIVE
  #define FLAG_STATE_FIN1_ACK0                3
  #define FLAG_STATE_FIN1_ACK1                4
  #define FLAG_STATE_FIN2_ACK0                5
  #define FLAG_STATE_FIN2_ACK1                6
  #define FLAG_STATE_FIN2_ACK2                7
  #define FLAG_STATE_TIMEOUT                  8
  #define FLAG_STATE_END                      9

brian
-- 
Brian Lavender
http://www.brie.com/brian/

"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."

Professor C. A. R. Hoare
The 1980 Turing award lecture
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
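An added example (not code from ntop or from the poster) of the periodic rule sweep sketched in the post above: one timer tick walks every active session and checks it against every rule, skipping sessions that have left the ACTIVE state. The Session and Rule structs, sweepSessions, and the "active" range test are hypothetical stand-ins for ntop's IPSession and the poster's own rules.

```c
/* Added example (not ntop's code): one timer tick of the rule sweep
 * sketched above. Session and Rule are hypothetical stand-ins for
 * ntop's IPSession and the poster's own rules. */
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* sessionState values quoted in the post */
#define FLAG_STATE_ACK        2
#define FLAG_STATE_ACTIVE     FLAG_STATE_ACK
#define FLAG_STATE_FIN1_ACK0  3

typedef struct {              /* stand-in for ntop's IPSession */
    unsigned short sport, dport;
    int sessionState;
    time_t firstSeen;
} Session;

typedef struct {              /* flag sessions to dport older than maxAge */
    unsigned short dport;     /* 0 matches any port */
    long maxAgeSeconds;
} Rule;

/* Assumption: "active" = handshake completed, FIN sequence not begun. */
static int sessionIsActive(int state) {
    return state >= FLAG_STATE_ACTIVE && state < FLAG_STATE_FIN1_ACK0;
}

/* One tick: every rule against every session (the O(n*m) walk above).
 * Returns how many active sessions match at least one rule at time now. */
int sweepSessions(const Session *s, size_t n, const Rule *r, size_t m, time_t now) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!sessionIsActive(s[i].sessionState)) continue;
        for (size_t j = 0; j < m; j++) {
            if (r[j].dport && r[j].dport != s[i].dport) continue;
            if (now - s[i].firstSeen > r[j].maxAgeSeconds) { hits++; break; }
        }
    }
    return hits;
}

int main(void) {   /* constructed sample: sweep at t=1100 */
    Session s[] = { {40000, 22, FLAG_STATE_ACK, 1000},        /* ssh, 100 s old  */
                    {40001, 80, FLAG_STATE_ACK, 1090},        /* http, 10 s old  */
                    {40002, 22, FLAG_STATE_FIN1_ACK0, 900} }; /* closing, skipped */
    Rule r[] = { {22, 60}, {0, 3600} };
    printf("%d session(s) flagged\n", sweepSessions(s, 3, r, 2, 1100));
    return 0;
}
```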