Support for connection (TCP, UDP, or ICMP) analysis.
Adds a framework for registering “connection removal hooks”. All registered hooks for a given connection get run within the
connection_state_removeevent for that connection. This functionality is useful from a performance/scaling concern: if every new protocol-analysis script uses
connection_state_removeto implement its finalization/cleanup logic, then all connections take the performance hit of dispatching that event, even if they aren’t related to that specific protocol.
This script manages the tracking/logging of general information regarding TCP, UDP, and ICMP traffic. For UDP and ICMP, “connections” are to be interpreted using flow semantics (sequence of packets from a source host/port to a destination host/port). Further, ICMP “ports” are to be interpreted as the source port meaning the ICMP message type and the destination port being the ICMP message code.
This script can be used to extract either the originator’s data or the responders data or both. By default nothing is extracted, and in order to actually extract data the
c$extract_respvariable must be set to
T. One way to achieve this would be to handle the
connection_establishedevent elsewhere and set the
extract_respoptions there. However, there may be trouble with the timing due to event queue delay.
This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.
Adjust the inactivity timeouts for interactive services which could very possibly have long delays between packets.
Implements a generic way to poll connections looking for certain features (e.g. monitor bytes transferred). The specific feature of a connection to look for, the polling interval, and the code to execute if the feature is found are all controlled by user-defined callback functions.
Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.