[Zeek] tcp partial connections

Jon Siwek jsiwek at corelight.com
Tue Dec 3 10:40:01 PST 2019


On Tue, Dec 3, 2019 at 2:14 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:

> As I would like to get a better understanding of what is going on, I examined a single tcp+http connection in more detail. Zeek starts processing it correctly at first, there is the tcp handshake and the first GET/POST are logged correctly. Then Zeek stops processing the http traffic. By debugging, I noticed that in the middle of the conn, zeek calls again the ctor of the tcp analyzer and as a consequence resets "is_partial" and other variables. Again from debugging it seems this happens because the timer TCPConnectionExpireTimer is dispatched at a certain point.
>
> Is this what you would expect in the middle of a conn? It doesn't seem to me that there is a long inactivity on this conn.

Hard to say without looking directly at a pcap which reproduces the
behavior, but yes, there do exist various inactivity timers you might
expect/suspect to interfere or cause things like that to happen.  You
might look more closely at TCP_Analyzer::ExpireTimer() to find which
condition is being met and see if it makes sense for the particular
connection(s).  You'll also find out from that whether there are
particular timeout interval options to try tuning for your use-case.
E.g. the relevant ones look like they're 5-6 seconds by default:
"tcp_SYN_timeout", "tcp_session_timer", and "tcp_connection_linger".

- Jon
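As an added illustration (not part of the thread above, and not Zeek's own code) of how the timer options Jon names can be tuned and how a timer-driven expiry can be observed from script-land: the script below redefines the three timeouts and logs both connections Zeek classifies as partial and connections it expires. The raised values are assumptions for illustration; the right numbers depend on the traffic being examined.

```zeek
# Added example, not from the mailing list. Raise the short TCP timers that
# the reply names so that a quiet-but-live session is not expired early.
# The values below are illustrative assumptions, not recommended defaults.
redef tcp_SYN_timeout = 15 sec;
redef tcp_session_timer = 20 sec;
redef tcp_connection_linger = 15 sec;

# Fired when Zeek sees an active TCP connection whose handshake it missed,
# i.e. the case where the analyzer marks the connection as partial.
event partial_connection(c: connection)
    {
    print fmt("partial: %s:%s -> %s:%s history=%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$history);
    }

# Fired when a connection is removed because one of the timers expired;
# correlating these with the partial_connection events above shows whether
# an expiry is what reset the analyzer state mid-connection.
event connection_timeout(c: connection)
    {
    print fmt("timeout: %s:%s -> %s:%s duration=%s history=%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              c$duration, c$history);
    }
```

Run it against the pcap in question with `zeek -r trace.pcap timers.zeek` (file names assumed); a `timeout:` line appearing for a connection that later shows up as `partial:` is the signature of the behaviour described in the question, and the `history` string tells you which side had gone quiet when the timer fired.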
