[Zeek] R: tcp partial connections

Palumbo Mauro mauro.palumbo at aizoon.it
Wed Dec 4 00:35:08 PST 2019


Actually the pcap file I was looking into had only half the traffic in it (only one direction). That's why I was seeing a quite odd behavior. After fixing this, zeek disables the http analyzer when it detects some gaps in the TCP flux, i.e. some packets are missing. This makes much more sense.

Thanks again,
Mauro 

-----Original Message-----
From: Jon Siwek [mailto:jsiwek at corelight.com] 
Sent: Tuesday, December 3, 2019 19:40
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek at zeek.org
Subject: Re: [Zeek] tcp partial connections

On Tue, Dec 3, 2019 at 2:14 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:

> As I would like to get a better understanding of what is going on, I examined a single tcp+http connection in more detail. Zeek starts processing it correctly at first, there is the tcp handshake and the first GET/POST are logged correctly. Then Zeek stops processing the http traffic. By debugging, I noticed that in the middle of the conn, zeek calls again the ctor of the tcp analyzer and as a consequence resets "is_partial" and other variables. Again from debugging it seems this happens because of the timer TCPConnectionExpireTimer is dispatched at a certain point.
>
> Is this what you would expect in the middle of a conn? It doesn't seem to me that there is a long inactivity on this conn.

Hard to say without looking directly at a pcap which reproduces the behavior, but yes, there do exist various inactivity timers you might expect/suspect to interfere or cause things like that to happen. You might look more closely at TCP_Analyzer::ExpireTimer() to find which condition is being met and see if it makes sense for the particular connection(s). You'll also find out from that whether there are particular timeout interval options to try tuning for your use-case.
E.g. the relevant ones look like they're 5-6 seconds by default:
"tcp_SYN_timeout", "tcp_session_timer", and "tcp_connection_linger".

- Jon
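The thread points at two things worth checking when the HTTP analyzer goes quiet mid-connection: the TCP inactivity timers Jon lists, and the reassembly gaps Mauro found in his one-directional capture. The following Zeek script is an added diagnostic example, not code from either poster or from the Zeek project. It logs every content gap and every partial (handshake-less) connection the TCP analyzer reports, and shows where the three timeout options would be tuned. The event names and option names (content_gap, partial_connection, tcp_SYN_timeout, tcp_session_timer, tcp_connection_linger) are real Zeek identifiers; the timer values and the log stream name "tcp_gaps" are illustrative assumptions chosen for this example.

```zeek
# Added example: tcp_gaps.zeek (not from the thread or the Zeek project).
# Run against a capture alongside the default scripts, e.g.:
#   zeek -r trace.pcap ./tcp_gaps.zeek
# Produces tcp_gaps.log next to conn.log / http.log.

# The inactivity-related timers mentioned in the thread. Zeek's defaults
# are 5 sec / 6 sec / 5 sec; the values below are assumptions for
# experimentation, not recommended settings. Raising them is one knob to
# try when TCP_Analyzer::ExpireTimer() fires on a lossy or slow capture.
redef tcp_SYN_timeout = 10 sec;
redef tcp_session_timer = 12 sec;
redef tcp_connection_linger = 10 sec;

module TCPGaps;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:      time    &log;
		uid:     string  &log;
		id:      conn_id &log;
		kind:    string  &log;            # "gap" or "partial"
		is_orig: bool    &log &optional;  # direction of the gap
		seq:     count   &log &optional;  # sequence number where the hole starts
		length:  count   &log &optional;  # bytes missing from the capture
	};
}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="tcp_gaps"]);
	}

# Raised by the TCP reassembler when it sees a hole in the sequence space,
# i.e. packets that are absent from the trace. Application analyzers such
# as HTTP cannot reliably parse past such a hole, which is the behavior
# Mauro observed once the capture turned out to be half-duplex.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
	                 $kind="gap", $is_orig=is_orig, $seq=seq, $length=length]);
	}

# Raised for connections whose three-way handshake was never seen, which
# is what a one-directional capture looks like to Zeek.
event partial_connection(c: connection)
	{
	Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id, $kind="partial"]);
	}
```

Correlating the uid column of tcp_gaps.log with conn.log and http.log shows whether HTTP logging stops at exactly the first gap for a given connection, which separates a genuinely lossy capture (fix the capture) from a timer expiring on an idle but healthy connection (tune the timeouts above).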


