Reputation: 341
Determine the closed/closing flow in the network traffic
I've developed a network traffic classification program in C. I used the 5 tuple to determine a flow. The 5 tuple is:
- source adress
- destination adress
- source port
- destination port
- protocol(tcp,udp,dns etc)
However, in addition to determine a flow, I have to decide the time that flow is closed. Firstly, I'm planning to use FIN flag in TCP but I have a issue for this:
It can be multiple packets which include FIN flag in the flow . When do I decide that flow is closed completely?
Secondly, if I am going to use timeout mechanism to determine that flow is closed/closing, what should be the time threshold?
Upvotes: 0
Views: 71
Answers (1)
Reputation: 8716
A FIN flag indicates that the sender is done and will not be sending any more. The other side is free to continue sending or also close or do nothing. This is referred to as a "half closed" connection. Once a FIN has passed both ways, the connection is "closed".
If a host doesn't want to receive any more, it simply breaks the connection completely and responds only with a RST for all incoming packets. It would be "bad form", though, to do so without first sending a FIN indicating the close in a nice way.
As for a timeout... TCP generally doesn't have an "idle timeout". If you're referring to a "no response timeout", it depends on the configuration of the hosts. You may get a RST if a host aborts a connection due to a timeout.
Upvotes: 1
Related Questions
- Check connection open or closed ?(in C in Linux)
- TCP flow extraction
- Network and Transport layer functionalities on Captured packets
- Number of TCP connections after close() and exit() calls
- how to know which is the last TCP segment received by the server when data is transferring?
- Knowning when a NetworkStream is closed
- Determine the state of a TCP socket
- How'd I determine where one packet ends and where another one starts
- How can I check Recv or send point of the socket is shutdown
- Testing for a closed socket