Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feature(network): add network flow end base for events
- add the base for keeping flow states (for future stats) - flow states allow knowing end flows for tcp and udp
- Loading branch information
1 parent
34b6682
commit 7fa222f
Showing
11 changed files
with
674 additions
and
328 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
|
||
# NetFlowTCPEnd | ||
|
||
## Intro | ||
|
||
NetFlowTCPEnd - An event derived from base network raw event, designed to | ||
monitor the termination of TCP flows. It leverages cgroup skb eBPF programs, | ||
focusing specifically on the TCP protocol's termination phase, and is | ||
instrumental in analyzing IP and TCP headers data to detect the end of TCP | ||
connections. | ||
|
||
## Description | ||
|
||
`NetFlowTCPEnd` utilizes cgroup skb eBPF programs to intercept and analyze raw | ||
network events at the kernel level, with a particular emphasis on the TCP | ||
protocol's termination phase. It processes IP and TCP headers to pinpoint the | ||
conclusion of TCP communication flows. The event identifies the termination of | ||
TCP connections by analyzing the status of TCP flags, primarily focusing on the | ||
FIN and RST flags. | ||
|
||
By examining these flags, `NetFlowTCPEnd` provides valuable insights into the | ||
end of TCP connections, a critical component for comprehensive network | ||
monitoring and security analysis. | ||
|
||
## Arguments | ||
|
||
1. **connectionDirection** (`string`): Indicates whether the terminated connection was 'incoming' or 'outgoing'. | ||
2. **srcIP** (`string`): The source IP address, extracted from the IP header, from the side terminating the connection. | ||
3. **dstIP** (`string`): The destination IP address, obtained from the IP header, of the side receiving the termination. | ||
4. **srcPort** (`uint16`): The source port number, derived from the TCP header. | ||
5. **dstPort** (`uint16`): The destination port number, ascertained from the TCP header. | ||
6. **srcDomains** (`[]string`): Associated domain names for the source IP, resolved using DNS cache. | ||
7. **dstDomains** (`[]string`): Related domain names for the destination IP, determined through DNS cache. | ||
|
||
## Origin | ||
|
||
### Derived from cgroup skb eBPF Programs | ||
|
||
#### Source | ||
|
||
`NetFlowTCPEnd` originates from cgroup skb eBPF programs, enabling the tracing | ||
of raw network packets at the kernel level. This advanced mechanism is adept at | ||
dissecting TCP traffic, particularly focusing on the termination stage of TCP | ||
connections. | ||
|
||
#### Purpose | ||
|
||
The primary aim of `NetFlowTCPEnd` is to provide detailed visibility into the | ||
termination of TCP connections. By concentrating on FIN and RST flags within TCP | ||
headers, it offers an effective and precise approach to identifying the | ||
conclusion of TCP communication flows, crucial for network security and | ||
performance monitoring. | ||
|
||
## Example Use Case | ||
|
||
Network administrators and security experts can use `NetFlowTCPEnd` to monitor | ||
the termination of TCP connections. This capability is essential for detecting | ||
unusual traffic patterns, potential security threats, or abrupt end of | ||
communication, which are vital for ensuring network security and efficiency. | ||
|
||
## Issues | ||
|
||
While `NetFlowTCPEnd` is designed to minimize system overhead, its performance | ||
may vary based on the volume of network traffic and the complexity of monitored | ||
TCP flows. Efficient data management and analysis are key to leveraging the full | ||
potential of this event without affecting system performance adversely. | ||
|
||
> This document was automatically generated by OpenAI and reviewed by a Human. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.