From: W. <joe...@ei...> - 2005-09-26 14:04:10
Hi all,

I found something strange in tcptrack data processing. In a directive, I use a tcptrack rule like this:

<rule type="monitor" name="More than 30 sec. persistence" reliability="+5" from="2:DST_IP" to="2:SRC_IP" port_from="2:DST_PORT" port_to="2:SRC_PORT" plugin_id="2006" plugin_sid="3" condition="ge" value="30" interval="60" time_out="70" absolute="true"/>

When this rule gets processed by the server, it sends the tcptrack processing request to the agent. Then the agent does some polling requests to the tcptrack software using its loopback...

On the agent debug output you can see this type of info:

(**) pyossim.Scheduler (2005-09-26 14:57:36): MonitorList : processing element (2/5)...
(<-) pyossim.Monitor (2005-09-26 14:57:36): Processing watch-rule (id=2006 sid=3)
(<-) pyossim.Monitor (2005-09-26 14:57:36): Timeout at 42 seconds
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:36): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:36): 209 5 5
(**) pyossim.Scheduler (2005-09-26 14:57:38): MonitorList : processing element (2/5)...
(<-) pyossim.Monitor (2005-09-26 14:57:38): Processing watch-rule (id=2006 sid=3)
(<-) pyossim.Monitor (2005-09-26 14:57:38): Timeout at 40 seconds
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:38): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:38): 209 5 7
(**) pyossim.Scheduler (2005-09-26 14:57:40): MonitorList : processing element (2/5)...
(<-) pyossim.Monitor (2005-09-26 14:57:40): Processing watch-rule (id=2006 sid=3)
(<-) pyossim.Monitor (2005-09-26 14:57:40): Timeout at 38 seconds
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 209 5 9

Here the agent sends queries to tcptrack:

(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 10.192.73.206:49989 10.192.73.169:9999

and gets information back like this:

(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 209 5 9

My problem is coming from the tcptrack sid=3 rule (Session Duration). Indeed, this value looks like the third one (the first one increases when you send some data through the monitored tcp connection)... and the MonitorTcptrack.py comments look like this:

# obtain tcptrack sid from array index
# 1: Data Sent
# 2: Data Recv
# 3: Session Duration

This third value is always increasing even if the tcp connection is closed (I'm checking the tcp status with netstat -alp --inet)!! The only way to stop this value from increasing is to send data through the tcp connection: the value gets reset to 0 and starts to increase again until you send some data again...

Then I looked at Monitor.py and everything (value checks) looks ok! So I think maybe the problem comes from changes made in tcptrack...

With this strange behaviour and the rule described at the top of this mail, the rule is always matched if I don't send data through the monitored tcp connection (which resets the value)!!

I will be really happy to have some information about it because this plugin is really useful for setting up good correlation directives!!

Thanks for your help,
Joël.W
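An added example, not part of the mail above and not OSSIM's own code: a small Python model of the watch-rule evaluation the post describes. It parses the quoted rule's attributes, picks the tcptrack reply column by plugin_sid using the column order from the MonitorTcptrack.py comment (1: Data Sent, 2: Data Recv, 3: Session Duration), and applies the condition/value comparison to each polled reply. The log lines are constructed: the three replies quoted in the post, plus a fourth, invented reply in which the third column has passed 30. The condition keywords other than "ge", the regular expression and all function names are assumptions.

```python
import operator
import re
import xml.etree.ElementTree as ET

# The watch-rule quoted in the post, copied as-is.
RULE_XML = (
    '<rule type="monitor" name="More than 30 sec. persistence" reliability="+5" '
    'from="2:DST_IP" to="2:SRC_IP" port_from="2:DST_PORT" port_to="2:SRC_PORT" '
    'plugin_id="2006" plugin_sid="3" condition="ge" value="30" interval="60" '
    'time_out="70" absolute="true"/>'
)

# Constructed agent debug output: the three replies shown in the post, plus a
# fourth (invented) reply in which the session-duration column has passed 30.
AGENT_LOG = """\
(<-) pyossim.Monitor (2005-09-26 14:57:36): Processing watch-rule (id=2006 sid=3)
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:36): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:36): 209 5 5
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:38): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:38): 209 5 7
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 209 5 9
(=>) pyossim.MonitorTcptrack (2005-09-26 14:58:02): 10.192.73.206:49989 10.192.73.169:9999
(=>) pyossim.MonitorTcptrack (2005-09-26 14:58:02): 209 5 31
"""

# Column each plugin_sid reads from the three-field tcptrack reply, following
# the MonitorTcptrack.py comment quoted in the post (1: Data Sent,
# 2: Data Recv, 3: Session Duration). Reply columns are zero-indexed here.
SID_TO_COLUMN = {1: 0, 2: 1, 3: 2}

# Comparison keywords. Only "ge" appears on the page; the rest are assumed.
CONDITIONS = {
    "eq": operator.eq, "ne": operator.ne,
    "lt": operator.lt, "le": operator.le,
    "gt": operator.gt, "ge": operator.ge,
}

# Matches only the three-integer reply lines; the "ip:port ip:port" request
# echoes do not match and are skipped.
REPLY_RE = re.compile(
    r"^\(=>\) pyossim\.MonitorTcptrack \((?P<ts>[^)]+)\): "
    r"(?P<sent>\d+) (?P<recv>\d+) (?P<duration>\d+)$"
)


def parse_rule(xml_text):
    """Extract the attributes the monitor needs from a <rule type="monitor"/>."""
    el = ET.fromstring(xml_text)
    if el.get("type") != "monitor":
        raise ValueError("not a monitor rule")
    return {
        "plugin_id": int(el.get("plugin_id")),
        "plugin_sid": int(el.get("plugin_sid")),
        "condition": el.get("condition"),
        "value": int(el.get("value")),
        "time_out": int(el.get("time_out")),
    }


def parse_replies(log_text):
    """Return [(timestamp, [sent, recv, duration]), ...] for each reply line."""
    out = []
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            values = [int(m.group("sent")), int(m.group("recv")),
                      int(m.group("duration"))]
            out.append((m.group("ts"), values))
    return out


def rule_matches(rule, reply_values):
    """Apply the rule's condition to the column selected by its plugin_sid."""
    column = SID_TO_COLUMN[rule["plugin_sid"]]
    return CONDITIONS[rule["condition"]](reply_values[column], rule["value"])


def first_match(rule, log_text):
    """Timestamp of the first polled reply that satisfies the rule, or None."""
    for ts, values in parse_replies(log_text):
        if rule_matches(rule, values):
            return ts
    return None


if __name__ == "__main__":
    rule = parse_rule(RULE_XML)
    for ts, values in parse_replies(AGENT_LOG):
        print(ts, values, "MATCH" if rule_matches(rule, values) else "no match")
    print("first match:", first_match(rule, AGENT_LOG))
```

With the values the post reports (5, 7, 9 in the third column) the rule does not fire; it fires as soon as that column reaches the rule's value of 30. Pointing parse_replies at a real agent debug log is a quick way to see at which poll the third column crosses the threshold, and whether it keeps climbing after the connection has gone away, which is the behaviour the mail describes.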