Closed verzulli closed 2 years ago
While analyzing flow-event data received by nDPId I noticed that for an OpenVPN connection that I usually launch at startup on my notebook and that lasts for several days... I receive:

* a `NEW` flow event;
* a `GUESSED` flow event (OpenVPN, based on UDP/1194);
* a `DETECTED` flow event (OpenVPN);
* ...and PLENTY of `UPDATE` events. Currently I count 612 (six hundred!) `UPDATE` events, each one sent ~50 seconds apart.

Is this normal behaviour? Is there some feature for "expiring" long-lasting flows?
Yes, normal behavior. Nope, no expiration implemented yet. But if you have any idea how to improve that behavior, please tell me. =)
Of course, I can handle the "long-lasting 'live' flows" on my side, within my analyzer.... But I'm curious if there is something I'm missing regarding nDPId.
Nope, you did not miss anything.
Thanks!
:heart:
Ok. Thanks for explaining.

I think that long-lasting connections are really important from a security point of view. So I'll surely try to handle them on my side (e.g.: raising an additional/external event after receiving N consecutive `UPDATE` events, with N ~10, 20 or similar...).

I'm not sure if --from nDPId's point of view-- this should be implemented at all... just raising an `UPDATE` is enough (again: from its point of view...).
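The consumer-side approach sketched in the comment above (count consecutive `UPDATE` events per flow and raise a separate "long-lived flow" event after N of them) as an added example; this is not nDPId's or the commenter's code. It assumes the nDPId JSON has already been de-framed into one object per line, and the field names it reads (`flow_event_name`, `flow_id`, `src_ip`, `dst_ip`, `dst_port`) and the event names `update`, `end` and `idle` are assumptions to be checked against the nDPId version in use. The sample event lines are constructed, not captured.

```python
"""Consumer-side handling of long-lived nDPId flows (added example).

Field and event names below are assumptions for this example; adjust the
constants to match the nDPId version you run.
"""
import json
from collections import defaultdict

EVENT_NAME_FIELD = "flow_event_name"   # assumed name of the event-type field
FLOW_ID_FIELD = "flow_id"              # assumed name of the per-flow identifier
UPDATE_EVENT = "update"                # assumed name of the UPDATE flow event
TERMINAL_EVENTS = {"end", "idle"}      # assumed names of the flow-closing events


class LongLivedFlowTracker:
    """Raise one alert per flow once N consecutive UPDATE events have been seen.

    NEW/GUESSED/DETECTED reset the run, a terminal event forgets the flow, and a
    flow that already alerted stays quiet until it is closed and seen again.
    """

    def __init__(self, threshold=10):
        self.threshold = threshold
        self.consecutive_updates = defaultdict(int)
        self.alerted = set()

    def feed(self, event):
        name = event.get(EVENT_NAME_FIELD)
        flow_id = event.get(FLOW_ID_FIELD)
        if name is None or flow_id is None:
            return None  # not a flow event (daemon/packet events carry no flow_id)
        if name in TERMINAL_EVENTS:
            self.consecutive_updates.pop(flow_id, None)
            self.alerted.discard(flow_id)
            return None
        if name != UPDATE_EVENT:
            self.consecutive_updates[flow_id] = 0  # any non-UPDATE event breaks the run
            return None
        self.consecutive_updates[flow_id] += 1
        if (self.consecutive_updates[flow_id] >= self.threshold
                and flow_id not in self.alerted):
            self.alerted.add(flow_id)
            return {
                "flow_id": flow_id,
                "updates": self.consecutive_updates[flow_id],
                "src_ip": event.get("src_ip"),
                "dst_ip": event.get("dst_ip"),
                "dst_port": event.get("dst_port"),
            }
        return None


def process_lines(lines, threshold=10):
    """Run every JSON line through one tracker and return the alerts raised, in order."""
    tracker = LongLivedFlowTracker(threshold)
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than crash the analyzer
        alert = tracker.feed(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def _ev(name, flow_id, **extra):
    """Build one constructed event line (not real nDPId output)."""
    base = {EVENT_NAME_FIELD: name, FLOW_ID_FIELD: flow_id,
            "src_ip": "192.0.2.10", "dst_ip": "198.51.100.5",
            "dst_port": 1194, "l4_proto": "udp"}
    base.update(extra)
    return json.dumps(base)


# Constructed input: flow 7 mimics the long-lived OpenVPN tunnel from the issue
# (NEW, GUESSED, DETECTED, then a long run of UPDATEs); flow 8 is a short flow
# that is closed before reaching the threshold.
SAMPLE_LINES = (
    [_ev("new", 7), _ev("guessed", 7), _ev("detected", 7)]
    + [_ev("update", 7) for _ in range(12)]
    + [_ev("new", 8), _ev("detected", 8)]
    + [_ev("update", 8) for _ in range(3)]
    + [_ev("end", 8)]
)

if __name__ == "__main__":
    for alert in process_lines(SAMPLE_LINES, threshold=10):
        print("long-lived flow:", alert)
```

With UPDATE events arriving roughly every 50 seconds as reported above, N=10 corresponds to a flow alive for about eight minutes; pick N from the dwell time you consider interesting rather than from the event count itself.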