
I've developed a network traffic classification program in C. I used the 5 tuple to determine a flow. The 5 tuple is:

  1. source address
  2. destination address
  3. source port
  4. destination port
  5. protocol (tcp, udp, dns, etc.)

However, in addition to determining a flow, I have to decide the time at which a flow is closed. Firstly, I'm planning to use the FIN flag in TCP, but I have an issue with this:

There can be multiple packets which include the FIN flag in the flow. When do I decide that the flow is closed completely?

Secondly, if I am going to use a timeout mechanism to determine that the flow is closed/closing, what should be the time threshold?

Anamort
  • 1-5 is a single 5-tuple, not '5 tuples'. The protocol is either TCP or UDP. DNS is an application protocol, not a transport protocol. You won't get multiple FIN packets unless the corresponding ACK went missing. – user207421 Apr 18 '15 at 02:21

1 Answer

A FIN flag indicates that the sender is done and will not be sending any more. The other side is free to continue sending or also close or do nothing. This is referred to as a "half closed" connection. Once a FIN has passed both ways, the connection is "closed".

If a host doesn't want to receive any more, it simply breaks the connection completely and responds only with a RST for all incoming packets. It would be "bad form", though, to do so without first sending a FIN indicating the close in a nice way.

As for a timeout... TCP generally doesn't have an "idle timeout". If you're referring to a "no response timeout", it depends on the configuration of the hosts. You may get a RST if a host aborts a connection due to a timeout.

Brian White
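An added example in C (my own sketch, not the asker's program) that applies the answer's rule to a per-flow record: one FIN makes the flow half closed, FINs in both directions or a RST make it closed, and a retransmitted FIN changes nothing. The `flow_t` layout, the `TH_*` flag bits and the 300-second idle threshold are assumptions, not values from the question.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical per-flow record keyed by the 5-tuple (assumed layout). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    bool     fin_fwd;    /* FIN seen in the direction of the first packet */
    bool     fin_rev;    /* FIN seen in the reverse direction */
    bool     closed;
    uint32_t last_seen;  /* packet timestamp in seconds */
} flow_t;

typedef enum { FLOW_OPEN, FLOW_HALF_CLOSED, FLOW_CLOSED } flow_state_t;

enum { TH_FIN = 0x01, TH_RST = 0x04 };   /* TCP header flag bits */
#define IDLE_TIMEOUT_SEC 300             /* assumed threshold; tune per link */

/* Feed one TCP packet into the flow. dir: 0 = forward, 1 = reverse.
 * Returns 1 once the flow is fully closed, 0 otherwise. */
int flow_update(flow_t *f, int dir, uint8_t tcp_flags, uint32_t now)
{
    f->last_seen = now;
    if (tcp_flags & TH_RST) {            /* abort: closed immediately */
        f->closed = true;
        return 1;
    }
    if (tcp_flags & TH_FIN) {            /* a duplicate FIN (lost ACK) is idempotent */
        if (dir == 0) f->fin_fwd = true;
        else          f->fin_rev = true;
    }
    if (f->fin_fwd && f->fin_rev)        /* FIN has passed both ways */
        f->closed = true;
    return f->closed ? 1 : 0;
}

flow_state_t flow_state(const flow_t *f)
{
    if (f->closed)                 return FLOW_CLOSED;
    if (f->fin_fwd || f->fin_rev)  return FLOW_HALF_CLOSED;
    return FLOW_OPEN;
}

/* Periodic sweep: a closed flow, or one idle past the threshold, can be evicted.
 * The idle rule is the only one that applies to UDP, which has no FIN. */
int flow_expired(const flow_t *f, uint32_t now)
{
    return f->closed || (now - f->last_seen) >= IDLE_TIMEOUT_SEC;
}
```

A stricter tracker would additionally wait for each FIN to be acknowledged before counting it, which is what the host's own TCP state machine does.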