Note: Our current website is at www.zeek.org. This website is unmaintained and contains outdated information.
Connection Timers
Zeek associates several timers with each connection object using the timers variable. A new timer is appended to that list using the Conn::AddTimer function. The following tables might not be complete, but it’s a start …
class Connection
| Activated when? | Script-level parameter | Timer-Handler | Does what? |
|---|---|---|---|
| TCP, UDP, ICMP: instantiation of a new connection object (TCP, UDP, ICMP) if there is no analyzer associated. | non_analyzed_lifetime | Conn::DeleteTimer | Removes connection |
| UDP, ICMP: instantiation of a new connection object. TCP: as soon as the TCP handshake is complete (state transition in TCP_Endpoint) | tcp_inactivity_timeout, udp_inactivity_timeout, icmp_inactivity_timeout | Conn::InactivityTimer | Removes connection if it was not active since the timer was activated. |
| ? | ? | Conn::StatusUpdateTimer | Generates event connection_status_update event. |
class TCP_Conn
| Activated when? | Script-level parameter | Timer-Handler | Does what? |
|---|---|---|---|
|
tcp_SYN_timeout, tcp_session_timer, tcp_session_timer | TCP_Conn::ExpireTimer | Removes connection if it was inactive for tcp_connection_linger secs and one of the following:
else reschedule with tcp_session_timer |
| Activated when SYN is seen and event connection_attempt has script level handler defined. | tcp_attempt_delay | TCP_Conn::AttemptTimer | Removes connection if one endpoint still did only sent a SYN or SYNACK and the other did not send anything (INACT). Triggers event connection_attempt. |
| Activated if an endpoint did already close and sends a RST. Only activated if event connection_reset has script-level handler defined. | tcp_reset_delay | TCP_conn::ResetTimer | Removes connection. Triggers event connection_reset if connection was not closed by both sides yet. |
| Activated when both sides closed the connection. | tcp_close_delay | TCP_Conn::ConnDeleteTimer | Removes connection. (does not trigger event). |
| Activated when both sides closed the connection and tcp_close_delay is 0 (deactivated). Activated without delay! | TCP_Conn::DeleteTimer | Removes connection. (does not trigger event). | |
| Activated if the first thing an endpoint does is to close the connection (FIN); and the endpoint did not send a RST; and the other endpoint did not close; and the other endpoint is not INACT. | tcp_partial_close_delay | TCP_Conn::PartialCloseTimer | Removes connection if no endpoint is INACTIVE; and one endpoint did not close yet; and no endpoint did sent a RST. Triggers event connection_partial_close. |
The function Conn::CancelTimers deletes all timers associated with the connection from the global timer queue. It is called from the destructor of the Conn class and in TCP_Conn::ConnectionClosed just before the last timer for the connection is activated: ConnDeleteTimer, DeleteTimer, PartialCloseTimer or ExpireTimer.
Page Contents
Quick Links
- 13 February 2020: Ask the Zeeksperts - Aashish Sharma
- 18 February 2020 - Portland OR: Zeek Days Workshops
- 27 February 2020: Ask the Zeeksperts
- 7-9 October 2020 - Austin, Texas: ZeekWeek 2020
