IP Decoder (dec_ip) parameters
Note that, despite the name, the IP decoder covers the TCP, UDP and ICMP protocols as well as the IP protocol itself.
Parameter | Type | Required | Default | Description
---|---|---|---|---
protocol | Enum ( | N | | Accept this protocol only. Usually not used as a parameter; the stack probe packet filters are usually used instead.
port | list of integers | N | | Accept these ports only. Usually not used as a parameter; the stack probe packet filters are usually used instead.
passthrough | boolean | N | | Pass through all IP protocols without decoding. Used for some tunneling protocols (it decodes the IP layer but nothing after that).
tcp_window_size | int | N | | TCP buffer default window size (kbytes).
tcp_maximum_window_size | int | N | | TCP buffer maximum window size when a handshake is seen (kbytes). Adjusting this may be useful if the stack probe is in an environment with a lot of packet loss and clients using large windows.
tcp_on_receive | boolean | N | TRUE | Process TCP data when received.
tcp_on_ack | boolean | N | FALSE | Process TCP data when acknowledged.
tcp_on_transmit | boolean | N | FALSE | Process TCP data when transmitted.
ip_stream_timeout | unsigned int | N | FALSE | Expiry time of an unused IP stream (seconds).
udp_stream_timeout | unsigned int | N | FALSE | Expiry time of an unused UDP stream (seconds).
tcp_stream_timeout | unsigned int | N | FALSE | Expiry time of an unused TCP stream (seconds).
process_header_only | boolean | N | FALSE | Process only the OSI layer 3 / 4 headers. This allows processing of truncated packets, which is useful when the stack probe is processing packets from an aggregation switch that has applied a snaplength. The payload will typically not be decodable, but the IP/TCP/UDP headers can still be decoded.
About tcp_on_receive, tcp_on_ack and tcp_on_transmit parameters
The default decoder behaviour is:
```json
"dec_ip": {
    "parameters": {
        "tcp_on_receive": true,
        "tcp_on_ack": false,
        "tcp_on_transmit": false
    }
},
```
This behaves like a TCP client would, in that it passes data on to the next layer after it's been resequenced, and the timestamps for the blocks of data passed on will reflect that (e.g. if packets come out of order, timestamps of the packets will be changed to match when the client could complete the block of data in order).
tcp_on_transmit does no resequencing and is better for handling TCP packets as regular packets. However, this makes it hard to decode anything higher up the stack, because any TCP retransmits, out-of-order packets and so on are passed straight on to the next layer. See Worked Example: TCP Round-trip time stats in Beeks Analytics for Markets for an example of a configuration where it makes sense to set tcp_on_transmit to true.
Setting tcp_on_ack to true is not that common. It needs a packet filter that lets the decoder see both sides of the TCP conversation, and it passes on the data when it is ACKed by the client.
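To make the difference between the two modes concrete, here is a constructed, simplified model of one direction of a TCP stream. It is an added example and not Beeks Analytics code; the class names, the byte-based window and the sample capture are the author's own assumptions. The ResequencingStream class behaves as the text describes for tcp_on_receive (holding out-of-order segments, dropping retransmits of data already delivered, and stamping each delivered block with the time at which the gap before it was closed), while PassthroughStream behaves as tcp_on_transmit does (every segment forwarded as-is with its own capture timestamp).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, simplified model of one direction of a TCP stream, added here to
# illustrate the difference between tcp_on_receive and tcp_on_transmit.
# It is not Beeks code; the class and field names are assumptions.


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes
    ts: float       # capture timestamp in seconds


@dataclass(frozen=True)
class Block:
    ts: float       # timestamp handed on to the next decoder layer
    data: bytes


class ResequencingStream:
    """tcp_on_receive = true: behave like a TCP receiver.

    Out-of-order segments are held until the gap before them is filled,
    retransmits of already-delivered bytes are discarded, and every block is
    stamped with the time at which it could have been delivered in order.
    """

    def __init__(self, isn: int, window_bytes: int) -> None:
        self.next_seq = isn                  # next byte we can deliver in order
        self.window_bytes = window_bytes     # how far ahead we are willing to buffer
        self.pending: Dict[int, Segment] = {}

    def receive(self, seg: Segment) -> List[Block]:
        end = seg.seq + len(seg.payload)
        if end <= self.next_seq:
            return []                        # pure retransmit: nothing new to deliver
        if seg.seq > self.next_seq + self.window_bytes:
            return []                        # beyond the window: not buffered
        if seg.seq < self.next_seq:          # partial overlap: keep only the new tail
            seg = Segment(self.next_seq, seg.payload[self.next_seq - seg.seq:], seg.ts)
        self.pending.setdefault(seg.seq, seg)

        delivered: List[Block] = []
        while self.next_seq in self.pending:  # drain everything that is now contiguous
            s = self.pending.pop(self.next_seq)
            # Stamped with the arrival that closed the gap, not the original capture time.
            delivered.append(Block(seg.ts, s.payload))
            self.next_seq += len(s.payload)
        return delivered


class PassthroughStream:
    """tcp_on_transmit = true: no resequencing.

    Every segment goes straight to the next layer with its own capture
    timestamp, duplicates and out-of-order segments included, which is why
    decoding higher layers is hard in this mode.
    """

    def receive(self, seg: Segment) -> List[Block]:
        return [Block(seg.ts, seg.payload)]


# Constructed capture: three 3-byte segments, the middle one arriving last and
# then retransmitted once.
CAPTURE = [
    Segment(0, b"AAA", 1.0),
    Segment(6, b"CCC", 1.1),   # arrives before the bytes at seq 3
    Segment(3, b"BBB", 1.2),   # closes the gap
    Segment(3, b"BBB", 1.3),   # retransmit of data already seen
]


def deliver(stream, capture=CAPTURE) -> List[Tuple[float, bytes]]:
    """Feed the capture through a stream and collect (timestamp, data) blocks."""
    out: List[Tuple[float, bytes]] = []
    for seg in capture:
        out.extend((b.ts, b.data) for b in stream.receive(seg))
    return out


if __name__ == "__main__":
    print("tcp_on_receive :", deliver(ResequencingStream(isn=0, window_bytes=64 * 1024)))
    print("tcp_on_transmit:", deliver(PassthroughStream()))
```

With the resequencing stream, the "BBB" and "CCC" blocks both carry the 1.2 s timestamp of the segment that completed the in-order data, and the retransmit never reaches the next layer; with the passthrough stream the next layer sees four blocks, in capture order and with capture timestamps, which is the raw view that per-packet statistics such as round-trip time need.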
About the stream timeout parameters
Lowering the stream timeouts may be useful for very high churn environments with a lot of TCP / UDP streams created that are never closed.