Implemented mechanism to avoid collected flows to expire too early

in case the original flow date was back in time (e.g. when reproduced from an old pcap file, or if the flow sender has invalid date/time set)
ntop · Aug 22, 2024 · 7dc61bf · 7dc61bf
1 parent f1b2ad7
commit 7dc61bf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/include/Flow.h b/include/Flow.h
@@ -37,7 +37,8 @@ class FlowCheck;
 
 class Flow : public GenericHashEntry {
  private:
-  int32_t iface_index; /* Interface index on which this flow has been first observed */
+  time_t creation_time; /*** Epoch of the flow creation */
+  int32_t iface_index;  /* Interface index on which this flow has been first observed */
   Host *cli_host, *srv_host;
   IpAddress *cli_ip_addr, *srv_ip_addr;
   /* IPv4 only, so a int32 bit is only needed */
@@ -373,6 +374,7 @@ class Flow : public GenericHashEntry {
        time_t _last_seen, u_int8_t *_view_cli_mac, u_int8_t *_view_srv_mac);
   ~Flow();
 
+  virtual bool is_active_entry_now_idle(u_int max_idleness) const;
   inline Bitmap128 getAlertsBitmap() const { return (alerts_map); }
 
   /* Enqueues an alert to all available flow recipients. */

diff --git a/src/Flow.cpp b/src/Flow.cpp
@@ -47,7 +47,8 @@ Flow::Flow(NetworkInterface *_iface,
   : GenericHashEntry(_iface) {
   if(trace_new_delete) ntop->getTrace()->traceEvent(TRACE_NORMAL, "[new] %s", __FILE__);
 
-  iface_index = _iface_idx,
+  creation_time = iface->getTimeLastPktRcvd(),
+    iface_index = _iface_idx,
     vlanId = _vlanId, protocol = _protocol, cli_port = _cli_port,
     srv_port = _srv_port, privateFlowId = _private_flow_id;
   flow_dropped_counts_increased = 0, vrfId = 0, protocolErrorCode = 0;
@@ -8801,3 +8802,18 @@ void Flow::accountFlowTraffic() {
 			get_bytes(), get_packets());
   }
 }
+
+/* *************************************** */
+
+bool Flow::is_active_entry_now_idle(u_int max_idleness) const {  
+  bool is_expired = (((u_int)(iface->getTimeLastPktRcvd()) > (creation_time + max_idleness)) ? true : false);
+
+  /*
+    This mechanism prevents collected flows with past timestamps
+    to be purged immediately, thus guaranteeing that they stay in
+    memory at least max_idleness seconds
+  */
+  if(!is_expired) return(false);
+
+  return(GenericHashEntry::is_active_entry_now_idle(max_idleness));
+}
diff --git a/src/GenericHashEntry.cpp b/src/GenericHashEntry.cpp
@@ -85,10 +85,7 @@ void GenericHashEntry::periodic_stats_update(const struct timeval *tv) {
 /* ***************************************** */
 
 bool GenericHashEntry::is_active_entry_now_idle(u_int max_idleness) const {
-  bool ret =
-      (((u_int)(iface->getTimeLastPktRcvd()) > (last_seen + max_idleness))
-           ? true
-           : false);
+  bool ret = (((u_int)(iface->getTimeLastPktRcvd()) > (last_seen + max_idleness)) ? true : false);
 
 #if 0
   ntop->getTrace()->traceEvent(TRACE_NORMAL, "%s() [lastPkt: %u][last_seen: %u][max_idleness: %u][idle: %s]",