connection_status_update for inactive flows

Hi,

Does the event connection_status_update fire periodically for inactive
flows that haven't timed out yet, or just for flows that were active
since the last connection_status_update event?

The former, activity doesn't matter.

Robin

Thanks!

One more question: What's the best way for a script to handle
connection_status_update_interval? Would it offend site administrators
or other script authors for my script to redef it to a value that works
for that script? Should I just add a comment saying something like "Site
administrators should redef connection_status_update_interval to an
appropriate value, given these considerations about what values are
appropriate?"

I would approach the problem differently, I *really* don't like the connection_status_update event because of the global change as you've noticed. Are you familiar with scheduled events?

You could implement your script like this…

module MyModule;

export {
  ## The period of delay for all established connections
  ## before rechecking them for whatever I'm checking them for.
  const checkup_interval = 5sec;
}

event MyModule::regular_check(c: connection)
  {
  # Do your check you would have previously done in connection_status_update
  print c$uid;

  # Reschedule this event.
  schedule checkup_interval { MyModule::regular_check(c) };
  }

event connection_established(c: connection)
  {
  # Schedule the event that does the check.
  schedule checkup_interval { MyModule::regular_check(c) };
  }

Does that work for what you're trying to do?

  .Seth

You could implement your script like this…

module MyModule;

export {
  ## The period of delay for all established connections
  ## before rechecking them for whatever I'm checking them for.
  const checkup_interval = 5sec;
}

event MyModule::regular_check(c: connection)
  {
  # Do your check you would have previously done in connection_status_update
  print c$uid;

  # Reschedule this event.
  schedule checkup_interval { MyModule::regular_check(c) };
  }

event connection_established(c: connection)
  {
  # Schedule the event that does the check.
  schedule checkup_interval { MyModule::regular_check(c) };
  }

There's also a general form of connection polling provided by ConnPolling::watch() in scripts/base/protocols/conn/polling.bro, which allows the "checkup" interval to vary between connections and/or over time.

scripts/base/protocols/ftp/gridftp.bro has an example usage.

    Jon

I would approach the problem differently, I *really* don't like the connection_status_update event because of the global change as you've noticed. Are you familiar with scheduled events?

You could implement your script like this…

[..]

Does that work for what you're trying to do?

With a bit of modification, I think so. Would the connection object be
updated with new data (duration, sizes, etc.) each time
MyModule::regular_check is called?

Yes. The same goes for the approach Jon mentioned. I forgot that he had abstracted that notion even further. :slight_smile:

You're much less likely to step on someone's toes by making a script work this way at least and internally it's basically doing the same thing but you get more script-land flexibility with the approaches Jon and I mentioned.

  .Seth

With a bit of modification, I think so. Would the connection object be
updated with new data (duration, sizes, etc.) each time
MyModule::regular_check is called?

I don't think they are necessarily. E.g. if no other events are raised internally for the connection between the time the event is scheduled and the time when the event handler body actually executes, the connection record fields may not be updated.

One way to guarantee/force updated values is to check if the connection is still around with `connection_exists(c$id)` and then call `lookup_connection(c$id)` if it is. `ConnPolling::watch()` automates that.

    Jon