TCP_PAYLOAD event trigger on multipacket payloads with unidirectional L7 traffic

triggers

#1

General configuration:

  • Event: TCP_PAYLOAD
  • String match
  • NOT per turn

Application behavior:

  • Unidirectional L7 data, ACKs are sent

Question: If a payload is large enough that it crosses a packet boundary, when does the TCP_PAYLOAD event fire?

#2

Attaching some specifics to your example to help explain what to expect:

  • Per turn: false
  • Server matching string: foo
  • Server bytes hint: 5000

And then considering a payload stream from the server that looks like this:

[bytes before the first foo]foo[“A” chunk of bytes]foo[“B” chunk of bytes]foo[“C” chunk of bytes][TCP close]

As the EDA processes the payload stream using the parameters above, TCP_PAYLOAD will fire and have non-null Flow.server.payload when any of the following are true:

  • 5000 bytes of server payload have been seen since the most recent “foo”
  • when another “foo” is seen (possibly before 5000 bytes)
  • when the end of the flow is reached (another possibility for <5000 bytes payload)

So practically, Flow.server.payload would return in successive TCP_PAYLOAD events:

  1. up to 5000 bytes from the beginning of the “A” chunk
  2. up to 5000 bytes from the beginning of the “B” chunk
  3. up to 5000 bytes from the beginning of the “C” chunk

The matching string “foo” is not included in Flow.server.payload. Based on the rules above, you just know it preceded the returned payload.

And it’s implicit above, but to your specific question, yes, payload is gathered from across multiple segments if needed.
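As an added illustration (not ExtraHop code and not part of the answer above), the following JavaScript models the three firing rules over the stream described, delivered segment by segment so that gathering across segment boundaries is visible; the stream, segment cuts and the handling of bytes beyond the hint before the next match are constructed assumptions, noted in the code.

```javascript
const MATCH = "foo";
const BYTES_HINT = 5000;

// Returns the string each successive TCP_PAYLOAD event would expose as
// Flow.server.payload, following the rules in the answer: fire on the bytes
// hint, on the next match, or at end of flow; the match itself is excluded.
function simulateTcpPayload(segments, match = MATCH, bytesHint = BYTES_HINT) {
  const events = [];
  let recent = "";        // last match.length bytes seen; carried across segments
  let collecting = false; // true once a match has been seen and bytes are gathered
  let payload = "";

  for (const seg of segments) {          // segments arrive one at a time, as in TCP
    for (const c of seg) {
      recent = (recent + c).slice(-match.length);
      if (collecting) payload += c;

      if (recent.endsWith(match)) {
        // Another match: fire with what was gathered, minus the match bytes
        // themselves (assumes a match string that does not overlap itself).
        if (collecting) events.push(payload.slice(0, payload.length - match.length));
        collecting = true;
        payload = "";
      } else if (collecting && payload.length >= bytesHint) {
        // Bytes hint reached: fire. Assumption (not stated in the answer):
        // bytes past the hint are not gathered until the next match.
        events.push(payload);
        collecting = false;
        payload = "";
      }
    }
  }
  if (collecting) events.push(payload);  // end of flow flushes a short chunk
  return events;
}

// Constructed sample stream: bytes before the first "foo", then chunk A (6000
// bytes, longer than the hint), chunk B (120 bytes), chunk C (40 bytes), TCP close.
const STREAM = "header" + "foo" + "A".repeat(6000) + "foo" + "B".repeat(120) +
               "foo" + "C".repeat(40);
// Segment cuts chosen so the first "foo" straddles a boundary ("fo" | "o").
const SEGMENTS = [STREAM.slice(0, 8), STREAM.slice(8, 3000),
                  STREAM.slice(3000, 6100), STREAM.slice(6100)];

// Summarise each event as (length, first byte): expect 5000 "A", 120 "B", 40 "C".
function demo() {
  return simulateTcpPayload(SEGMENTS).map(p => ({ length: p.length, first: p[0] }));
}
```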
#3

Awesome, thanks for the detailed response @shuandavid