I'm trying to understand the packetbeat http code to monitor fcgi. I'm new to the Go language, but the code below suggests to me that streams are not separated by tcptuples, just by dir. So if TCP packets from different conversations arrive out of order, the streams get mixed, right? Is this on purpose, just sampling and discarding anything that doesn't come in order? Am I missing anything?
```go
st := conn.Streams[dir] // one stream per direction within this connection
if st == nil {
	// first payload seen in this direction: start a new stream
	st = newStream(pkt, tcptuple)
	conn.Streams[dir] = st
} else {
	// concatenate bytes
	st.data = append(st.data, pkt.Payload...)
}
```
The packetbeat/protos/tcp module keeps track of TCP connections, having one context object per connection. The conn object in the http module lives right in the TCP connection context. No crosstalk between multiple streams.
The only problem with passive network analyzers is that you might start sniffing right from "inside" an active connection. In this case you see the response but never a request. But after this startup phase (and given we do not experience packet loss), messages should be mostly in order.
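To make the answer concrete, here is a small added example (not packetbeat's own code) of the structure it describes: a tracker that keys connections by an order-independent TCP tuple and keeps one stream per direction inside each connection, so interleaved segments from two conversations land in separate buffers. All type names, the endpoint addresses and the payloads are constructed for this example.

```go
package main

import "fmt"

// Endpoint is one side of a TCP conversation (constructed type for this example).
type Endpoint struct {
	IP   string
	Port uint16
}

// Tuple identifies a connection; Src/Dst are stored in canonical order so that
// both directions of one conversation resolve to the same key.
type Tuple struct {
	Src, Dst Endpoint
}

// Packet is the minimal view of a captured TCP segment the example needs.
type Packet struct {
	Src, Dst Endpoint
	Payload  []byte
}

// Stream accumulates one direction's bytes for one connection.
type Stream struct {
	data []byte
}

// Connection is the per-connection context: one stream per direction.
type Connection struct {
	Tuple   Tuple
	Streams [2]*Stream
}

// Tracker holds every connection seen so far, keyed by canonical tuple.
type Tracker struct {
	conns map[Tuple]*Connection
}

func NewTracker() *Tracker { return &Tracker{conns: map[Tuple]*Connection{}} }

// canonical orders the endpoints so A->B and B->A yield the same Tuple.
func canonical(a, b Endpoint) Tuple {
	if a.IP < b.IP || (a.IP == b.IP && a.Port < b.Port) {
		return Tuple{Src: a, Dst: b}
	}
	return Tuple{Src: b, Dst: a}
}

// keyAndDir maps a packet to its connection key and direction:
// dir 0 = canonical Src->Dst, dir 1 = the reverse.
func keyAndDir(src, dst Endpoint) (Tuple, int) {
	key := canonical(src, dst)
	if src != key.Src {
		return key, 1
	}
	return key, 0
}

// Process appends the segment payload to the stream for its connection and
// direction, creating the connection and stream on first sight. Like the
// snippet in the question, bytes are appended in arrival order.
func (t *Tracker) Process(pkt Packet) {
	key, dir := keyAndDir(pkt.Src, pkt.Dst)
	conn := t.conns[key]
	if conn == nil {
		conn = &Connection{Tuple: key}
		t.conns[key] = conn
	}
	st := conn.Streams[dir]
	if st == nil {
		st = &Stream{data: append([]byte(nil), pkt.Payload...)}
		conn.Streams[dir] = st
	} else {
		st.data = append(st.data, pkt.Payload...)
	}
}

// StreamData returns the bytes reassembled so far from src to dst, or "" if
// that direction has not been seen (e.g. sniffing started mid-connection).
func (t *Tracker) StreamData(src, dst Endpoint) string {
	key, dir := keyAndDir(src, dst)
	conn := t.conns[key]
	if conn == nil || conn.Streams[dir] == nil {
		return ""
	}
	return string(conn.Streams[dir].data)
}

// DemoInterleaved feeds segments from two conversations in mixed order and
// returns [c1->srv, srv->c1, c2->srv, srv->c2].
func DemoInterleaved() [4]string {
	client1 := Endpoint{"10.0.0.1", 40001} // constructed addresses
	client2 := Endpoint{"10.0.0.2", 40002}
	server := Endpoint{"10.0.0.9", 9000}
	t := NewTracker()
	pkts := []Packet{ // constructed payloads, deliberately interleaved
		{client1, server, []byte("GET /a ")},
		{client2, server, []byte("GET /b ")},
		{server, client1, []byte("200 a ")},
		{client1, server, []byte("HTTP/1.1")},
		{server, client2, []byte("200 b ")},
		{client2, server, []byte("HTTP/1.1")},
		{server, client1, []byte("done")},
		{server, client2, []byte("done")},
	}
	for _, p := range pkts {
		t.Process(p)
	}
	return [4]string{
		t.StreamData(client1, server), t.StreamData(server, client1),
		t.StreamData(client2, server), t.StreamData(server, client2),
	}
}

func main() {
	for i, s := range DemoInterleaved() {
		fmt.Printf("stream %d: %q\n", i, s)
	}
}
```

The point to notice is that `dir` only selects a slot inside a connection that was already looked up by tuple, so two conversations never share a buffer. What this toy does not do, and what the answer's "given we do not experience packet loss" caveat hints at, is reorder segments by TCP sequence number: segments within one connection are concatenated in the order they were captured.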