Connection Timers

From BroWiki

Bro associates several timers to each connection object using the timers variable. A new timer is appended to that list using the Conn::AddTimer function.

The following tables might not be complete... But it's a start;-)

Timers in class Conn

Activated when?	Script-Level Parameter	Timer-Handler	Does what?
TCP, UDP, ICMP: instantiation of a new connection object (TCP, UDP, ICMP) if there is no analyzer associated	non_analyzed_lifetime default=0 (disabled)	Conn::DeleteTimer	removes connection
UDP, ICMP: instantiation of a new connection object. TCP: as soon as the TCP handshake is complete (state transition in TCP_Endpoint)	tcp_inactivity_timeout default=0(disabled), udp_inactivity_timeout default=10s, icmp_inactivity_timeout default=10s	Conn::InactivityTimer	removes connection if it was not active since the timer was activated
?	?	Conn::StatusUpdateTimer	generates event StatusUpdate

Timers in class TCP_Conn

Activated when?	Script-Level Parameter	Timer-Handler	Does what?
Instantiation of new TCP_Conn reactivated on expire if connection is still alive (not closed) reactivated on expire if one side has closed but the other did not.	tcp_SYN_timeout (default=120s) tcp_session_timer (default=30s) tcp_session_timer	TCP_Conn::ExpireTimer	removes connection if it was inactive for tcp_connection_linger secs (default=30s) and one of the following: both endpoints did close one closed the other resetted one closed, the other was inactive all the time one did only send SYN or SYNACK, the other one was inactive and event connection_attempt has no script-level handler (fallback, in this case there is no AttemptTimer) both are inactive else reschedule with tcp_session_timer
activated when SYN is seen and event connection_attempt has script level handler defined	tcp_attempt_delay (default=300s)	TCP_Conn::AttemptTimer	removes connection if one endpoint still did only sent a SYN or SYNACK and the other did not send anything (INACT). Triggers event connection_attempt.
activated if an endpoint did already close and sends a RST. Only activated if event connection_reset has script-level handler defined	tcp_reset_delay (default=15s)	TCP_conn::ResetTimer	removes connection. Triggers event connection_reset if connection was not closed by both sides yet.
activated when both sides did close the connection	tcp_close_delay (default=15s)	TCP_Conn::ConnDeleteTimer	removes connection. (does not trigger event)
activated when both sides did close the connection and tcp_close_delay is 0 (deactivated). Activated without delay!		TCP_Conn::DeleteTimer	removes connection. (does not trigger event)
activated if the first thing an endpoint does is to close the connection (FIN) and the endpoint did not send a RST and the other endpoint did not close and the other endpoint is not INACT	tcp_partial_close_delay (default=10s)	TCP_Conn::PartialCloseTimer	removes connection if no endpoint is INACTIVE, and one endpoint did not close yet and no endpoint did sent a RST. Triggers event connection_partial_close

The function Conn::CancelTimers deletes all timers associated with the connection from the global timer queue. It is called from the destructor of the Conn class and in TCP_Conn::ConnectionClosed just before the last timer for the connection is activated: ConnDeleteTimer, DeleteTimer, PartialCloseTimer or ExpireTimer.