This document was created to assist in understanding how a flow is identified, indexed, and tracked. The method is the same for TCP and UDP, but the result differs because TCP is stateful and UDP is stateless.

A TCP flow is considered expired when the session is either gracefully torn down by the two endpoints or reset with a RST. If the session simply remains open but no new packets are seen for the flow, a default 60-second idle timer expires the flow from the state machine. Should new packets arrive for that previous session after the 60-second timer has expired, they are treated as a new flow.

UDP works in a similar fashion, except that UDP has no graceful setup or teardown of communication: packets simply arrive and then stop. A UDP flow consists of a unique 5-tuple (IP protocol, source IP, destination IP, source port, destination port) bound by a timeout. For new UDP packets entering the system without a corresponding flow entry, the first packet of the new flow together with its 5-tuple is used to determine the UDP initiator and responder, and a unique flow hash key is created. Just like TCP, every UDP packet is checked against the existing flows in the system, and a new flow is created if none matches. Unlike the default 60-second timer for TCP, the UDP timeout expiration is set to 5 seconds.
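The following flow table is an added example that is not part of this document; it models the behaviour described above (direction-independent 5-tuple key, initiator and responder fixed by the first packet, a 60-second TCP and 5-second UDP idle timer, and immediate TCP expiry on RST or on FIN from both ends). The packet dictionary layout, the `flow_key` ordering and the lazy, on-arrival timer sweep are assumptions of the example, not details taken from the page.

```python
from dataclasses import dataclass, field

# Idle timers stated in the text, in seconds.
IDLE_TIMEOUT = {"tcp": 60.0, "udp": 5.0}

@dataclass
class Flow:
    initiator: tuple        # (ip, port) that sent the first packet of the flow
    responder: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    fin_from: set = field(default_factory=set)  # endpoints that have sent FIN

def flow_key(pkt):
    # Direction-independent 5-tuple: both directions of a conversation sort
    # to the same (proto, endpoint, endpoint) key, so replies match the entry.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])

class FlowTable:
    def __init__(self):
        self.flows = {}    # key -> Flow
        self.expired = []  # (reason, Flow), in expiry order

    def expire_idle(self, now):
        # Drop entries that saw no packet within the protocol's idle timer.
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= IDLE_TIMEOUT[key[0]]:
                self.expired.append(("idle", self.flows.pop(key)))

    def process(self, pkt):
        # Match the packet to an existing flow or create one; returns the Flow.
        now = pkt["ts"]
        self.expire_idle(now)  # sweep first so a late packet starts a new flow
        key = flow_key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            # The first packet fixes initiator and responder for the flow's life.
            flow = Flow((pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"]), now, now)
            self.flows[key] = flow
        flow.last_seen = now
        flow.packets += 1
        if key[0] == "tcp":
            flags = pkt.get("flags", set())
            if "FIN" in flags:
                flow.fin_from.add((pkt["src"], pkt["sport"]))
            # Graceful close (FIN from both ends) or RST removes the entry at once.
            if "RST" in flags or flow.fin_from == {flow.initiator, flow.responder}:
                self.expired.append(("teardown", self.flows.pop(key)))
        return flow
```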