Version 10.4 and earlier Decoders are configured with a default session size of 32 MB. When a session exceeds the 32 MB limit, the Decoder splits the session and all subsequent packets become part of a new session, fragmenting the actual network session across multiple Decoder sessions. Split sessions are parsed without the context that it is a fragment of the larger network session, sometimes resulting in session fragments with source and destination addresses and ports reversed and with unidentified application protocols. Another result of split sessions can be difficulty viewing all of the session fragments as a single query result or creating a single packet export of all the session fragments.
Decoder enhancements in Security Analytics 10.5 provide improved processing of fragmented sessions:
- Contextual fragment parsing.
- Session fragments highlighting.
- Finding session fragments.
- Exporting all packets to a single PCAP.
Contextual Fragment Parsing
In Security Analytics 10.5 and later, the Decoder completes session parsing before splitting the session based on the configured maximum session size (32 MB) or the configured timeout (60 seconds). When parsing is complete, the parsed results include the proper address directionality and application protocol, which are propagated to each subsequent session fragment to ensure consistency with the logical network session they represent.
Note: All of the necessary Decoder configuration changes are be made when upgrading to 10.5. However, Find Session Fragments requires that the tcp and udp source port meta (tcp.srcport and udp.srcport) be fully indexed which was not the default configuration prior to 10.5. This functionally limits the ability to find session fragments to sessions captured after the Decoder was upgraded to 10.5.
Session Fragments Highlighting
Each session fragment has an additional meta, session.split. The value of the session.split meta for a particular session fragment indicates how many fragments precede that fragment. When viewing sessions in the Events view, the session.split meta clearly identifies sessions that are fragments in the Events List view and the Details List view.
The session split happens when the configured Decoder assembler.size.max or assembler.timeout.session (latency between sessions) is reached. The earliest fragment is session 0 and sessions with a later time stamp are incrementally numbered 1, 2, 3, and so on. The session.split meta indicates the number of preceding sessions fragments; however, it does not always indicate that there are subsequent session fragments, even with a value of 0. It is also possible for the first fragment of the session to not have session.split meta if the session is parsed before exceeding the maximum session size.
Once you view the session fragments, you can determine the maximum session size or session timeout necessary for parsing to combine the split sessions into one again. For example, if you have four fragments at 32 MB, you need to configure your test Decoder (usually a virtual machine set up separate from main production service) with a maximum session size greater than 128 MB. The steps are the same to find all fragments based on a session timeout.
Note: A maximum session size of 12 MB was configured at the time the screen captures below were created.
and the Details view:
The session.split meta is always displayed immediately following the address and port meta in the details view. It is never hidden as additional meta.
These enhancements make it possible to quickly:
- Identify sessions that are fragments of a network sessions.
- View all of the session fragments of a network session given a single session fragment.
- Export the packets for the entire network session as a single PCAP file.
From within the Events view, you can find fragments of a session using the Refocus > Find Session Fragments context menu option. Security Analytics composes a query using the source and destination addresses and ports of the selected session and displays all sessions that match that query within the current time window.
To find session fragments:
- In the Investigation > Events view, right-click any of the source and destination address and port values: ip.src, ip.dst, ipv6.src, ipv6.dst, tcp.srcport, tcp.dstport, udp.srcport, and udp.dstport) as well as session.split values.
The context menu is displayed.
- Select Refocus > Find Session Fragments or Refocus New Tab > Find Session Fragments.
Security Analytics repopulates the Events list with session fragments for a single session within the current time range. Depending on the option you selected, the refocus replaces the current view or opens in a new tab. (All data is used in these examples but is not recommended on production systems).
- If necessary, adjust the time range to include any session fragments that may precede or follow the current time window. You can tell that the time range needs to be expanded if the fragments occur near the time boundary, especially if the first visible fragment does not have a split value of 0 (or none). Alternately, inspecting the packets of the last visible session may lead you to believe that the session continues. Here is an example:
- If you are looking at fragments that are obviously not the first fragment, for example, 1, 2, 3, and 4 in time range 10:30 to 10:35, there should be a fragment 0. You can increase the time range to start earlier (for this example, 10:25) to find the additional fragment.
- If the session size of last fragment is close to maximum session size (12 MB in this example), look for additional fragments by increasing the time window to include a later time (for this example, 10:40).
When all of the session fragments of a network session are included within a single Events list, the list can span multiple pages.
- (Optional) To export the packets for every session fragment to a single PCAP file, select Actions > Export All PCAP.
A message informs you that the PCAP is being downloaded. When download is complete, PCAP file includes the entire network session that was fragmented.