hash5Tuple collision

54 views
Skip to first unread message

Pat Fedderman

unread,
Jun 18, 2021, 1:27:53 PM6/18/21
to PcapPlusPlus support
hash5Tuple is used to construct a key for TCPReassembly ConnectionData::flowKey.

The key is basically a 4 byte hash of 13 bytes (srcPort,destPort,srcIP,destIP,protocol).

Is there something that I'm not seeing which prevents collisions?

It's possible to detect collisions by checking to see if a duplicate flowKey exists within the  OnTcpConnectionStart callback.  But then the only way to deal with that case is to ignore all subsequent data for both of those streams, right?

Any advice?  Thanks.

PcapPlusPlus Support

unread,
Jun 23, 2021, 3:14:55 AM6/23/21
to Pat Fedderman, PcapPlusPlus support
Hi Pat,

I'm sorry for the late reply. Yes, the key is exactly what you described.
As you mention, there is currently no collision prevention, with the hope that the key is generated in a uniform distribution which should prevent collisions as much as possible.
The challenge with collision detection is that it should be done on every packet:
  1. run hash5Tuple() on the packet
  2. If it matches an existing connection, compare the params of this packet to the flow params (IP src, IP dst, port src, port dst, protocol)
    • If those match - there is no collisio
    • Otherwise there is a collision and there are different ways to handle it. One way is to keep a linked list of all the connections that have this flow key. Assuming that a collision is rare, that list should contain usually 1 element, sometimes 2
The step 2 that is mentioned above is tricky because this check that needs to be done for every packet which has a performance cost.

Another option is to increase the flow key size to 8-bytes but this will have a memory cost for all flows, although collisions only happen rarely (and will not solve the collision problem completely).

This issue was also discussed here: https://github.com/seladb/PcapPlusPlus/issues/636

Thanks,
PcapPlusPlus maintainer


--
You received this message because you are subscribed to the Google Groups "PcapPlusPlus support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pcapplusplus-sup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/851c065b-3f02-4438-bdfe-e268c7723093n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages