The stream inspectors
As we saw, the protocols – IP, UDP, ICMP, and TCP – have complicated scenarios that must be handled precisely to ensure accurate analysis and to avoid both false positives and evasion attempts. The inspectors maintain the necessary connection management, accurate state tracking, fragment reassembly, and stream reassembly so that the rest of the analysis (layer 5 and above) can be performed accurately.
Let us look closer at each inspector and see the important functions that they perform. We will start with the stream_ip inspector.
stream_ip
The stream_ip inspector does session tracking for IP flows. In addition, it analyzes fragmented IP datagrams and performs IP fragment reassembly. Reassembly has to mirror what the destination host will do, because overlapping or out-of-order fragments that different operating systems resolve differently are a classic way to slip a payload past an inspector that reassembles them the "wrong" way.
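To make the reassembly problem concrete, here is a small fragment reassembler written for this section (it is an added example, not code from Snort 3 or from the book). It models IPv4 fragments by their offset field (in 8-byte units), the "more fragments" flag, and their payload, then rebuilds the datagram under two hypothetical overlap policies, "first" (the earlier-arriving bytes win) and "last" (the later bytes win). The policy names and the `Reassembler` API are assumptions for illustration; the sample fragments are constructed inline. The point is that the same three fragments yield two different datagrams depending on the policy, which is exactly why the inspector's reassembly must be matched to the target host.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment (constructed model, not a real packet parser)."""
    offset: int   # fragment offset field, in 8-byte units as on the wire
    mf: bool      # "more fragments" flag
    data: bytes

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + len(self.data)


class Reassembler:
    """Reassemble a single datagram under a hypothetical overlap policy.

    'first': bytes from the fragment that arrived first win on overlap.
    'last':  bytes from the fragment that arrived last win on overlap.
    """

    def __init__(self, policy: str = "first") -> None:
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.policy = policy
        self.frags: list[Fragment] = []
        self.overlaps = 0                 # how many overlapping fragments we saw
        self.total_len: Optional[int] = None

    def add(self, frag: Fragment) -> None:
        # All but the final fragment must carry a multiple of 8 bytes (RFC 791).
        if frag.mf and len(frag.data) % 8:
            raise ValueError("non-final fragment length must be a multiple of 8")
        if not frag.mf:
            self.total_len = frag.end     # the final fragment fixes the datagram length
        for other in self.frags:
            if frag.start < other.end and other.start < frag.end:
                self.overlaps += 1        # an overlap is worth alerting on by itself
                break
        self.frags.append(frag)

    def reassemble(self) -> Optional[bytes]:
        """Return the datagram, or None if it is still incomplete or inconsistent."""
        if self.total_len is None:
            return None
        buf = bytearray(self.total_len)
        covered = [False] * self.total_len
        # For 'first', write later fragments first so earlier ones overwrite them.
        order = self.frags if self.policy == "last" else list(reversed(self.frags))
        for f in order:
            if f.end > self.total_len:
                return None               # data past the final fragment: inconsistent
            buf[f.start:f.end] = f.data
            for i in range(f.start, f.end):
                covered[i] = True
        if not all(covered):
            return None                   # a hole remains: wait for more fragments
        return bytes(buf)


def demo() -> dict:
    """Constructed sample: the third fragment overlaps the second."""
    frags = [
        Fragment(0, True, b"AAAAAAAA"),
        Fragment(1, False, b"BBBBBBBB"),
        Fragment(1, False, b"CCCCCCCC"),  # same offset as the previous one
    ]
    out = {}
    for policy in ("first", "last"):
        r = Reassembler(policy)
        for f in frags:
            r.add(f)
        out[policy] = (r.reassemble(), r.overlaps)
    return out


if __name__ == "__main__":
    for policy, (datagram, overlaps) in demo().items():
        print(f"{policy:5}: {datagram!r} (overlaps seen: {overlaps})")
```

Run stand-alone, the script shows the "first" policy producing `AAAAAAAABBBBBBBB` and the "last" policy `AAAAAAAACCCCCCCC` from identical input, with one overlap counted either way. A datagram with a missing fragment stays at `None`, which is the state an inspector has to keep buffering (and eventually time out) rather than inspect.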
Although IP is a stateless protocol, from a session tracking point of view there is a set of states that are assigned to the IP flow. Upon seeing traffic for a particular IP flow in one direction, the SSNFLAG_SEEN_CLIENT flag is...