想知道nfdump抓取分割session的方法,尤其是tcp session。
因為看到文檔說不是按照syn fin這些來進行分割的,而是整合了相似的包們,形成一個flow。
簡單看了看源代碼。沒有仔細(xì)看,可能有錯,未來的我,別相信下面的文字!
nfcapd.c里
args的定義:
/*
 * Arguments handed to the packet-capture thread (p_packet_thread).
 *
 * The first four members (tid, done, exit, parent) are the same, in the
 * same order, as the leading members of p_flow_thread_args_t; keep that
 * common prefix intact.
 *
 * NOTE(review): done/exit are plain ints. If another thread sets them while
 * the worker polls them (p_flow_thread reads args->done that way), they need
 * a lock or _Atomic to avoid a data race -- confirm how they are guarded.
 */
struct p_packet_thread_args_s {
	/* common thread info */
	pthread_t tid;
	int done;
	int exit;
	/* the parent */
	pthread_t parent;
	/* arguments */
	NodeList_t *NodeList;   /* the worker pushes new nodes onto this list */
	pcap_dev_t *pcap_dev;   /* capture device/handle (opaque here) */
	time_t t_win;           /* window length in seconds, presumably -- see p_flow_thread */
	int subdir_index;
	char *pcap_datadir;
	int live;
};
typedef struct p_packet_thread_args_s p_packet_thread_args_t;
/*
 * Arguments handed to the flow-builder thread (p_flow_thread).
 *
 * The first four members (tid, done, exit, parent) are the same, in the
 * same order, as the leading members of p_packet_thread_args_t; keep that
 * common prefix intact.
 *
 * NOTE(review): p_flow_thread passes &args->done to Pop_Node and re-reads
 * args->done on every NULL pop. Being a plain int, that is only race-free if
 * Pop_Node (not shown) serialises access -- confirm.
 */
struct p_flow_thread_args_s {
	/* common thread info */
	pthread_t tid;
	int done;
	int exit;
	/* the parent */
	pthread_t parent;
	/* arguments */
	NodeList_t *NodeList;   /* the worker pops new nodes from this list */
	FlowSource_t *fs;       /* head of the flow-source chain (walked via fs->next at shutdown) */
	time_t t_win;           /* file-rotation window in seconds (see p_flow_thread) */
	int subdir_index;
	int compress;
};
typedef struct p_flow_thread_args_s p_flow_thread_args_t;
處理packet,Push_Node的位置:
/* Packet-capture thread body: per the surrounding text this is where
   Push_Node is called to feed the flow thread. thread_data is presumably a
   p_packet_thread_args_t. Never returns; definition not shown here. */
static void *p_packet_thread(void *thread_data) __attribute__((noreturn));
將packet整合為flow,Pop_Node的位置:
/*
 * Flow-builder thread body (excerpt: "......" marks lines left out of this
 * listing; t_start, t_clock, t_udp_flush, args, done, fs and t_win are
 * declared/initialised in the part not shown).
 *
 * Pops FlowNodes from args->NodeList, advances a data-driven clock from each
 * node's t_last timestamp, rotates the output file whenever a t_win-second
 * window has passed (or shutdown was signalled), and periodically expires
 * inactive UDP state. thread_data is presumably a p_flow_thread_args_t.
 * Marked noreturn; the thread exit call must be in the omitted part.
 */
__attribute__((noreturn)) static void *p_flow_thread(void *thread_data) {
t_start = 0;
t_clock = 0;
t_udp_flush = 0;
while ( 1 ) {
struct FlowNode * Node;
/* Presumably blocks until a node is available; &args->done lets Pop_Node
   return NULL once the producer is finished (Pop_Node itself is not shown). */
Node = Pop_Node(args->NodeList, &args->done);
if ( Node ) {
/* The clock is taken from the node, not from wall time: out-of-order or
   bogus timestamps in the input directly steer rotation and UDP expiry. */
t_clock = Node->t_last.tv_sec;
dbg_printf("p_flow_thread() Next Node\n");
} else {
/* NULL pop: refresh the shutdown flag. args->done is a plain int shared with
   another thread; this read is only race-free if Pop_Node synchronises it. */
done = args->done;
dbg_printf("p_flow_thread() NULL Node\n");
}
if ( t_start == 0 ) {
/* Align the first window start down to a multiple of t_win.
   NOTE(review): t_win == 0 makes this a modulo by zero (UB) -- assumed to be
   validated by the caller; confirm. */
t_udp_flush = t_start = t_clock - (t_clock % t_win);
}
if (((t_clock - t_start) >= t_win) || done) { /* rotate file */
......
if(done)
break; /* shutdown path: leaves the loop before the UDP flush below */
t_start = t_clock - (t_clock % t_win);
}
/* NOTE(review): as shown, "|| !done" is true on every iteration that reaches
   this line (done==1 already broke out above, unless the omitted part changes
   that), so the 10-second throttle never applies and UDPexpire runs per node.
   This may have been meant as "|| done"; verify against upstream before touching. */
if (((t_clock - t_udp_flush) >= 10) || !done) { /* flush inactive UDP list */
UDPexpire(fs, t_clock - 10 );
t_udp_flush = t_clock;
}
}
/* Shutdown: release the output file of every FlowSource in the chain. */
while ( fs ) {
DisposeFile(fs->nffile);
fs = fs->next;
}
}