TCP

TCP (Transmission Control Protocol) is a core protocol that ensures reliable, ordered, and error-checked delivery of data between applications. In nzyme, many monitored protocols, such as SSH or TLS, sit on top of TCP. Nzyme captures and analyzes these higher-level protocols while always maintaining visibility into the underlying TCP session, ensuring that the context and integrity of the entire communication flow are preserved during monitoring and analysis.

Fully encrypted or unsupported protocols that use TCP will still be visible in nzyme as a TCP session. Treat TCP as a lower-level view into your network traffic, independent of the protocol it transports.

In the nzyme web interface, TCP is logically grouped with UDP and called L4/Layer 4.

Session Reassembly

Nzyme reassembles and tracks TCP sessions, independent of segment order.

Session Tagging

Nzyme applies tags to TCP sessions, depending on what content nzyme believes is in the TCP session. For example, it might tag a session as SSH or HTTP.

Configuration

nzyme-tap

The most important TCP configuration takes place in your nzyme tap configuration files:

[protocols.tcp]
pipeline_size = 16384
reassembly_buffer_size = 1048576
session_timeout_seconds = 43200

| Variable | Description |
| --- | --- |
| pipeline_size | The tap process moves data internally using in-memory pipelines. You may have to increase this value if you experience high throughput of TCP segments. |
| reassembly_buffer_size | The maximum number of TCP segments a session can hold. This is important to avoid memory exhaustion attacks that create extremely long-lived and large TCP sessions. |
| session_timeout_seconds | The tap will mark a TCP session as closed after this time has passed without a new segment or without a RST/FIN connection teardown recorded. |
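
To show why the segment cap and the idle timeout keep reassembly memory bounded, here is a small session table added as an illustration; it is not nzyme's code. The types `Limits`, `Session`, `Outcome` and `Table` are hypothetical, a `u64` key stands in for the connection 4-tuple, and sequence-number wraparound is ignored.

```rust
use std::collections::{BTreeMap, HashMap};

// Hypothetical types; the two limits mirror the [protocols.tcp] keys above.
pub struct Limits { pub reassembly_buffer_size: usize, pub session_timeout_seconds: u64 }

#[derive(Default)]
pub struct Session { segments: BTreeMap<u32, Vec<u8>>, last_seen: u64, closed: bool }

#[derive(Debug, PartialEq)]
pub enum Outcome { Buffered, Closed, Dropped }

pub struct Table { limits: Limits, sessions: HashMap<u64, Session> }

impl Table {
    pub fn new(limits: Limits) -> Self { Table { limits, sessions: HashMap::new() } }

    /// Record one segment. `key` stands in for the address/port 4-tuple; `now` is in seconds.
    pub fn ingest(&mut self, key: u64, seq: u32, data: &[u8], fin_or_rst: bool, now: u64) -> Outcome {
        let s = self.sessions.entry(key).or_default();
        if s.closed { return Outcome::Dropped; } // simplification: no session restart
        s.last_seen = now;
        if fin_or_rst { s.closed = true; return Outcome::Closed; }
        // Per-session segment cap: one peer cannot grow the buffer without bound.
        if s.segments.len() >= self.limits.reassembly_buffer_size { return Outcome::Dropped; }
        s.segments.insert(seq, data.to_vec()); // keyed by sequence number, so order is restored
        Outcome::Buffered
    }

    /// Close sessions that have been idle for the timeout; returns how many were closed.
    pub fn sweep(&mut self, now: u64) -> usize {
        let (timeout, mut n) = (self.limits.session_timeout_seconds, 0);
        for s in self.sessions.values_mut() {
            if !s.closed && now.saturating_sub(s.last_seen) >= timeout { s.closed = true; n += 1; }
        }
        n
    }

    /// Payload bytes in sequence order, whatever order the segments arrived in.
    pub fn stream(&self, key: u64) -> Vec<u8> {
        let s = self.sessions.get(&key);
        s.map(|s| s.segments.values().flatten().copied().collect()).unwrap_or_default()
    }
}

fn main() {
    let mut t = Table::new(Limits { reassembly_buffer_size: 2, session_timeout_seconds: 43200 });
    t.ingest(1, 6, b"world", false, 0); // constructed input: the later segment arrives first
    t.ingest(1, 1, b"hello", false, 1);
    println!("{:?}", String::from_utf8_lossy(&t.stream(1)));
}
```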

nzyme-node

There is an additional, optional variable in your nzyme node configuration file:

protocols: {
    tcp: {
        session_timeout_seconds: 43200
    }
}

| Variable | Description |
| --- | --- |
| session_timeout_seconds | This variable has the same function as the session_timeout_seconds variable in your nzyme tap configuration, but accounts for a case where the tap is not running and the node needs to mark the connection as closed. |