<div dir="ltr">On Fri, Jun 15, 2018 at 9:54 PM, Vern Paxson <span dir="ltr"><<a href="mailto:vern@corelight.com" target="_blank">vern@corelight.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> it unclear on the logarithmic<br>
> counts. Take, for instance SaDtTtT. If I'm reading this correctly, I think<br>
> that means 10-99 retransmissions from orig, followed by 10-99 from resp,<br>
> then more retransmissions from orig (enough to reach a total of 100-999),<br>
> and similarly more from resp.<br>
<br>
</span>Correct in principle. (1) These would be 1-9 followed by enough to<br>
get to 10-99, since a single retransmission is already a 't' / 'T', and<br>
(2) lower letters are responders rather than originators.<span class=""><br></span></blockquote><div><br></div><div>Ah, right. Thanks for clearing that up.<br></div><div> <span class=""></span><br><span class=""></span></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> Maybe we add the<br>
> new letters, but don't repeat them and also add new fields for exact<br>
> bytecounts?<br>
<br>
</span>I'm not following this. If we add new letters that don't repeat *and* we<br>
add new fields, why do we need the letters given that the fields are there?<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div>My thought for this was simply if it mattered *where* in the state history the trouble occurred. For instance, if I'm seeing retransmissions at the very end of a connection, that might indicate that one side abruptly terminated the connection (I'd see this with things like fail2ban inserting an iptables rule to block a brute-forcer). Similarly, if I see a zero window at the start of a connection, that would tell me that the buffer was full due to another connection or connections, as opposed to filling up due to the connection I'm looking at.<br><br></div><div>I'm having a tough time thinking up additional use-cases without having some sample data, so perhaps the best course is to add what you proposed, and then revisit it if we feel like anything's missing.<br><br></div><div> --Vlad<br></div></div><br></div></div>
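<div>The logarithmic reading of a <code>history</code> string that Vern spells out above (uppercase = originator, lowercase = responder; a repeated <code>t</code>/<code>T</code> means the retransmission count reached 10, then 100, and so on), together with the two positional checks Vlad describes (retransmissions at the very end of a connection, a zero window before any data), as an added example that is not part of this thread and not Zeek's own code. It assumes the set of logarithmically counted letters is <code>c</code>, <code>g</code>, <code>t</code>, <code>w</code> as in the Zeek documentation, that every other letter is worth at least one event per occurrence, that <code>^</code> is the direction-flip marker, and that the letter meanings in <code>MEANING</code> are the usual conn.log ones; the history strings in the usage block are constructed inputs.</div>

```python
"""Interpret a Zeek conn.log `history` string the way the thread describes it.

Added example, not Zeek's own code. Assumptions made here:
  - uppercase letter = originator, lowercase = responder;
  - for the logarithmically counted letters (assumed to be c, g, t, w, as in
    the Zeek docs) the first occurrence means 1-9 events, the second means
    the count reached 10, the third 100, and so on;
  - every other letter is a lower bound of one event per occurrence;
  - '^' is Zeek's direction-flip marker and belongs to neither side.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOG_COUNTED = frozenset("cgtw")

# Letter meanings assumed for the letters used in the examples below.
MEANING = {
    "s": "SYN", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "g": "content gap",
    "t": "retransmission", "w": "zero window", "^": "direction flip",
}


@dataclass(frozen=True)
class Event:
    pos: int         # index in the history string
    letter: str      # lower-cased letter
    side: str        # "orig", "resp" or "flip"
    nth: int         # occurrences of (side, letter) so far, this one included
    min_count: int   # lower bound on the underlying event count at this point


def parse_history(history: str) -> List[Event]:
    """Expand a history string into ordered events with lower-bound counts."""
    seen: Dict[Tuple[str, str], int] = {}
    events: List[Event] = []
    for pos, ch in enumerate(history):
        if ch == "^":
            events.append(Event(pos, "^", "flip", 1, 1))
            continue
        side = "orig" if ch.isupper() else "resp"
        letter = ch.lower()
        nth = seen.get((side, letter), 0) + 1
        seen[(side, letter)] = nth
        # Second 't' means at least 10 retransmissions, third at least 100.
        min_count = 10 ** (nth - 1) if letter in LOG_COUNTED else nth
        events.append(Event(pos, letter, side, nth, min_count))
    return events


def min_counts(history: str) -> Dict[str, int]:
    """Lower bound on events per side and letter, keyed like 'resp:t'."""
    out: Dict[str, int] = {}
    for ev in parse_history(history):
        if ev.side == "flip":
            continue
        key = f"{ev.side}:{ev.letter}"
        out[key] = max(out.get(key, 0), ev.min_count)
    return out


def trailing_retransmissions(history: str) -> Dict[str, int]:
    """Retransmissions logged after the last non-retransmission event.

    This is the 'retransmissions at the very end' pattern: one side keeps
    resending and nothing else happens, e.g. after a firewall rule cut the
    peer off. Returns the per-side lower bound on the total retransmission
    count, empty if the history does not end that way.
    """
    events = parse_history(history)
    last_other = max((ev.pos for ev in events if ev.letter != "t"), default=-1)
    tail: Dict[str, int] = {}
    for ev in events:
        if ev.letter == "t" and ev.pos > last_other:
            tail[ev.side] = max(tail.get(ev.side, 0), ev.min_count)
    return tail


def zero_window_before_data(history: str) -> List[str]:
    """Sides that advertised a zero window before any payload was seen."""
    events = parse_history(history)
    first_data = min((ev.pos for ev in events if ev.letter == "d"),
                     default=len(history))
    return sorted({ev.side for ev in events
                   if ev.letter == "w" and ev.pos < first_data})


def describe(history: str) -> List[str]:
    """Human-readable rendering of each letter, for eyeballing a record."""
    lines = []
    for ev in parse_history(history):
        what = MEANING.get(ev.letter, ev.letter)
        if ev.side == "flip":
            lines.append(f"{ev.pos}: {what}")
        else:
            lines.append(f"{ev.pos}: {ev.side} {what} (>= {ev.min_count})")
    return lines


if __name__ == "__main__":
    # Constructed history strings, not captured data.
    for h in ("SaDtTtT", "ShADadTTT", "ShAwDdfF"):
        print(h, min_counts(h), trailing_retransmissions(h),
              zero_window_before_data(h))
```

<div>For the thread's own example, <code>SaDtTtT</code> comes out as responder and originator each with at least 10 retransmissions, all of them logged after the last data packet, which is exactly the "one side got cut off" shape. Note that the lower bound is on the cumulative count, so the tail check tells you that the trouble continued to the end of the connection, not that it only started there.</div>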