[Bro] Bug (?) in TCP_Contents
vern at icir.org
Wed Oct 6 21:22:52 PDT 2004
> When Bro sees an ACK for a packet before the packet
> itself (packet reordering), it considers that it already
> delivered the packet to the upper protocols, because
> it's acked. (see TCP_Contents.cc, line 272).
> I was wondering whether this is the intended behavior
> or it's a bug.
Note, that's *not* packet reordering in the sense of a network phenomenon.
Causality requires that acknowledgments come *after* the packets they
So it's intended behavior. It only becomes a problem in traces for which
causality is broken. Unfortunately, this can happen due to reading from
multiple NICs which have large buffers. If this is a problem in your
environment, you can use packet_sort_window to sort the packets based
on timestamps (assuming your NICs timestamp them correctly - if not,
then all is lost ...).
More information about the Bro