[Bro] Overlaps Question

Vern Paxson vern at icir.org
Thu Aug 21 20:12:22 PDT 2008

> I have a question on overlaps - TCP segment overlaps and IP fragments
> overlap - how common they are
> and how legitimate?

TCP segment overlaps are, surprisingly, quite common.  We discuss this
in a recent paper of ours:

	Efficient and Robust TCP Stream Normalization
	M. Vutukuru, H. Balakrishnan and V. Paxson
	Proc. IEEE Symposium on Security and Privacy, May 2008

Fragment overlaps definitely occur too, though the ones I've tracked down
(not many) have been due to holding fragments for a long time and the IP
ID counter rolling over (producing a new set of fragments with the same ID).
I don't know how often they occur within the fragment reassembly time window.


More information about the Bro mailing list