[Bro] TCP segment retransmission v.s. segment out-of-order

Juhoon Kim juhoon at net.t-labs.tu-berlin.de
Mon Nov 8 08:31:57 PST 2010

Hi all,

I'm currently trying to find a method that identifies TCP retransmission
and out-of-order in TCP flows from the monitor's point of view.

Keeping previous sequence numbers (and cleaning them out after the
acknowledgement) in the list and seeing if the current sequence number
is already in the list or not, could be a simple approach for
identifying retransmissions.

However, in this case, we cannot detect segments which are lost before
the monitoring point.

Thus, I think that following scenario should be considered as a

[A] - [B] (lost before the analyzer) - [C] - [B] (Retransmission)

So, the analyzer sees [A] - [C] - [B].

In this case, when the analyzer processes the segment B (the last
segment), the analyzer can realize that the segment is re-sent because
the sequence number of B is smaller than the latest seen segment (C).

Now, the ambiguousness is caused when we consider the out-of-order. See
the following scenario:

[A] - [C] - [B] (Delayed)

The analyzer sees the same sequence numbers in the same order as the
previous scenario shows. However, the segment B here is not a

Are there any good methods for distinguishing retransmissions from

Any ideas will be very much appreciated.
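The monitor-side bookkeeping sketched in this post, as an added illustration that is not part of the original message: it keeps the highest sequence number seen plus the segments already observed (pruned on ACK), flags a segment observed twice as a definite retransmission, and for the [A] - [C] - [B] case, where the filled hole never passed the monitor, it can only fall back to an arrival-timing heuristic. The 3 ms window is an assumption borrowed from Wireshark's default out-of-order threshold, and the three traces are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed traces: (timestamp_s, seq, payload_len) for one direction of a flow.
# Segments A/B/C are 100 bytes each at seq 1000/1100/1200, as in the scenarios above.
LOST_THEN_RETRANSMITTED = [(0.000, 1000, 100), (0.001, 1200, 100), (0.250, 1100, 100)]  # [A][C][B after RTO]
REORDERED = [(0.000, 1000, 100), (0.001, 1200, 100), (0.002, 1100, 100)]                 # [A][C][B delayed]
SEEN_TWICE = [(0.000, 1000, 100), (0.001, 1100, 100), (0.300, 1100, 100)]                # [A][B][B again]

@dataclass
class FlowState:
    next_seq: Optional[int] = None             # byte just past the highest segment seen
    seen: dict = field(default_factory=dict)   # seq -> length of every segment observed
    last_ts: Optional[float] = None            # arrival time of the previous segment

def classify(state, ts, seq, length, ooo_threshold=0.003):
    """Classify one segment from the monitor's point of view."""
    if state.next_seq is None:
        state.next_seq = seq
    if state.seen.get(seq) == length:
        verdict = "retransmission"     # these exact bytes already passed the monitor
    elif seq == state.next_seq:
        verdict = "in-order"
    elif seq > state.next_seq:
        verdict = "gap"                # bytes missing here: lost upstream or still in flight
    else:
        # Fills a hole below the high-water mark without having been seen before: the
        # [A][C][B] case. Sequence numbers alone cannot decide, so fall back to timing
        # (assumed heuristic, modelled on Wireshark's default 3 ms out-of-order window):
        # a segment arriving right behind the previous one was most likely reordered,
        # one arriving much later most likely waited for a retransmission timer.
        delta = ts - state.last_ts
        verdict = "out-of-order?" if delta < ooo_threshold else "retransmission?"
    state.seen[seq] = length
    state.next_seq = max(state.next_seq, seq + length)
    state.last_ts = ts
    return verdict

def on_ack(state, ack):
    """Forget segments fully covered by an ACK, as the post suggests, to bound the list."""
    for seq in [s for s, n in state.seen.items() if s + n <= ack]:
        del state.seen[seq]

def classify_trace(trace):
    """Run a whole constructed trace through one FlowState and return the verdicts."""
    state = FlowState()
    return [classify(state, ts, seq, n) for ts, seq, n in trace]
```

The two ambiguous traces produce identical sequence-number orderings and differ only in the arrival delta of B, which is exactly why the verdicts there carry a question mark.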
