[Bro] TCP segment retransmission v.s. segment out-of-order
juhoon at net.t-labs.tu-berlin.de
Mon Nov 8 08:31:57 PST 2010
I'm currently trying to find a method that identifies TCP retransmission
and out-of-order in TCP flows from the monitor's point of view.
Keeping previous sequence numbers (and cleaning them out after the
acknowledgement) in the list and seeing if the current sequence number
is already in the list or not, could be a simple approach for
However, in this case, we cannot detect segments which are lost before
the monitoring point.
Thus, I think that the following scenario should be considered as a
[A] - [B] (lost before the analyzer) - [C] - [B] (Retransmission)
So, the analyzer sees [A] - [C] - [B].
In this case, when the analyzer processes the segment B (the last
segment), the analyzer can realize that the segment is re-sent because
the sequence number of B is smaller than the latest seen segment (C).
Now, the ambiguousness is caused when we consider the out-of-order. See
the following scenario:
[A] - [C] - [B] (Delayed)
The analyzer sees the same sequence numbers in the same order as the
previous scenario shows. However, the segment B here is not a
Are there any good methods for distinguishing retransmissions from
Any ideas will be very much appreciated.
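The list-based approach described in the post, written out as an added example that is not part of the original message or of Bro's code. It shows that a segment lost before the monitor and a merely delayed segment produce the same observation. The names `FlowTracker`, `observe`, `on_ack` and `classify` are hypothetical, the traces are constructed, and sequence-number wraparound and partially overlapping segments are assumed away.

```python
# Added illustration: passive classification of TCP data segments by sequence
# number, as seen from a monitoring point. All names here are hypothetical.
# Assumptions: no sequence wraparound, no partially overlapping segments.
class FlowTracker:
    def __init__(self):
        self.seen = {}           # seq -> payload length, for unacknowledged segments
        self.highest_end = None  # highest (seq + length) observed so far

    def observe(self, seq, length):
        """Classify one data segment using only what the monitor has seen."""
        end = seq + length
        if seq in self.seen:
            verdict = "retransmission"  # these bytes already passed the monitor
        elif self.highest_end is not None and seq < self.highest_end:
            # Below the highest byte seen, but never seen here: either the
            # original was lost before the monitor and this is its resend,
            # or the segment was only delayed. Sequence numbers cannot tell.
            verdict = "ambiguous"
        else:
            verdict = "new"
        self.seen[seq] = length
        if self.highest_end is None or end > self.highest_end:
            self.highest_end = end
        return verdict

    def on_ack(self, ack):
        """Clean out segments fully covered by a cumulative acknowledgement."""
        for seq in [s for s, n in self.seen.items() if s + n <= ack]:
            del self.seen[seq]

def classify(trace):
    """Return the verdict for each (seq, length) pair in arrival order."""
    tracker = FlowTracker()
    return [tracker.observe(seq, length) for seq, length in trace]

# Constructed traces: A, B, C are 100-byte segments at seq 1000, 1100, 1200.
A, B, C = (1000, 100), (1100, 100), (1200, 100)
LOSS_AFTER_MONITOR = [A, B, C, B]  # B passed the monitor, was lost later, resent
LOSS_BEFORE_MONITOR = [A, C, B]    # B lost before the monitor, then resent
REORDERED = [A, C, B]              # B delayed in the network, never resent

if __name__ == "__main__":
    for name, trace in [("loss after monitor", LOSS_AFTER_MONITOR),
                        ("loss before monitor", LOSS_BEFORE_MONITOR),
                        ("reordered", REORDERED)]:
        print(name, classify(trace))
```
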