[Bro] TCP segment retransmission v.s. segment out-of-order

William Jones jones at tacc.utexas.edu
Mon Nov 8 09:53:11 PST 2010


Tcptrace has code to identify retransmits versus out-of-order packets. You might find that you can use the same method in Bro.

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Juhoon Kim
Sent: Monday, November 08, 2010 10:32 AM
To: bro at bro-ids.org
Subject: [Bro] TCP segment retransmission v.s. segment out-of-order

Hi all,

I'm currently trying to find a method that identifies TCP retransmission
and out-of-order in TCP flows from the monitor's point of view.

Keeping previous sequence numbers (and cleaning them out after the
acknowledgement) in a list and seeing whether the current sequence number
is already in the list could be a simple approach for
identifying retransmissions.

However, in this case, we cannot detect segments which are lost before
the monitoring point. 

Thus, I think that the following scenario should be considered a
retransmission.

[A] - [B] (lost before the analyzer) - [C] - [B] (Retransmission)

So, the analyzer sees [A] - [C] - [B].

In this case, when the analyzer processes the segment B (the last
segment), the analyzer can realize that the segment is re-sent because
the sequence number of B is smaller than the latest seen segment (C).

Now, the ambiguity arises when we consider out-of-order delivery. See
the following scenario:

[A] - [C] - [B] (Delayed)

The analyzer sees the same sequence numbers in the same order as in the
previous scenario. However, the segment B here is not a
retransmission.

Are there any good methods for distinguishing retransmissions from
out-of-order segments?

Any ideas will be very much appreciated.
Juhoon



_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
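The following is an added example for this thread, not code from Bro or from tcptrace. It implements the monitor-side classifier the question sketches (remember what bytes have passed, prune on ACK, and flag a segment whose sequence number is below the highest seen) and adds the one extra signal that separates the two ambiguous A-C-B scenarios: how long after C the hole at B gets filled. A reordered B trails C by well under an RTT; a B that was lost upstream of the monitor is resent only after a dup-ACK or RTO round trip. The 3 ms window, the byte ranges and the sample trace are all assumptions chosen for the example.

```python
"""Classify TCP data segments seen by a passive monitor as in-order,
out-of-order or retransmission.  Added example for this thread; it is not
Bro or tcptrace code.  The 3 ms reorder window and the trace are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REORDER_WINDOW = 0.003  # seconds; assumed: a hole filled this fast is reordering, not a resend


@dataclass
class Segment:
    ts: float      # capture timestamp in seconds
    seq: int       # sequence number of the first payload byte
    length: int    # payload bytes (0 for a pure ACK)


@dataclass
class FlowDirection:
    """Monitor-side state for one direction of a TCP connection."""
    next_seq: Optional[int] = None  # highest seq+len seen; None until the first segment
    last_ts: float = 0.0            # timestamp of the segment that last advanced next_seq
    acked: int = 0                  # highest ACK seen from the peer
    seen: List[Tuple[int, int]] = field(default_factory=list)  # merged [start, end) ranges

    def _covered(self, start: int, end: int) -> bool:
        """True if every byte of [start, end) has already passed the monitor."""
        return any(s <= start and end <= e for s, e in self.seen)

    def _add_range(self, start: int, end: int) -> None:
        """Record [start, end), merging with adjacent or overlapping ranges."""
        merged: List[Tuple[int, int]] = []
        for s, e in sorted(self.seen + [(start, end)]):
            if merged and s <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], e))
            else:
                merged.append((s, e))
        self.seen = merged

    def note_ack(self, ackno: int) -> None:
        """Peer ACK: bytes below ackno are done, so forget them (keeps the list small)."""
        self.acked = max(self.acked, ackno)
        self.seen = [(max(s, ackno), e) for s, e in self.seen if e > ackno]

    def classify(self, seg: Segment) -> str:
        start, end = seg.seq, seg.seq + seg.length
        if seg.length == 0:
            return "no-data"
        if self.next_seq is None:
            self.next_seq = start
        if start >= self.next_seq:
            # At or beyond the expected byte: in order, or a hole opened before it.
            verdict = "in-order" if start == self.next_seq else "gap"
        elif end <= self.acked or self._covered(start, end):
            # The monitor already saw (or the peer already ACKed) these bytes.
            verdict = "retransmission"
        elif end <= self.next_seq and seg.ts - self.last_ts < REORDER_WINDOW:
            # Fills a hole almost immediately: the delayed-B scenario.
            verdict = "out-of-order"
        else:
            # Fills a hole only after an RTT-scale delay: B was lost upstream of
            # the monitor and this is the sender's retransmission of it.
            verdict = "retransmission"
        if end > self.next_seq:
            self.next_seq, self.last_ts = end, seg.ts
        self._add_range(start, end)
        return verdict


# Constructed trace (not captured data): 100-byte segments, one direction only.
SAMPLE = [
    ("seg", Segment(0.000, 1, 100)),    # A
    ("seg", Segment(0.001, 201, 100)),  # C overtakes B -> hole at 101..200
    ("seg", Segment(0.002, 101, 100)),  # B, 1 ms behind C: reordered in flight
    ("seg", Segment(0.010, 301, 100)),  # D
    ("seg", Segment(0.011, 501, 100)),  # F; E (401..500) never reaches the monitor
    ("seg", Segment(0.250, 401, 100)),  # E, 239 ms later: the sender's retransmission
    ("seg", Segment(0.260, 301, 100)),  # D again: bytes the monitor already saw
    ("ack", 601),                       # peer ACKs everything so far
    ("seg", Segment(0.270, 601, 100)),  # G
]


def run_sample(events=SAMPLE) -> List[str]:
    """Feed the trace through one FlowDirection and return the verdict per data segment."""
    flow = FlowDirection()
    verdicts: List[str] = []
    for kind, item in events:
        if kind == "ack":
            flow.note_ack(item)
        else:
            verdicts.append(flow.classify(item))
    return verdicts


if __name__ == "__main__":
    data_events = [e for e in SAMPLE if e[0] == "seg"]
    for (_, seg), verdict in zip(data_events, run_sample()):
        print(f"t={seg.ts:.3f} seq={seg.seq:4d} len={seg.length} -> {verdict}")
```

Two caveats for anyone lifting this into a real analyzer: the fixed 3 ms window should be replaced by a per-flow RTT estimate (the same ambiguity reappears on links whose RTT is below the window), and the byte ranges above do not handle 32-bit sequence-number wraparound.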