[Bro] TCP segment retransmission v.s. segment out-of-order
vern at icir.org
Mon Nov 8 12:02:57 PST 2010
> I just found out that Wireshark uses a fixed amount of time (3ms) instead of
> the minimum RTT.
> Do you have any idea where this number came from?
I would assume they just figured it was a resonable cutoff. Most reordering
is indeed quite short-lived, but 3ms strikes me as aggressive in this regard.
Tracking the RTT can be a headache, too, though, if the vantage point isn't
known to be near a data sender. But it's more sound.
More information about the Bro