[Bro] TCP segment retransmission v.s. segment out-of-order

Vern Paxson vern at icir.org
Mon Nov 8 12:02:57 PST 2010

> I just found out that Wireshark uses a fixed amount of time (3ms) instead of
> the minimum RTT. 
> Do you have any idea where this number came from?

I would assume they just figured it was a reasonable cutoff.  Most reordering
is indeed quite short-lived, but 3ms strikes me as aggressive in this regard.
Tracking the RTT can be a headache, too, though, if the vantage point isn't
known to be near a data sender.  But it's more sound.
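
Added example, not part of the original message and not Wireshark's or Bro's code: a simplified classifier showing how the choice of cutoff (fixed 3 ms versus the minimum RTT) changes the verdict on the same late segment. The heuristic, the 40 ms minimum RTT and the trace are assumptions constructed for illustration; sequence-number wrap-around is ignored.

```python
from typing import List, Tuple

# (arrival time in seconds, sequence number, payload length)
Segment = Tuple[float, int, int]

def classify(segments: List[Segment], cutoff: float) -> List[str]:
    """Label each segment of one flow direction.

    A segment that starts below the highest sequence number already seen is
    either reordered or retransmitted. Assumed heuristic: if it arrives less
    than `cutoff` seconds after the segment that overtook it, call it
    out-of-order; otherwise call it a retransmission.
    """
    labels = []
    next_seq = None      # highest seq + len seen so far
    advanced_at = 0.0    # arrival time of the segment that last advanced next_seq
    for ts, seq, length in segments:
        if next_seq is None or seq >= next_seq:
            labels.append("new-data")
            next_seq = seq + length
            advanced_at = ts
        elif ts - advanced_at < cutoff:
            labels.append("out-of-order")
        else:
            labels.append("retransmission")
    return labels

# Constructed trace: three holes, filled after 1 ms, 8 ms and 210 ms.
TRACE: List[Segment] = [
    (0.000, 1000, 100),
    (0.001, 1200, 100),   # hole at 1100
    (0.002, 1100, 100),   # fills it 1 ms later
    (0.010, 1400, 100),   # hole at 1300
    (0.018, 1300, 100),   # fills it 8 ms later
    (0.020, 1600, 100),   # hole at 1500
    (0.230, 1500, 100),   # fills it 210 ms later
]

FIXED_CUTOFF = 0.003      # the 3 ms figure discussed above
MIN_RTT = 0.040           # assumed minimum RTT for this constructed path

if __name__ == "__main__":
    for name, cutoff in (("fixed 3 ms", FIXED_CUTOFF), ("min RTT", MIN_RTT)):
        print(name, classify(TRACE, cutoff))
```

Only the 8 ms segment changes label between the two cutoffs: the fixed 3 ms cutoff counts it as a retransmission, the minimum-RTT cutoff as reordering.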

