[Bro] TCP segment retransmission v.s. segment out-of-order

Juhoon Kim juhoon at net.t-labs.tu-berlin.de
Tue Nov 9 03:48:47 PST 2010


Hi William,

I didn't check the source code of tcptrace yet, but it seems that
tcptrace doesn't detect retransmission as I expected. I think tcptrace
identifies a segment as a retransmission only when the same sequence
number is seen multiple times.

Juhoon

On Mon, 2010-11-08 at 11:53 -0600, William Jones wrote:
> Tcptrace has code to identify retransmit versus out of order packets. You might find that you can use the same method in bro.
> 
> -----Original Message-----
> From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Juhoon Kim
> Sent: Monday, November 08, 2010 10:32 AM
> To: bro at bro-ids.org
> Subject: [Bro] TCP segment retransmission v.s. segment out-of-order
> 
> Hi all,
> 
> I'm currently trying to find a method that identifies TCP retransmission
> and out-of-order in TCP flows from the monitor's point of view.
> 
> Keeping previous sequence numbers (and cleaning them out after the
> acknowledgement) in the list and seeing if the current sequence number
> is already in the list or not, could be a simple approach for
> identifying retransmissions.
> 
> However, in this case, we cannot detect segments which are lost before
> the monitoring point. 
> 
> Thus, I think that the following scenario should be considered as a
> retransmission.
> 
> [A] - [B] (lost before the analyzer) - [C] - [B] (Retransmission)
> 
> So, the analyzer sees [A] - [C] - [B].
> 
> In this case, when the analyzer processes the segment B (the last
> segment), the analyzer can realize that the segment is re-sent because
> the sequence number of B is smaller than the latest seen segment (C).
> 
> Now, the ambiguity is caused when we consider the out-of-order. See
> the following scenario:
> 
> [A] - [C] - [B] (Delayed)
> 
> The analyzer sees the same sequence numbers in the same order as the
> previous scenario shows. However, the segment B here is not a
> retransmission.
> 
> Are there any good methods for distinguishing retransmissions from
> out-of-order segments?
> 
> Any ideas will be very much appreciated.
> Juhoon
> 
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
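The sequence-number bookkeeping described in the post, as an added example that is not part of the original message and not Bro's or tcptrace's code: it remembers unacknowledged sequence numbers, flags an exact repeat (or bytes the receiver has already acknowledged) as a retransmission, and goes one step past the thread by using the receiver's duplicate ACKs to separate a fast retransmit of a segment lost before the monitor from a merely delayed segment. With fewer than three duplicate ACKs the two scenarios in the post stay indistinguishable and are reported as ambiguous; the names (FlowTracker, classify) and the event traces are constructed assumptions.

```python
# Added example, not Bro's or tcptrace's code. Assumes one direction of one
# flow, payload-bearing segments, ACKs from the peer side, no SACK, mod-2^32 seq.

def seq_before(a, b):
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF  # a precedes b, with wraparound

class FlowTracker:
    def __init__(self):
        self.seen = {}           # seq -> payload length, dropped once ACKed
        self.highest_end = None  # end (seq + len) of the highest segment seen
        self.last_ack, self.dup_acks = None, 0  # last ACK, repeats for the hole

    def on_ack(self, ack):
        """Receiver's ACK: count duplicates, clean out acknowledged segments."""
        if ack == self.last_ack:
            self.dup_acks += 1   # receiver is still asking for the same byte
        elif self.last_ack is None or seq_before(self.last_ack, ack):
            self.last_ack, self.dup_acks = ack, 0
            self.seen = {s: n for s, n in self.seen.items()
                         if seq_before(ack, s + n)}  # keep unacked data only

    def on_data(self, seq, length):
        """Classify a data segment carrying bytes [seq, seq + length)."""
        end = seq + length
        if seq in self.seen:
            verdict = "retransmission"   # same sequence number seen twice
        elif self.last_ack is not None and not seq_before(self.last_ack, end):
            verdict = "retransmission"   # receiver already ACKed these bytes
        elif self.highest_end is None or not seq_before(seq, self.highest_end):
            verdict = "new"              # in order, or opens a hole
        elif self.dup_acks >= 3:
            # Fills a hole the monitor never saw filled, after three duplicate
            # ACKs: consistent with a fast retransmit of a segment lost upstream.
            verdict = "probable-retransmission"
        else:
            verdict = "ambiguous"        # lost before the monitor, or delayed
        self.seen[seq] = length
        if self.highest_end is None or seq_before(self.highest_end, end):
            self.highest_end = end
        return verdict

def classify(events):
    """events: ('data', seq, len) or ('ack', acknum) in monitor arrival order."""
    tracker, verdicts = FlowTracker(), []
    for ev in events:
        if ev[0] == "data":
            verdicts.append(tracker.on_data(ev[1], ev[2]))
        else:
            tracker.on_ack(ev[1])
    return verdicts
```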