[Bro] TCP segment retransmission v.s. segment out-of-order
juhoon at net.t-labs.tu-berlin.de
Tue Nov 9 03:48:47 PST 2010
I didn't check the source code of tcptrace yet, but it seems that
tcptrace doesn't detect retransmission as I expected. I think tcptrace
identifies a segment as a retransmission only when the same sequence
number is seen multiple times.
On Mon, 2010-11-08 at 11:53 -0600, William Jones wrote:
> Tcptrace has code to identify retransmit verse out of order packets. You might find that you can use the same method in bro.
> -----Original Message-----
> From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Juhoon Kim
> Sent: Monday, November 08, 2010 10:32 AM
> To: bro at bro-ids.org
> Subject: [Bro] TCP segment retransmission v.s. segment out-of-order
> Hi all,
> I'm currently trying to find a method that identifies TCP retransmission
> and out-of-order in TCP flows from the monitor's point of view.
> Keeping previous sequence numbers (and cleaning them out after the
> acknowledgement) in the list and seeing if the current sequence number
> is already in the list or not, could be a simple approach for
> identifying retransmissions.
> However, in this case, we cannot detect segments which are lost before
> the monitoring point.
> Thus, I think that following scenario should be considered as a
> [A] - [B] (lost before the analyzer) - [C] - [B] (Retransmission)
> So, the analyzer sees [A] - [C] - [B].
> In this case, when the analyzer processes the segment B (the last
> segment), the analyzer can realize that the segment is re-sent because
> the sequence number of B is smaller than the latest seen segment (C).
> Now, the ambiguousness is caused when we consider the out-of-order. See
> the following scenario:
> [A] - [C] - [B] (Delayed)
> The analyzer sees the same sequence numbers in the same order as the
> previous scenario shows. However, the segment B here is not a
> Is there any good methods for distinguishing retransmissions from
> Any ideas will be very much appreciated.
> Bro mailing list
> bro at bro-ids.org
More information about the Bro