[Bro] TCP segment retransmission v.s. segment out-of-order
juhoon at net.t-labs.tu-berlin.de
Wed Nov 10 02:00:14 PST 2010
> For some flows, you can also inspect the IPID field
IPID sounds very convincing. However, you said "for some flows". Are
there any flows that we cannot use IPID for this purpose?
> (or I guess timestamps
Do you mean the timestamp in the pcap header? Or are there any other timestamps written by the end hosts which we can obtain from the monitoring point?
> (Note, we're planning for the next Bro release to contain a bunch of
> transport analysis,
When do you expect to release the next Bro?
> including detection of reordering and retransmission.)
I could see some of them in TCPStats_Endpoint and rtt.bro. Is that what you are talking about?