[Bro] TCP segment retransmission vs. segment out-of-order
vern at icir.org
Wed Nov 10 08:48:12 PST 2010
> IPID sounds very convincing. However, you said "for some flows". Are
> there any flows that we cannot use IPID for this purpose?
Right. Some OSes randomize IPID or set it to 0 (for packets sent with DF),
which renders the trick unusable.
> > (or I guess timestamps
> Do you mean the timestamp in the pcap header? Or are there any other
> timestamps written by the end hosts which we can obtain from monitoring
TCP timestamps, negotiated for some connections. Again, not always doable.
Plus, the timestamp format is not standardized.
> > (Note, we're planning for the next Bro release to contain a bunch of
> > transport analysis,
> When do you expect to release next Bro?
We don't have a target date yet. It's a good ways off.
> I could see some of them in TCPStats_Endpoint and rtt.bro. Is that what
> you are talking about?
Yes. Currently just in a branch.
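The two heuristics discussed in this thread, as an added Python example that is not Bro's own TCPStats code: a passive per-direction tracker that labels a segment arriving behind the furthest sequence number already seen as a retransmission (it was sent after the packets already captured, so its TSval and, on counter-based stacks, its IPID are newer) or as a reordered late arrival (older values), and reports "ambiguous" when the IPID is zero or no timestamp option is present. Segment values and the `Segment` class are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Segment:
    seq: int                      # sequence number of first payload byte
    length: int                   # payload length in bytes
    ipid: int                     # IP identification field (16 bits)
    tsval: Optional[int] = None   # TCP timestamp TSval, if the option was negotiated

def counter_after(new: int, ref: int, bits: int) -> bool:
    """True if modular counter value `new` is strictly later than `ref` (wrap-safe)."""
    mask = (1 << bits) - 1
    return 0 < ((new - ref) & mask) < (1 << (bits - 1))

class DirectionState:
    """Tracks one direction of a TCP flow as seen by a passive monitor."""
    def __init__(self, ipid_usable: bool = True):
        self.next_seq: Optional[int] = None   # byte just past the furthest segment seen
        self.last_ipid: Optional[int] = None  # IPID of the most recently captured packet
        self.last_tsval: Optional[int] = None # TSval of the most recently captured packet
        self.ipid_usable = ipid_usable        # caller passes False for hosts known to randomize IPID

    def observe(self, seg: Segment) -> str:
        verdict = "in-order"
        if self.next_seq is not None and counter_after(self.next_seq, seg.seq, 32):
            verdict = self._behind(seg)      # segment starts behind what we already saw
        if seg.ipid == 0:                    # zero IPID (e.g. DF packets on some OSes): counter trick is off
            self.ipid_usable = False
        end = (seg.seq + seg.length) & 0xFFFFFFFF
        if self.next_seq is None or counter_after(end, self.next_seq, 32):
            self.next_seq = end
        self.last_ipid = seg.ipid
        if seg.tsval is not None:
            self.last_tsval = seg.tsval
        return verdict

    def _behind(self, seg: Segment) -> str:
        # Retransmission: sent after the packets already captured, so TSval/IPID are newer.
        # Out-of-order: sent before them, so TSval/IPID are older.
        if seg.tsval is not None and self.last_tsval is not None:
            if counter_after(seg.tsval, self.last_tsval, 32):
                return "retransmission"
            if counter_after(self.last_tsval, seg.tsval, 32):
                return "out-of-order"
            # equal TSval: timestamp clock too coarse to decide, fall through to IPID
        if self.ipid_usable and seg.ipid != 0 and self.last_ipid is not None:
            return "retransmission" if counter_after(seg.ipid, self.last_ipid, 16) else "out-of-order"
        return "ambiguous"

def classify(segments: List[Segment], ipid_usable: bool = True) -> List[str]:
    """Feed one direction's segments through the tracker; return a verdict per segment."""
    state = DirectionState(ipid_usable)
    return [state.observe(s) for s in segments]
```

Equal TSvals and randomized IPIDs both fall into the ambiguous bucket, which is the "not always doable" case the reply describes.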