[Bro] TCP segment retransmission v.s. segment out-of-order

William Jones jones at tacc.utexas.edu
Wed Nov 10 09:01:22 PST 2010

Take a look at tcptrace, http://www.tcptrace.org, it reliably detects retransmits.

Bill Jones 

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Vern Paxson
Sent: Wednesday, November 10, 2010 10:48 AM
To: juhoon at net.t-labs.tu-berlin.de
Cc: bro at bro-ids.org
Subject: Re: [Bro] TCP segment retransmission v.s. segment out-of-order

> IPID sounds very convincing. However, you said "for some flows". Is
> there any flows that we cannot use IPID for this purpose?

Right.  Some OSes randomize IPID or set it to 0 (for packets sent with DF),
which renders the trick unusable.

> > (or I guess timestamps
> Do you mean the timestamp in the pcap header? or is there any other
> timestamps written from the end hosts which we can obtain from monitoring
> point?

TCP timestamps, negotiated for some connections.  Again, not always doable.
Plus, the timestamp format is not standardized.

> > (Note, we're planning for the next Bro release to contain a bunch of
> > transport analysis,
> When do you expect to release next Bro? 

We don't have a target date yet.  It's a good ways off.

> I could see some of them in TCPStats_Endpoint and rtt.bro. Is that what
> you are talking about?

Yes.  Currently just in a branch.
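As an added illustration of the two heuristics discussed in this thread (this is example code written for this page, not code from Bro, tcptrace, or either poster), here is a small Python classifier. Given the segments already captured from one endpoint, it decides whether a segment arriving with an already-covered sequence number was retransmitted (sent again after the higher-sequence data) or merely reordered in the network (sent before that data and delayed). The IPID ordering test is only applied when the sender looks like it uses an incrementing counter; the 1024-ID window used for that check, the `Segment` record, and the sample segments are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    seq: int               # TCP sequence number of the first byte
    ipid: int              # IP identification field
    df: bool               # IP Don't-Fragment flag
    tsval: Optional[int]   # TCP timestamp option value, None if absent


def signed_delta(a: int, b: int, bits: int) -> int:
    """a - b for counters that wrap at 2**bits, mapped to a signed value.

    Positive means a is 'ahead of' b in counter order, negative 'behind'."""
    d = (a - b) % (1 << bits)
    return d - (1 << bits) if d >= (1 << (bits - 1)) else d


def ipid_counter_usable(segs: List[Segment], window: int = 1024) -> bool:
    """IPID order only carries meaning when the sender increments a counter.

    Two disqualifiers, as discussed in the thread: DF packets carrying IPID 0,
    and IPIDs that do not cluster (randomized IDs).  The cluster window of
    1024 is an assumption of this example, not a standard value."""
    if any(s.df and s.ipid == 0 for s in segs):
        return False
    ref = segs[0].ipid
    return all(abs(signed_delta(s.ipid, ref, 16)) <= window for s in segs)


def order_verdict(delta: int) -> str:
    """Map 'sent after / before / same tick' onto the thread's two cases."""
    if delta > 0:
        return "retransmission"   # sent after the higher-sequence data
    if delta < 0:
        return "reordered"        # sent before it, delayed in the network
    return "ambiguous"


def classify(seg: Segment, history: List[Segment]) -> dict:
    """history: segments already seen from the same endpoint, in capture order."""
    later = [h for h in history if signed_delta(h.seq, seg.seq, 32) > 0]
    if not later:
        return {"late": False, "ipid": None, "tsval": None, "verdict": "in-order"}
    ref = later[0]   # first-captured segment that carries higher data than seg

    verdict_ipid = None
    if ipid_counter_usable(history + [seg]):
        verdict_ipid = order_verdict(signed_delta(seg.ipid, ref.ipid, 16))

    verdict_ts = None
    if seg.tsval is not None and ref.tsval is not None:
        # Only the order of TSval is compared, never its units: the tick rate
        # is host specific, but TSval must be non-decreasing per sender.
        verdict_ts = order_verdict(signed_delta(seg.tsval, ref.tsval, 32))

    decisive = {v for v in (verdict_ipid, verdict_ts) if v in ("retransmission", "reordered")}
    if not decisive:
        verdict = "ambiguous"
    elif len(decisive) == 1:
        verdict = decisive.pop()
    else:
        verdict = "conflict"       # the two heuristics disagree; do not trust either
    return {"late": True, "ipid": verdict_ipid, "tsval": verdict_ts, "verdict": verdict}


# Constructed sample data (not a real capture): a sender with an incrementing
# IPID counter and TCP timestamps, three segments seen in order.
HOST = [Segment(seq=1000, ipid=100, df=True, tsval=50),
        Segment(seq=2000, ipid=101, df=True, tsval=51),
        Segment(seq=3000, ipid=102, df=True, tsval=52)]

# 1) seq 2000 shows up again; IPID and TSval are both ahead of seq 3000's.
RETRANS = Segment(seq=2000, ipid=105, df=True, tsval=60)
# 2) seq 2000 is captured after 3000 but its IPID/TSval sit before 3000's.
REORDERED_HISTORY = [HOST[0], HOST[2]]
REORDERED = HOST[1]
# 3) a sender that puts IPID 0 on DF packets: only the timestamp can decide.
ZERO_HISTORY = [Segment(seq=1000, ipid=0, df=True, tsval=50),
                Segment(seq=2000, ipid=0, df=True, tsval=52)]
ZERO_RETRANS = Segment(seq=1000, ipid=0, df=True, tsval=70)

if __name__ == "__main__":
    for name, seg, hist in [("retransmission", RETRANS, HOST),
                            ("reordered", REORDERED, REORDERED_HISTORY),
                            ("ipid=0", ZERO_RETRANS, ZERO_HISTORY)]:
        print(name, classify(seg, hist))
```

Both heuristics fail exactly where the thread says they do: a randomized or zeroed IPID makes `ipid_counter_usable` return False, a connection without the timestamp option leaves `verdict_ts` empty, and two segments stamped in the same timestamp tick are reported as ambiguous rather than guessed.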
