[Bro] TCP segment retransmission v.s. segment out-of-order
jones at tacc.utexas.edu
Wed Nov 10 09:01:22 PST 2010
Take a look at tcptrace, http://www.tcptrace.org, it reliably detects retransmits.
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Vern Paxson
Sent: Wednesday, November 10, 2010 10:48 AM
To: juhoon at net.t-labs.tu-berlin.de
Cc: bro at bro-ids.org
Subject: Re: [Bro] TCP segment retransmission v.s. segment out-of-order
> IPID sounds very convincing. However, you said "for some flows". Are
> there any flows that we cannot use IPID for this purpose?
Right. Some OSes randomize IPID or set it to 0 (for packets sent with DF),
which renders the trick unusable.
> > (or I guess timestamps
> Do you mean the timestamp in the pcap header? Or are there any other
> timestamps written by the end hosts which we can obtain from monitoring
TCP timestamps, negotiated for some connections. Again, not always doable.
Plus, the timestamp format is not standardized.
> > (Note, we're planning for the next Bro release to contain a bunch of
> > transport analysis,
> When do you expect to release the next Bro?
We don't have a target date yet. It's a good ways off.
> I could see some of them in TCPStats_Endpoint and rtt.bro. Is that what
> you are talking about?
Yes. Currently just in a branch.
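The IPID trick discussed above, with the TCP-timestamp (TSval) fallback, as an added example that is not code from Bro or from either poster: it labels segments that fall below the high sequence mark as retransmission or reordering, and declines to use IPID when the sender zeroes or does not increment it. The Segment type, the helper names and the sample segments are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Segment:
    seq: int                     # TCP sequence number of the first payload byte
    length: int                  # payload bytes
    ip_id: int                   # IPv4 Identification; 0 when the sender zeroes it (DF set)
    tsval: Optional[int] = None  # TCP timestamp option TSval, None if not negotiated

def later(a: int, b: int, bits: int) -> bool:
    """True if counter value a was generated after b, tolerating wraparound."""
    return a != b and ((a - b) & ((1 << bits) - 1)) < (1 << (bits - 1))

def ip_id_usable(segments: List[Segment]) -> bool:
    """The caveat from the thread: IPID only helps if the sender increments it per packet.
    Segments that advanced the sequence space were sent in the order seen, so check them."""
    prev, high = None, None
    for s in segments:
        if high is None or s.seq + s.length > high:
            if s.ip_id == 0 or (prev is not None and not later(s.ip_id, prev, 16)):
                return False
            prev, high = s.ip_id, s.seq + s.length
    return prev is not None

def classify(segments: List[Segment]) -> List[str]:
    """One label per segment: in-order, retransmission, reordering or unknown."""
    use_ipid = ip_id_usable(segments)
    labels, high, ref = [], None, None      # ref: segment that last advanced high
    for s in segments:
        if high is None or s.seq + s.length > high:
            labels.append("in-order")
            high, ref = s.seq + s.length, s
        elif use_ipid:   # sent after the segment that set the high mark => re-sent
            labels.append("retransmission" if later(s.ip_id, ref.ip_id, 16) else "reordering")
        elif s.tsval is not None and ref.tsval is not None:
            labels.append("retransmission" if later(s.tsval, ref.tsval, 32) else "reordering")
        else:
            labels.append("unknown")
    return labels

# Constructed samples: one direction of one connection, 100-byte segments.
SAMPLE_IPID = [Segment(1000, 100, 0x10), Segment(1200, 100, 0x12),
               Segment(1100, 100, 0x11),   # lower IPID than the 1200 segment: delayed
               Segment(1300, 100, 0x13),
               Segment(1200, 100, 0x14)]   # higher IPID: the sender re-sent it
SAMPLE_TSVAL = [Segment(1000, 100, 0, tsval=500), Segment(1200, 100, 0, tsval=510),
                Segment(1100, 100, 0, tsval=505),   # IPID zeroed; earlier TSval: delayed
                Segment(1200, 100, 0, tsval=700)]   # later TSval: re-sent
```

The monotonicity check is a heuristic: a randomized IPID can pass it by chance on a short flow, so a monitor should require more than a couple of in-order segments before trusting it.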