[Bro] using Bro as traffic analyzer.

Readon Shaw xydarcher at 163.com
Fri Dec 9 23:29:03 PST 2011

>Correct me if I am wrong Matthias.
>Bro can do most of what you are looking for out of the box. Sampling the
>round-trip time of the three-way handshake is doable at scripting level.
>You can get bro to output the retransmission data through the tcp_rexmit
>event. It does not give detailed information about how the data was
>retransmitted but will tell you how many bytes were retransmitted and how
>much data was outstanding when the retransmission occurred.
>That should be sufficient for what you are looking for.
I checked the code of tcp_rexmit event in TCP.cc. 
It seems that the event was processed with max_top_seq.
There are two issues should be considered.
1. how can i distinguish tcp_retrasmission caused by packet loss & out of order?
2. if the retransmission occurs when handshaking, would it be correctly triggered?

>If you need more detailed information, I am currently working on an
>analyzer for Bro that attempts to give more detailed information about the
>retransmission behavior of a TCP connection as part of on-going research.
>However, It is not in a state that is ready for release.
