[Bro] using Bro as traffic analyzer.
katrina at csail.mit.edu
Sat Dec 10 19:26:09 PST 2011
> It is possible to determine which retransmissions are legitimately out-of-order and not actual retransmissions, if you have some sense of the round trip time of the connection or other methods. Perhaps Katrina or someone else could chime in and explain this in more detail. I am curious to know as well.
That's the general idea. You can check retransmissions vs. out-of-order (vs. replay packets) by examining the obvious things such as IP IDs and sequence numbers, and then checking the inter-arrival time between the packet in question and the previous packet. If that IAT is less than the minimum RTT you've observed on the connection, then you're likely dealing with either a replay packet or an out-of-order packet (and that distinction can be resolved with sequence numbers and IP IDs).
It is a bit of a pain (one has to keep track of RTTs, what sequence numbers we've seen, etc.), but that's how my analyzer handles it.
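The heuristic described above (compare the inter-arrival time of a below-window segment against the smallest RTT seen on the connection, then use sequence numbers and IP IDs to separate replays from out-of-order delivery) can be sketched as a small per-connection tracker. The Python below is an added illustration written for this thread; it is not Katrina's analyzer and not Bro code. The packet records, the `Pkt`/`DirState`/`ConnTracker` names and the sample trace are all constructed for the example, and the RTT estimate comes only from data segments answered by an ACK in the opposite direction.

```python
"""Classify below-window TCP segments as retransmission, out-of-order, or replay.

Constructed example, not Bro's own code. A "packet" here is a reduced record
(timestamp, direction, IP ID, seq, payload length, ack). Direction "c" is
client->server, "s" is server->client.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Pkt:
    ts: float        # capture timestamp in seconds
    dir: str         # "c" or "s"
    ip_id: int       # IP identification field
    seq: int         # TCP sequence number of first payload byte
    length: int      # payload bytes (0 for a pure ACK)
    ack: int         # acknowledgement number


@dataclass
class DirState:
    next_seq: Optional[int] = None                 # highest seq+len observed
    seen_seq: Set[int] = field(default_factory=set)              # seqs of data segs
    seen: Set[Tuple[int, int]] = field(default_factory=set)      # (seq, ip_id) pairs
    last_ts: Optional[float] = None                # timestamp of previous packet
    unacked: Dict[int, float] = field(default_factory=dict)      # end_seq -> send ts


class ConnTracker:
    """Tracks one TCP connection and labels each data segment."""

    def __init__(self) -> None:
        self.state = {"c": DirState(), "s": DirState()}
        self.min_rtt: Optional[float] = None

    def _update_rtt(self, pkt: Pkt) -> None:
        # An ACK covering an outstanding in-order data segment of the peer
        # yields one RTT sample; keep the minimum (Karn: no samples from
        # retransmitted segments, which we never put into `unacked`).
        peer = self.state["s" if pkt.dir == "c" else "c"]
        for end_seq in sorted(peer.unacked):
            if pkt.ack >= end_seq:
                sample = pkt.ts - peer.unacked.pop(end_seq)
                if self.min_rtt is None or sample < self.min_rtt:
                    self.min_rtt = sample

    def process(self, pkt: Pkt) -> str:
        self._update_rtt(pkt)
        st = self.state[pkt.dir]
        iat = None if st.last_ts is None else pkt.ts - st.last_ts
        st.last_ts = pkt.ts
        if pkt.length == 0:
            return "ack"

        # Is the IAT shorter than any RTT we have measured? If we have no
        # RTT estimate yet, we cannot make that call and fall back on IDs only.
        faster_than_rtt = (iat is not None and self.min_rtt is not None
                           and iat < self.min_rtt)

        if st.next_seq is not None and pkt.seq < st.next_seq:
            # Segment lies below what we have already seen; decide why.
            if pkt.seq in st.seen_seq:
                if (pkt.seq, pkt.ip_id) in st.seen and faster_than_rtt:
                    verdict = "replay"            # identical copy, too fast for the sender
                else:
                    verdict = "retransmission"    # sender re-sent it (new IP ID)
            else:
                # Fills a hole: delayed in transit if it arrives within an RTT,
                # otherwise the original was probably lost before our tap.
                verdict = "out-of-order" if faster_than_rtt else "retransmission"
        else:
            verdict = "in-order"
            st.next_seq = pkt.seq + pkt.length
            st.unacked[st.next_seq] = pkt.ts      # eligible for an RTT sample

        st.seen_seq.add(pkt.seq)
        st.seen.add((pkt.seq, pkt.ip_id))
        return verdict


# Constructed trace: 50 ms RTT, one delayed segment, one network-duplicated
# segment, and one genuine retransmission after the ACK for it was lost.
SAMPLE_TRACE: List[Pkt] = [
    Pkt(0.000, "c", 10, 1, 100, 0),
    Pkt(0.050, "s", 500, 1, 0, 101),      # ACK -> RTT sample 50 ms
    Pkt(0.100, "c", 11, 101, 100, 1),
    Pkt(0.110, "c", 13, 301, 100, 1),     # seq 201 is still in flight
    Pkt(0.115, "c", 12, 201, 100, 1),     # arrives 5 ms later: out-of-order
    Pkt(0.160, "s", 501, 1, 0, 401),
    Pkt(0.200, "c", 14, 401, 100, 1),
    Pkt(0.201, "c", 14, 401, 100, 1),     # same seq AND same IP ID, 1 ms later
    Pkt(0.500, "c", 15, 401, 100, 1),     # new IP ID, 300 ms later
]


def classify_trace(pkts: List[Pkt]) -> List[str]:
    tracker = ConnTracker()
    return [tracker.process(p) for p in pkts]


if __name__ == "__main__":
    for p, label in zip(SAMPLE_TRACE, classify_trace(SAMPLE_TRACE)):
        print(f"{p.ts:6.3f} {p.dir} id={p.ip_id:<4} seq={p.seq:<4} {label}")
```

The state kept per direction is exactly the bookkeeping the post calls a pain: observed sequence numbers, (seq, IP ID) pairs, the previous timestamp, and outstanding segments for RTT sampling. A real analyzer would also expire the `seen` sets as the window advances and handle sequence-number wraparound.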