[Bro] rexmit_inconsistency?

Nicholas Weaver nweaver at ICSI.Berkeley.EDU
Mon Jul 7 08:39:11 PDT 2014

On Jul 7, 2014, at 8:34 AM, Siwek, Jon <jsiwek at illinois.edu> wrote:
>> Is it because the data has already been ACKed and therefore the reassembler is no longer keeping track of the data?
> Probably, but didn’t look close at the particular trace you gave — if it has been ACK’d, I don’t expect the reassembler to keep that data around and so can’t compare with the contents of a future overlapping segment.

Yes it has.  In this case, the injector in my test is very close to the client, but the server is far away, so the ACK and FIN appear from the client before the real packet from the server.

Nicholas Weaver                  it is a tale, told by an idiot,
nweaver at icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140707/e66560b1/attachment.bin 

More information about the Bro mailing list