nweaver at ICSI.Berkeley.EDU
Mon Jul 7 08:39:11 PDT 2014
On Jul 7, 2014, at 8:34 AM, Siwek, Jon <jsiwek at illinois.edu> wrote:
>> Is it because the data has already been ACKed and therefore the reassembler is no longer keeping track of the data?
> Probably, but didn’t look close at the particular trace you gave — if it has been ACK’d, I don’t expect the reassembler to keep that data around and so can’t compare with the contents of a future overlapping segment.
Yes it has. In this case, the injector in my test is very close to the client, but the server is far away, so the ACK and FIN appear from the client before the real packet from the server.
Nicholas Weaver it is a tale, told by an idiot,
nweaver at icsi.berkeley.edu full of sound and fury,
510-666-2903 .signifying nothing
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140707/e66560b1/attachment.bin
More information about the Bro