[Bro-Dev] TCP RTT estimation
Katrina LaCurts
katrina at csail.mit.edu
Wed Dec 1 12:15:14 PST 2010
Juhoon, this is one of the reasons why I recommended the handshake_sum_estimate event in my branch. It essentially does what you want to do, but just on TCP handshakes. That's because with the handshake we can easily figure out what segment (b) is (it's the ACK to the SYN-ACK). As Vern pointed out, determining (b) is tough in general.
Katrina
On Dec 1, 2010, at 1:31 PM, Vern Paxson wrote:
>> [Sender] [Monitor]-------------(a)------>[Receiver]
>> [Sender]<-------[Monitor]<--------ack-of-(a)----[Receiver]
>> [Sender]--(b)-->[Monitor]
>>
>> I thought that the acknowledgement number of the second component
>> (ack-of-a) is always the same as the sequence number of the next
>> segment (b). That is how I wanted to identify the segment (b).
>
> No, instead seq-of-b will be seq-of-a's-ack *plus* the congestion window.
> This is where it gets hard.
>
> Vern
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
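The handshake case discussed in this thread, as an added example that is not code from the original post or from the branch it mentions: at the monitor, segment (b) is the ACK whose acknowledgement number is the responder's initial sequence number plus one, and the two half-RTTs are summed. The Pkt record, the handshake_rtt function and the sample trace are constructed for illustration. Handshakes with a retransmitted SYN or SYN-ACK are discarded, since the reply cannot be matched to one transmission.

```python
from collections import namedtuple

# Constructed packet record as seen at the monitor (not a Bro data structure).
Pkt = namedtuple("Pkt", "ts src dst flags seq ack")

def handshake_rtt(packets):
    """Return {(orig, resp): (monitor_to_resp, monitor_to_orig, total)} in seconds."""
    state, result = {}, {}
    for p in packets:
        if p.flags == "S":                          # SYN: originator -> responder
            key = (p.src, p.dst)
            if key in state:                        # retransmitted SYN: sample is
                state[key]["ambiguous"] = True      # ambiguous, mark it unusable
            else:
                state[key] = {"t_syn": p.ts, "isn": p.seq, "ambiguous": False}
        elif p.flags == "SA":                       # SYN-ACK: responder -> originator
            st = state.get((p.dst, p.src))
            if st is None or p.ack != (st["isn"] + 1) % 2**32:
                continue
            if "t_synack" in st:                    # retransmitted SYN-ACK
                st["ambiguous"] = True
            else:
                st["t_synack"], st["isn_resp"] = p.ts, p.seq
        elif p.flags == "A":                        # candidate for segment (b)
            key = (p.src, p.dst)
            st = state.get(key)
            # (b) acknowledges the SYN-ACK: ack == responder ISN + 1 (mod 2^32)
            if st is None or "t_synack" not in st or p.ack != (st["isn_resp"] + 1) % 2**32:
                continue
            del state[key]
            if not st["ambiguous"]:
                to_resp = st["t_synack"] - st["t_syn"]   # monitor <-> responder
                to_orig = p.ts - st["t_synack"]          # monitor <-> originator
                result[key] = (to_resp, to_orig, to_resp + to_orig)
    return result

# Constructed sample trace: one clean handshake, one with a retransmitted SYN
# whose initial sequence number wraps around 2^32.
SAMPLE = [
    Pkt(0.000, "10.0.0.1:4000", "10.0.0.2:80", "S", 1000, 0),
    Pkt(0.030, "10.0.0.2:80", "10.0.0.1:4000", "SA", 5000, 1001),
    Pkt(0.040, "10.0.0.1:4000", "10.0.0.2:80", "A", 1001, 5001),
    Pkt(1.000, "10.0.0.3:4001", "10.0.0.2:80", "S", 2**32 - 1, 0),
    Pkt(4.000, "10.0.0.3:4001", "10.0.0.2:80", "S", 2**32 - 1, 0),
    Pkt(4.020, "10.0.0.2:80", "10.0.0.3:4001", "SA", 7000, 0),
    Pkt(4.025, "10.0.0.3:4001", "10.0.0.2:80", "A", 0, 7001),
]

if __name__ == "__main__":
    print(handshake_rtt(SAMPLE))
```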