[Bro-Dev] TCP Reassembler question

Gregor Maier gregor at icir.org
Sun Dec 19 09:21:04 PST 2010


Hi,

I have some questions regarding the TCP reassembler. I have a midstream
NFS connection (i.e., no handshake) with tons of data. The NFS analyzer can
handle gaps and partial connections, however it seems that there are some content
gaps and that the TCP Reassembler doesn't recover from them.

* When I look at the packet level, I see data packets all the time, but
  the analyzer's DeliverStreams stops being called somewhere half
  through the trace.

* I don't get any calls to Undelivered() either (actually I get some,
  at the very end of the trace, but the delivery stops way way earlier).

* I *don't* get content_gap and ack above hole messages,
  because the connection doesn't have a handshake. Can I force that
  somehow? (So that I can debug where the gaps happen.)

* What's the Reassembler's default / intended behavior wrt gaps in
  partial connections? Are there any policy-level settings I can tweak?


cu
gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
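As an added illustration (not part of Gregor's message and not Bro's own TCP_Reassembler code), the following simplified one-direction reassembler models the behaviour the questions circle around: a stream picked up midstream with no handshake, in-order delivery of contiguous bytes, buffering of segments that arrive above a hole, and a content gap that is only reported once the peer's ACK covers bytes above the hole. The class, the `replay` helper and the two traces are constructed for this example; the trace shows why, without an ACK above the hole, delivery simply stalls and nothing is reported as undelivered.

```python
"""Simplified one-direction TCP stream reassembler (constructed illustration).

This is an added example, not Bro's TCP_Reassembler. It models a stream
picked up midstream (no SYN seen), in-order delivery of contiguous data,
buffering of out-of-order segments, and a content gap that is reported only
once the peer's ACK acknowledges bytes above the hole.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Reassembler:
    # Next byte offset expected for in-order delivery; None until the first segment.
    next_seq: Optional[int] = None
    # Out-of-order segments waiting for the hole in front of them to be filled.
    pending: Dict[int, bytes] = field(default_factory=dict)
    # Payloads handed to the analyzer (stands in for DeliverStream calls).
    delivered: List[bytes] = field(default_factory=list)
    # Holes skipped over as (seq, length) (stands in for Undelivered calls).
    gaps: List[Tuple[int, int]] = field(default_factory=list)

    def segment(self, seq: int, payload: bytes) -> None:
        """Accept one data segment seen in this direction."""
        if not payload:
            return
        if self.next_seq is None:
            # Midstream start: there is no SYN to anchor on, so the first
            # data byte seen becomes the start of the stream.
            self.next_seq = seq
        if seq + len(payload) <= self.next_seq:
            return  # pure retransmission of data already delivered
        self.pending[seq] = payload
        self._drain()

    def ack(self, ack_seq: int) -> None:
        """Process the peer's ACK. Acknowledged bytes we never captured form a gap."""
        if self.next_seq is None or ack_seq <= self.next_seq:
            return
        while True:
            self._drain()
            if self.next_seq >= ack_seq:
                break
            # Nothing buffered covers next_seq, yet the peer acknowledged past it:
            # the hole ends at the next buffered segment or at ack_seq.
            hole_end = min([s for s in self.pending if s > self.next_seq] + [ack_seq])
            self.gaps.append((self.next_seq, hole_end - self.next_seq))
            self.next_seq = hole_end

    def _drain(self) -> None:
        """Deliver every buffered byte that is contiguous with next_seq."""
        while True:
            hit = None
            for start, data in self.pending.items():
                if start <= self.next_seq < start + len(data):
                    hit = (start, data)
                    break
            if hit is None:
                break
            start, data = hit
            # Trim any prefix overlapping bytes that were already delivered.
            self.delivered.append(data[self.next_seq - start:])
            self.next_seq = start + len(data)
            # Drop buffered segments now entirely behind the cursor.
            self.pending = {s: d for s, d in self.pending.items()
                            if s + len(d) > self.next_seq}


def replay(events) -> Reassembler:
    """Feed ("data", seq, payload) / ("ack", ack_seq) events in capture order."""
    r = Reassembler()
    for ev in events:
        if ev[0] == "data":
            r.segment(ev[1], ev[2])
        else:
            r.ack(ev[1])
    return r


# Constructed trace: capture starts mid-connection at seq 1000, the 4-byte
# segment covering 1008..1011 is never seen, and the peer later ACKs 1016.
TRACE_WITH_ACK = [
    ("data", 1000, b"AAAA"),
    ("data", 1004, b"BBBB"),
    ("data", 1004, b"BBBB"),   # retransmission, must be ignored
    ("data", 1012, b"DDDD"),   # arrives above the hole, stays buffered
    ("ack", 1016),             # peer has everything below 1016: hole is permanent
    ("data", 1016, b"EEEE"),
]

# Same trace without the peer's ACK: nothing tells the reassembler the hole
# will never be filled, so delivery stalls at the hole and no gap is reported.
TRACE_NO_ACK = [e for e in TRACE_WITH_ACK if e[0] != "ack"]


if __name__ == "__main__":
    for name, trace in (("with ack", TRACE_WITH_ACK), ("no ack", TRACE_NO_ACK)):
        r = replay(trace)
        print(name, "delivered:", r.delivered, "gaps:", r.gaps)
```

Replaying `TRACE_WITH_ACK` delivers the four captured segments and records one gap of 4 bytes at 1008; replaying `TRACE_NO_ACK` delivers only the first two segments and records no gap, leaving the later segments buffered indefinitely. That second outcome is the one to keep in mind when an analyzer's delivery callbacks go quiet on a one-sided or ACK-less capture.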
