[Bro-Dev] TCP Reassembler question
Gregor Maier
gregor at icir.org
Sun Dec 19 09:21:04 PST 2010
Hi,
I have some questions regarding the TCP reassembler. I have a midstream NFS connection (i.e., no handshake) with tons of data. The NFS analyzer can handle gaps and partial connections; however, it seems that there are some content gaps and that the TCP Reassembler doesn't recover from them.
* When I look at the packet level, I see data packets all the time, but the analyzer's DeliverStream stops being called somewhere halfway through the trace.
* I don't get any calls to Undelivered() either (actually I get some, at the very end of the trace, but the delivery stops way, way earlier).
* I *don't* get content_gap and ack_above_hole messages, because the connection doesn't have a handshake. Can I force that somehow? (So that I can debug where the gaps happen.)
* What's the Reassembler's default / intended behavior wrt gaps in partial connections? Are there any policy-level settings I can tweak?
cu
gregor
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA