[Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue

Vern Paxson (JIRA) jira at bro-tracker.atlassian.net
Fri Feb 27 23:01:03 PST 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19804#comment-19804 ] 

Vern Paxson commented on BIT-1255:
----------------------------------

That behavior is to not chew up tons of buffer when asymmetric routing leads to not seeing any acks.  *However* I'm finding that modern traffic not infrequently is using much larger initial windows such that indeed there's routinely > 4KB of data at the beginning of a flow without any acknowledgments.  I think this value needs to be cranked to at least 16KB lest a lot of routine traffic goes unanalyzed.

> TCP reassembly issue
> --------------------
>
>                 Key: BIT-1255
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1255
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI).

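A constructed Python model of the failure mode discussed in this thread, added here as an illustration (it is not Bro's reassembler; the class and function names, the 4096/16384-byte caps and the segment sizes are assumptions): a reassembler that stops buffering once the data outstanding beyond the last ACK exceeds a fixed cap truncates a flow whose initial window is larger than that cap, so a file carried in the flow is seen only as a prefix and its hash no longer matches.

```python
import hashlib

class Reassembler:
    """Toy TCP stream reassembler that refuses to buffer more than max_unacked
    bytes past the last ACK it has seen (constructed model, not Bro's code)."""

    def __init__(self, isn, max_unacked):
        self.next_seq = isn         # next in-order byte we expect
        self.acked_seq = isn        # highest sequence number ACKed by the receiver
        self.max_unacked = max_unacked
        self.pending = {}           # out-of-order segments waiting: seq -> payload
        self.data = bytearray()     # payload delivered in order to the analyzer
        self.gave_up = False        # set once the unacked cap is exceeded

    def segment(self, seq, payload):
        """Feed one data segment; seq is the sequence number of its first byte."""
        if self.gave_up or not payload:
            return
        # The cap: a segment reaching further than max_unacked beyond the last
        # ACK is dropped and reassembly of the stream stops, which is the gap
        # the comment above describes for flows with large initial windows.
        if seq + len(payload) - self.acked_seq > self.max_unacked:
            self.gave_up = True
            return
        self.pending[seq] = payload
        while self.next_seq in self.pending:     # drain contiguous data
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)

    def ack(self, ack_seq):
        """Record an ACK from the receiving side."""
        self.acked_seq = max(self.acked_seq, ack_seq)


def simulate(max_unacked, mss=1460, segments=10, isn=1000):
    """Replay a constructed burst of `segments` full-size segments sent in the
    initial window, slightly out of order, before any ACK is seen.
    Returns (bytes reassembled, whether the MD5 of that data matches the file)."""
    payload = (bytes(range(256)) * (mss * segments // 256 + 1))[:mss * segments]
    r = Reassembler(isn, max_unacked)
    order = list(range(segments))
    order[1], order[2] = order[2], order[1]  # the "messy but valid" reordering
    for i in order:
        r.segment(isn + i * mss, payload[i * mss:(i + 1) * mss])
    r.ack(isn + segments * mss)              # the ACK arrives only after the burst
    full_md5 = hashlib.md5(payload).hexdigest()
    return len(r.data), hashlib.md5(bytes(r.data)).hexdigest() == full_md5
```

With a 4096-byte cap the 14600-byte burst is cut off after the first segment and the hash is wrong; with a 16384-byte cap the whole file is reassembled and the hash matches.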