[Bro-Dev] $history extensions - zero windows, logarithmic counts
Vern Paxson
vern at corelight.com
Fri Jun 15 10:41:40 PDT 2018
I'm working on two enhancements to the $history tracking for connections
that thought I'd tee them up for comments.
(1) A new history element, 'W'/'w', which means that a TCP receiver
advertised a zero window, indicating that the corresponding process
was unable to keep up with the incoming data. (This element is omitted
in cases where zero windows aren't problematic: initial SYNs, and after
FINs or RSTs.)
(2) A notion of "logarithmic counts" for history events: for certain
events ('C' = checksum, 'T' = retransmission, and 'W' = zero window)
the count is repeated on the 10th/100th/1000th/etc. occurrence. So a
history value of 'ttt' means that the responder sent somewhere between
100 and 999 retransmissions. This is useful because for large
connections, a single checksum error, retransmission, or zero window
is much less significant for analyzing performance issues than a whole
bunch of these.
Comments?
Vern
More information about the bro-dev
mailing list