[Bro-Dev] $history extensions - zero windows, logarithmic counts

Michał Purzyński michalpurzynski1 at gmail.com
Fri Jun 15 11:15:59 PDT 2018


I really like those ideas, especially the logarithmic count.

How much would it cost to have an event fired when those thresholds are crossed?

> On Jun 15, 2018, at 10:41 AM, Vern Paxson <vern at corelight.com> wrote:
> 
> I'm working on two enhancements to the $history tracking for connections
> that I thought I'd tee up for comments.
> 
> (1) A new history element, 'W'/'w', which means that a TCP receiver
>    advertised a zero window, indicating that the corresponding process
>    was unable to keep up with the incoming data.  (This element is omitted
>    in cases where zero windows aren't problematic: initial SYNs, and after
>    FINs or RSTs.)
> 
> (2) A notion of "logarithmic counts" for history events: for certain
>    events ('C' = checksum, 'T' = retransmission, and 'W' = zero window)
>    the count is repeated on the 10th/100th/1000th/etc. occurrence.  So a
>    history value of 'ttt' means that the responder sent somewhere between
>    100 and 999 retransmissions.  This is useful because for large
>    connections, a single checksum error, retransmission, or zero window
>    is much less significant for analyzing performance issues than a whole
>    bunch of these.
> 
> Comments?
> 
>        Vern
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
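To make the proposed encoding concrete, here is a small decoder for the logarithmic-count scheme Vern describes, written as an added example for this thread; it is not code from Bro or from either poster. It assumes only what the message states: for 'C', 'T' and 'W' the letter is repeated on the 10th, 100th, 1000th, etc. occurrence, so n repetitions place the true count in the range [10^(n-1), 10^n - 1], and uppercase means originator while lowercase means responder. The sample history strings are constructed, not taken from a real conn.log. The `exceeds` helper shows how Michał's threshold question could be answered after the fact from the history field alone: a threshold is known to be crossed only when the lower bound of the decoded range reaches it.

```python
from collections import Counter

# Letters that use logarithmic counts under the proposal:
# C = bad checksum, T = retransmission, W = zero window.
# Uppercase = originator side, lowercase = responder side.
LOG_COUNT_LETTERS = set("CTW")
EVENT_NAMES = {"C": "bad checksum", "T": "retransmission", "W": "zero window"}


def decode_history(history: str) -> dict:
    """Map each log-counted letter in a $history string to the (lo, hi)
    range of event counts it implies.  One occurrence means 1-9 events,
    two mean 10-99, three mean 100-999, and so on."""
    counts = Counter(ch for ch in history if ch.upper() in LOG_COUNT_LETTERS)
    return {letter: (10 ** (n - 1), 10 ** n - 1) for letter, n in counts.items()}


def describe(history: str) -> list:
    """Human-readable summary, one line per log-counted letter present."""
    lines = []
    for letter, (lo, hi) in sorted(decode_history(history).items()):
        side = "originator" if letter.isupper() else "responder"
        lines.append(f"{side}: {lo}-{hi} {EVENT_NAMES[letter.upper()]}s")
    return lines


def exceeds(history: str, letter: str, threshold: int) -> bool:
    """True only when the history proves at least `threshold` events of
    `letter` occurred, i.e. the lower bound of the decoded range reaches it.
    Because the encoding is coarse, a count of 150 'ttt' retransmissions
    cannot be distinguished from 999, so this check is deliberately
    conservative."""
    lo, _ = decode_history(history).get(letter, (0, 0))
    return lo >= threshold


# Constructed sample histories in the style of Bro's conn.log $history field.
SAMPLES = [
    "ShADadttt",      # responder sent 100-999 retransmissions
    "ShADadfF",       # clean connection, no counted events
    "ShADWWadfF",     # originator advertised a zero window 10-99 times
    "ShADaCCCCdfF",   # originator sent 1000-9999 bad checksums
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", describe(h) or ["no counted events"])
```

Reading a conn.log this way gives an order-of-magnitude view of how troubled a connection was without adding new fields, which is the point of the proposal; an event fired at the moment a threshold is crossed would need the live counter inside the connection state, not the encoded string.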
