[Bro-Dev] $history extensions - zero windows, logarithmic counts
michalpurzynski1 at gmail.com
Fri Jun 15 11:15:59 PDT 2018
I really like those ideas, especially the logarithmic count.
How much would it cost to have an event fired when those thresholds are crossed?
> On Jun 15, 2018, at 10:41 AM, Vern Paxson <vern at corelight.com> wrote:
> I'm working on two enhancements to the $history tracking for connections
> that thought I'd tee them up for comments.
> (1) A new history element, 'W'/'w', which means that a TCP receiver
> advertised a zero window, indicating that the corresponding process
> was unable to keep up with the incoming data. (This element is omitted
> in cases where zero windows aren't problematic: initial SYNs, and after
> FINs or RSTs.)
> (2) A notion of "logarithmic counts" for history events: for certain
> events ('C' = checksum, 'T' = retransmission, and 'W' = zero window)
> the count is repeated on the 10th/100th/1000th/etc. occurrence. So a
> history value of 'ttt' means that the responder sent somewhere between
> 100 and 999 retransmissions. This is useful because for large
> connections, a single checksum error, retransmission, or zero window
> is much less significant for analyzing performance issues than a whole
> bunch of these.
> bro-dev mailing list
> bro-dev at bro.org
More information about the bro-dev