[Bro-Dev] $history extensions - zero windows, logarithmic counts
Johanna Amann
johanna at icir.org
Fri Jun 15 11:42:54 PDT 2018
I think I like these, the only small concern I have is...
> (2) A notion of "logarithmic counts" for history events: for certain
> events ('C' = checksum, 'T' = retransmission, and 'W' = zero window)
> the count is repeated on the 10th/100th/1000th/etc. occurrence. So a
> history value of 'ttt' means that the responder sent somewhere between
> 100 and 999 retransmissions. This is useful because for large
> connections, a single checksum error, retransmission, or zero window
> is much less significant for analyzing performance issues than a whole
> bunch of these.
Here we will not have cases where some repetitions are logarithmic, and
some (like for R) are not. I guess that makes sense, but I can see it
potentially being confusing.
Johanna
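The logarithmic counting quoted above, as an added Python sketch that is not code from this thread or from Bro. The function names are hypothetical, and it assumes Bro's usual history convention (uppercase for the originator, lowercase for the responder) and that a letter's repetitions need not be adjacent in the string.

```python
from collections import Counter

# Letters the proposal counts logarithmically:
# c = checksum, t = retransmission, w = zero window.
LOG_LETTERS = "ctw"

def record(history, seen, letter):
    """Encoder side: count one event and append its letter only on the
    1st, 10th, 100th, ... occurrence. `seen` maps letter -> running count
    (case is kept, so each direction is counted separately)."""
    seen[letter] = seen.get(letter, 0) + 1
    n = seen[letter]
    while n % 10 == 0:      # strip trailing zeros: 10, 100, 1000 -> 1
        n //= 10
    return history + letter if n == 1 else history

def simulate(base, events):
    """Feed a sequence of event letters through record(), starting from
    an existing history string such as 'ShADad'."""
    history, seen = base, {}
    for letter in events:
        history = record(history, seen, letter)
    return history

def decode(history):
    """Analyst side: map each logarithmic letter in a history value to
    the (low, high) bounds on how many times the event occurred."""
    bounds = {}
    for ch, reps in Counter(history).items():
        if ch.lower() in LOG_LETTERS:
            side = "orig" if ch.isupper() else "resp"
            # k repetitions mean between 10^(k-1) and 10^k - 1 events
            bounds[(side, ch.lower())] = (10 ** (reps - 1), 10 ** reps - 1)
    return bounds

if __name__ == "__main__":
    # Constructed sample: a connection whose responder retransmits 250 times.
    h = simulate("ShADad", "t" * 250)
    print(h, decode(h))
```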