[Zeek-Dev] Dealing with directional out-of-order packet?

Song oldpopsong at qq.com
Mon Jun 24 18:33:13 PDT 2019


Directional out-of-order delivery may be caused by some network tapping
devices and/or some mirroring policies of the switches. In Wireshark, it
will often appear as pairs of packets in different directions labeled
"TCP ACKed unseen segment" and "TCP Spurious Retransmission".


It makes many Binpac analyzers unable to work normally, because
in most cases the current state of one direction depends on the packets
of the opposite direction.


In theory, if we know the number of bytes we have missed from
the other direction, we could make a good guess as to whether we should use
another state to decode the current packet.


So my question is: is this other-side gap information available in
Binpac?


Thanks in advance and best regards,


Song
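The reasoning in the post (the ACK number of a packet tells you how many bytes of the opposite direction the peer has already received; anything beyond what the sensor has seen on that side is the "other-side gap") can be modelled outside Zeek. The following is an added example, not Zeek or Binpac code and not something the poster wrote: a small per-direction byte tracker over one TCP connection with relative sequence numbers. The `Pkt`, `Report`, `StreamTracker` names and the two captures (`REORDERED`, `LOST`) are constructed for the illustration. It shows why the two Wireshark labels appear as a pair on a directional reorder, and how the same ACK arithmetic distinguishes a late segment from one that is genuinely missing from the feed.

```python
"""Model of the 'other-side gap' reasoning in the post above.

Constructed example, not Zeek or Binpac code: a per-direction byte tracker
for one TCP connection that uses each packet's ACK number to infer how many
bytes of the opposite direction the peer has already received but the
analyzer has not seen. Relative sequence numbers (first payload byte = 0 in
each direction) keep the arithmetic readable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    is_orig: bool   # True: originator -> responder, False: responder -> originator
    seq: int        # relative sequence number of the first payload byte
    ack: int        # relative ack: bytes of the opposite direction the sender has received
    length: int     # payload bytes (0 for a pure ACK)


@dataclass(frozen=True)
class Report:
    index: int
    is_orig: bool
    missing_other: int   # bytes of the opposite direction acked by the sender but unseen by us
    flags: tuple         # "acked_unseen", "late_arrival", "out_of_order", "retransmission"


class StreamTracker:
    def __init__(self):
        # next byte not yet seen contiguously, per direction (keyed by is_orig)
        self.delivered = {True: 0, False: 0}
        # buffered out-of-order segments, per direction: seq -> length
        self.pending = {True: {}, False: {}}
        # highest ack received *for* each direction's data (sent by the other side)
        self.acked_by_peer = {True: 0, False: 0}

    def _deliver(self, d, seq, length):
        """Feed payload into direction d's reassembly; return how it fit."""
        end = seq + length
        if end <= self.delivered[d]:
            return "retransmission"            # nothing new for the analyzer
        if seq > self.delivered[d]:
            self.pending[d][seq] = max(self.pending[d].get(seq, 0), length)
            return "out_of_order"              # hole in front of it on *this* side
        self.delivered[d] = end
        # drain buffered segments that became contiguous
        while True:
            ready = [s for s in self.pending[d] if s <= self.delivered[d]]
            if not ready:
                return "in_order"
            s = min(ready)
            self.delivered[d] = max(self.delivered[d], s + self.pending[d].pop(s))

    def gap_ahead(self, d):
        """Bytes missing between what we have delivered and the next buffered segment."""
        if not self.pending[d]:
            return 0
        return min(self.pending[d]) - self.delivered[d]

    def feed(self, index, p):
        d, other = p.is_orig, not p.is_orig
        flags = []
        # The ACK says the peer holds p.ack bytes of the other direction.
        # Anything beyond what we have delivered there is the 'other-side gap'.
        missing = max(0, p.ack - self.delivered[other])
        if missing:
            flags.append("acked_unseen")       # Wireshark: "TCP ACKed unseen segment"
        self.acked_by_peer[other] = max(self.acked_by_peer[other], p.ack)
        if p.length:
            fit = self._deliver(d, p.seq, p.length)
            if fit != "in_order":
                flags.append(fit)
            # New to us, yet already acked by the peer: the segment is late in
            # the capture, not retransmitted (Wireshark: "Spurious Retransmission").
            if fit != "retransmission" and p.seq + p.length <= self.acked_by_peer[d]:
                flags.append("late_arrival")
        return Report(index, d, missing, tuple(flags))


def analyze(packets):
    """Run the tracker over a packet list; return (reports, final tracker state)."""
    t = StreamTracker()
    return [t.feed(i, p) for i, p in enumerate(packets)], t


# Constructed capture: the responder's 200-byte reply reaches the sensor
# *after* the originator's next packet that already acks it.
REORDERED = [
    Pkt(True, 0, 0, 100),      # request
    Pkt(True, 100, 200, 50),   # follow-up, acks 200 reply bytes we have not seen
    Pkt(False, 0, 100, 200),   # the reply, arriving late
    Pkt(False, 200, 150, 10),  # more reply
]

# Constructed capture: same, but the reply is genuinely missing from the feed.
LOST = [
    Pkt(True, 0, 0, 100),
    Pkt(True, 100, 200, 50),
    Pkt(False, 200, 150, 10),
]

if __name__ == "__main__":
    for name, caps in (("reordered", REORDERED), ("lost", LOST)):
        reports, t = analyze(caps)
        print(name)
        for r in reports:
            print(f"  pkt {r.index} {'orig' if r.is_orig else 'resp'}: "
                  f"missing_other={r.missing_other} flags={r.flags}")
        print(f"  responder gap ahead: {t.gap_ahead(False)} bytes")
```

In the reordered capture the second packet reports 200 acked-but-unseen responder bytes, and the reply that follows is flagged as a late arrival rather than a retransmission because it is new to the tracker yet already covered by the peer's ACK. In the lost capture the same 200-byte figure appears, but the next responder segment lands out of order and `gap_ahead` shows a 200-byte hole that never closes; that is the number an analyzer would need before deciding to skip ahead to another decoding state.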