[Bro] TCP segment retransmission vs. segment out-of-order

Vern Paxson vern at icir.org
Mon Nov 8 11:02:18 PST 2010


> Is there any good methods for distinguishing retransmissions from
> out-of-orders?

A fairly robust method involves estimating the connection's minimum RTT
and then attributing out-of-sequence packets to reordering if their
interarrival time is less than an RTT, and to retransmission otherwise.
This will fail for very large reordering intervals, but from measurement
studies those are quite rare.

For some flows, you can also inspect the IPID field (or I guess timestamps,
if present, though I don't know if anyone has tried that).  If it normally
increases monotonically, then a step backward is a strong indicator of
reordering.

(Note, we're planning for the next Bro release to contain a bunch of
transport analysis, including detection of reordering and retransmission.)

		Vern
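As an added illustration of the two heuristics in this reply (the code is mine, not Vern's and not Bro's transport analysis), the following assumes one direction's data segments and the reverse direction's ACKs have already been pulled out of a capture. The min-RTT estimator, the 16-bit IPID comparison and the sample segments are all constructed for the example; the classification rule is exactly the one described above: IPID stepping backwards, or an interarrival time below the connection's minimum RTT, is taken as reordering, anything else as retransmission.

```python
"""Out-of-sequence TCP segments: reordering or retransmission?

Added example, not Bro code. Heuristics from the mailing-list reply:
  1. interarrival time below the connection's minimum RTT -> reordering,
     otherwise -> retransmission (fails only for very large reordering gaps);
  2. on flows whose IPID increases monotonically, a step backwards in IPID
     is a strong indicator of reordering.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    ts: float     # capture timestamp, seconds
    seq: int      # TCP sequence number
    length: int   # payload bytes
    ipid: int     # IP identification field, 16 bits


@dataclass
class Ack:
    ts: float
    ack: int      # cumulative ACK number from the reverse direction


def estimate_min_rtt(data: List[Segment], acks: List[Ack]) -> Optional[float]:
    """Minimum RTT from data -> ACK pairs (constructed helper, not Bro's).
    Sequence ranges seen more than once are skipped (Karn's rule) so a
    retransmission cannot be paired with an ACK of the original copy."""
    seen = {}
    for s in data:
        seen[(s.seq, s.length)] = seen.get((s.seq, s.length), 0) + 1
    best = None
    for s in data:
        if s.length == 0 or seen[(s.seq, s.length)] > 1:
            continue
        end = s.seq + s.length
        for a in acks:
            if a.ts >= s.ts and a.ack >= end:      # first ACK covering the segment
                rtt = a.ts - s.ts
                if best is None or rtt < best:
                    best = rtt
                break
    return best


def ipid_stepped_back(prev: int, cur: int) -> bool:
    """True when cur is behind prev in 16-bit wrapping arithmetic."""
    return ((cur - prev) & 0xFFFF) > 0x8000


def classify(data: List[Segment], min_rtt: float,
             use_ipid: bool = True) -> List[Tuple[int, str]]:
    """Label every out-of-sequence segment (seq below the highest
    end-of-data seen so far) as 'reordering' or 'retransmission'."""
    results = []
    next_expected = None
    prev_ts = None
    prev_ipid = None
    for i, s in enumerate(data):
        if next_expected is not None and s.seq < next_expected:
            if use_ipid and prev_ipid is not None and ipid_stepped_back(prev_ipid, s.ipid):
                label = "reordering"            # IPID went backwards
            elif prev_ts is not None and (s.ts - prev_ts) < min_rtt:
                label = "reordering"            # arrived within one RTT
            else:
                label = "retransmission"        # sender waited at least an RTT
            results.append((i, label))
        else:
            next_expected = s.seq + s.length
        prev_ts = s.ts
        prev_ipid = s.ipid
    return results


# Constructed sample flow: segment 3 (seq 200) was overtaken by seq 300 and
# carries an older IPID; segment 6 repeats seq 400 much later with a fresh IPID.
SAMPLE_DATA = [
    Segment(0.000, 0,   100, 10),
    Segment(0.010, 100, 100, 11),
    Segment(0.020, 300, 100, 13),
    Segment(0.022, 200, 100, 12),   # reordered
    Segment(0.030, 400, 100, 14),
    Segment(0.040, 500, 100, 15),
    Segment(0.300, 400, 100, 16),   # retransmitted
]
SAMPLE_ACKS = [Ack(0.050, 100), Ack(0.062, 200), Ack(0.072, 400), Ack(0.350, 600)]


def demo() -> List[Tuple[int, str]]:
    rtt = estimate_min_rtt(SAMPLE_DATA, SAMPLE_ACKS)
    return classify(SAMPLE_DATA, rtt)


if __name__ == "__main__":
    print("min RTT:", estimate_min_rtt(SAMPLE_DATA, SAMPLE_ACKS))
    for idx, label in demo():
        print(f"segment {idx} seq={SAMPLE_DATA[idx].seq}: {label}")
```

Running it on the constructed flow labels segment 3 as reordering and segment 6 as retransmission; passing `use_ipid=False` gives the same answer from the RTT rule alone, which is the fallback for flows whose IPID is not monotonic (randomized or constant IPIDs are common on modern stacks).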


