[Bro] TCP segment retransmission v.s. segment out-of-order

Juhoon Kim juhoon at net.t-labs.tu-berlin.de
Mon Nov 8 11:44:25 PST 2010


Thanks Vern, 

I just found out that Wireshark uses a fixed amount of time (3ms) instead of
the minimum RTT. 
Do you have any idea where this number came from?

Juhoon


-----Original Message-----
From: Vern Paxson [mailto:vern at ICIR.org] 
Sent: Monday, November 08, 2010 8:02 PM
To: juhoon at net.t-labs.tu-berlin.de
Cc: bro at bro-ids.org
Subject: Re: [Bro] TCP segment retransmission v.s. segment out-of-order 

> Are there any good methods for distinguishing retransmissions from
> out-of-orders?

A fairly robust method involves estimating the connection's minimum RTT
and then attributing out-of-sequence packets to reordering if their
interarrival time is less than an RTT, and to retransmission otherwise.
This will fail for very large reordering intervals, but from measurement
studies those are quite rare.

For some flows, you can also inspect the IPID field (or I guess timestamps,
if present, though I don't know if anyone has tried that).  If it normally
increases monotonically, then a step backward is a strong indicator of
reordering.

(Note, we're planning for the next Bro release to contain a bunch of
transport analysis, including detection of reordering and retransmission.)

		Vern
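The classification heuristic described in the reply above, as an added Python example that is not part of this thread and not Bro's own transport analysis: it estimates the connection's minimum RTT from data/ACK pairs, labels an out-of-sequence segment as reordering when it arrives less than one min-RTT after the previous segment in the same direction and as retransmission otherwise, and uses a step backward in the IPID field to corroborate reordering (which also catches the large-reordering-interval case the timing rule misses). The segment list, ACK list and IPID values are constructed for the example, and only one direction of the connection is modelled.

```python
"""Classify out-of-sequence TCP segments as reordering vs. retransmission.

Added example of the min-RTT heuristic from the mailing-list reply; not
Bro/Zeek code. All packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    ts: float      # capture timestamp, seconds
    seq: int       # relative TCP sequence number of the first payload byte
    length: int    # payload length in bytes
    ipid: int      # IP Identification field (16-bit)


@dataclass
class Ack:
    ts: float      # capture timestamp, seconds
    ack: int       # relative acknowledgement number (next byte expected)


def min_rtt(data: List[Segment], acks: List[Ack]) -> Optional[float]:
    """Estimate the minimum RTT from data/ACK pairs.

    Each data segment is paired with the first later ACK covering its last
    byte; the smallest such delay approximates the connection's base RTT.
    Retransmitted segments contribute a sample too, so a lost original only
    inflates one sample and never the minimum.
    """
    samples = []
    for seg in data:
        end = seg.seq + seg.length
        for a in acks:
            if a.ts > seg.ts and a.ack >= end:
                samples.append(a.ts - seg.ts)
                break
    return min(samples) if samples else None


def ipid_stepped_back(prev_ipid: int, cur_ipid: int) -> bool:
    """True if cur_ipid is behind prev_ipid in 16-bit modular order."""
    diff = (cur_ipid - prev_ipid) & 0xFFFF
    return diff > 0x8000


def classify(data: List[Segment], rtt_min: float) -> List[str]:
    """Label each segment 'in-order', 'reordering' or 'retransmission'.

    A segment is out-of-sequence when its seq lies below the highest byte
    already seen in this direction. It is attributed to reordering when it
    arrives less than one min-RTT after the previous segment (too soon for
    the sender to have noticed a loss) or when its IPID steps backward, and
    to retransmission otherwise.
    """
    labels = []
    high_water = 0
    prev_ts = None
    prev_ipid = None
    for seg in data:
        if seg.seq < high_water and prev_ts is not None:
            gap = seg.ts - prev_ts
            by_ipid = prev_ipid is not None and ipid_stepped_back(prev_ipid, seg.ipid)
            labels.append("reordering" if gap < rtt_min or by_ipid else "retransmission")
        else:
            labels.append("in-order")
        high_water = max(high_water, seg.seq + seg.length)
        prev_ts, prev_ipid = seg.ts, seg.ipid
    return labels


# Constructed one-direction trace: ~50 ms RTT, segment 2000 overtaken by 3000
# (reordering), and segment 4000 lost downstream and resent ~300 ms later.
DATA = [
    Segment(0.000, 0, 1000, 100),
    Segment(0.001, 1000, 1000, 101),
    Segment(0.002, 3000, 1000, 103),   # overtook the next one on the wire
    Segment(0.003, 2000, 1000, 102),   # arrives late, IPID steps back
    Segment(0.004, 4000, 1000, 104),   # original, lost after the capture point
    Segment(0.300, 4000, 1000, 105),   # retransmission after a timeout
]
ACKS = [
    Ack(0.050, 1000), Ack(0.051, 2000), Ack(0.052, 2000),
    Ack(0.053, 4000), Ack(0.350, 5000),
]


def run_demo() -> List[str]:
    rtt = min_rtt(DATA, ACKS)
    assert rtt is not None, "no RTT samples in trace"
    return classify(DATA, rtt)


if __name__ == "__main__":
    for seg, label in zip(DATA, run_demo()):
        print(f"t={seg.ts:.3f} seq={seg.seq} ipid={seg.ipid}: {label}")
```

Because the decision is driven by the estimated minimum RTT rather than a fixed interval, the same code behaves sensibly on a LAN trace and on a high-latency path; the IPID check only helps on senders whose IPID counter increases monotonically, so it is treated as corroboration rather than as the primary rule.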



