[Bro] using Bro as traffic analyzer.

James Swaro james.swaro at gmail.com
Sat Dec 10 00:28:23 PST 2011


>
> I checked the code of tcp_rexmit event in TCP.cc.
> It seems that the event was processed with max_top_seq.
> There are two issues should be considered.
> 1. how can i distinguish tcp_retrasmission caused by packet loss & out of
> order?
>

It would be entirely possible to make certain assumptions during
post-processing of your logs. It is possible to determine which
retransmissions are legitimately out-of-order and not actual
retransmissions, if you have some sense of the round trip time of the
connection or other methods. Perhaps Katrina or someone else could chime in
and explain this in more detail. I am curious to know as well.


> 2. if the retransmission occurs when handshaking, would it be correctly
> triggered?
>
>
The sequence number to be acknowledged remains the same during handshaking.
The event should be correctly triggered.

int seq_delta = top_seq - max_top_seq;
> if ( seq_delta <= 0 )


Consider that top_seq is always set to the sequence number in the TCP
header plus the length of the packet. Given that the syn/syn-ack packets
never carry data, you will always trigger the retransmit event upon the
second transmission of a syn/syn-ack segment with a sequence number less
than or equal to the maximum sequence number observed. It should always
trigger.

-- James Swaro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111210/950608c6/attachment.html 


More information about the Bro mailing list