[Bro] TCP PUSH flag
nicolas.retrain at cea.fr
Thu May 16 02:28:41 PDT 2013
Hi,
I am still investigating the SOCKS bug. In addition to the byte
version problem, I noticed that only data from the client is displayed by
DeliverStream, strange. So I took a look at my use-case trace, and it
appears that the TCP connection uses the PUSH flag. How does Bro deal
with the PUSH flag? Could the problem come from this?
Here is the TCP flow of my test case:
|Time     | 192.168.0.2 (Client)                |
|         |                   | 192.168.0.1 (Socks server)
|0.000000 |         SYN       |                 |Seq = 0
|         |(55951)  ------------------>  (1080) |
|0.000063 |         SYN, ACK  |                 |Seq = 0 Ack = 1
|         |(55951)  <------------------  (1080) |
|0.000923 |         ACK       |                 |Seq = 1 Ack = 1
|         |(55951)  ------------------>  (1080) |
|0.069237 |         PSH, ACK - Len: 5           |Seq = 1 Ack = 1
|         |(55951)  ------------------>  (1080) |
|0.069282 |         ACK       |                 |Seq = 1 Ack = 6
|         |(55951)  <------------------  (1080) |
|0.212734 |         PSH, ACK - Len: 2           |Seq = 1 Ack = 6
|         |(55951)  <------------------  (1080) |
|0.213192 |         ACK       |                 |Seq = 6 Ack = 3
|         |(55951)  ------------------>  (1080) |
|0.213561 |         PSH, ACK - Len: 11          |Seq = 6 Ack = 3
|         |(55951)  ------------------>  (1080) |
|0.213583 |         ACK       |                 |Seq = 3 Ack = 17
|         |(55951)  <------------------  (1080) |
|0.216805 |         PSH, ACK - Len: 2           |Seq = 3 Ack = 17
|         |(55951)  <------------------  (1080) |
|0.217095 |         PSH, ACK - Len: 10          |Seq = 17 Ack = 5
|         |(55951)  ------------------>  (1080) |
|0.222837 |         PSH, ACK - Len: 10          |Seq = 5 Ack = 27
|         |(55951)  <------------------  (1080) |
Nicolas