[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bro
Subject:    Re: [Bro] using Bro as traffic analyzer.
From:       Katrina LaCurts <katrina () csail ! mit ! edu>
Date:       2011-12-11 3:26:09
Message-ID: 9442AC64-0904-4E91-B45D-B74C7CD2933E () csail ! mit ! edu
[Download RAW message or body]

> It is possible to determine which retransmissions are legitimately out-of-order and \
> not actual retransmissions, if you have some sense of the round trip time of the \
> connection or other methods. Perhaps Katrina or someone else could chime in and \
> explain this in more detail. I am curious to know as well.

That's the general idea.  You can check retransmissions vs. out-of-order (vs. replay \
packets) by examining the obvious things such as IP IDs and sequence numbers, and \
then checking the inter-arrival time between the packet in question and the previous \
packet.  If that IAT is less than the minimum RTT you've observed on the connection, \
then you're likely dealing with either a replay packet or an out-of-order packet (and \
that distinction can be resolved with sequence numbers and IP IDs).

It is a bit of a pain (one has to keep track of RTTs, what sequence numbers we've \
seen, etc.), but that's how my analyzer handles it.

Katrina


[prev in list] [next in list] [prev in thread] [next in thread]