IDS mailing list archives
Re: Making my own IDS... how to detect packet loss ?
From: Paul Palmer <paul_palmer () us ibm com>
Date: Thu, 16 Jul 2009 13:50:53 -0400
The short answer is that you correlate the SEQ# from one side of the connection with the ACK# you see on the other side of the connection. If you are seeing SEQ# from after the lost data and the other host is acknowledging receipt past the lost data, it is highly unlikely that you will ever see the lost data come across the wire.

Paul

From: Jonathon <thejunkjon () gmail com>
To: focus-ids () securityfocus com
Date: 07/16/2009 12:58 PM
Subject: Making my own IDS... how to detect packet loss ?

I am writing my own IDS. I have a packet sniffer + TCP reassembler that I've written. For each stream I detect, I have to keep some state + a buffer of the packets for the stream. However, a problem that I've run into is that sometimes packets could get lost (meaning I do not capture them, but they were actually sent/received between two hosts on the network). If I do drop the packets, my current implementation gets all messed up since I never end up freeing the resources I've allocated for that stream. So, lost packets seem to be the bane of my current implementation.

My question is (assuming all TCP streams), how can I determine whether a packet is lost by just looking at packets that I currently have in my buffer? The packets could come in any order so just because I receive a packet with seq #N, doesn't mean that a packet with seq #N-1 was sent.

I hope this is the appropriate mailing list for my question.

Thanks

J
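The SEQ#/ACK# correlation described in the reply above, as an added example that is not part of the original thread or anyone's IDS code: one direction of a flow is reassembled, and an ACK from the peer that passes bytes the sensor never captured marks a permanent gap, so buffered segments can be released instead of held forever. The names `HalfStream`, `seq_diff` and `demo` are hypothetical, the sample capture is constructed, and packets are assumed to be processed in capture order.

```python
MOD, HALF = 1 << 32, 1 << 31

def seq_diff(a, b):
    """Signed distance a - b in 32-bit TCP sequence space (handles wraparound)."""
    return ((a - b + HALF) % MOD) - HALF

class HalfStream:
    """Reassembly state for the bytes one endpoint sends (hypothetical helper)."""

    def __init__(self, first_seq):
        self.next_seq = first_seq   # next byte we expect to reassemble
        self.pending = {}           # seq -> payload captured out of order
        self.data = bytearray()     # in-order bytes handed to detection
        self.gaps = []              # (seq, length) ranges the sensor never saw

    def on_segment(self, seq, payload):
        """A captured data segment sent by this endpoint."""
        if payload and seq_diff(seq + len(payload), self.next_seq) > 0:
            self.pending[seq % MOD] = payload
        self._drain()

    def on_peer_ack(self, ack):
        """An ACK number captured from the other endpoint."""
        while seq_diff(ack, self.next_seq) > 0:
            # Receiver confirmed bytes we never captured: no retransmission
            # is coming, so record the hole and resume at the next data we hold.
            held = [s for s in self.pending
                    if seq_diff(s, self.next_seq) > 0 and seq_diff(s, ack) < 0]
            end = min(held, key=lambda s: seq_diff(s, self.next_seq)) if held else ack
            self.gaps.append((self.next_seq, seq_diff(end, self.next_seq)))
            self.next_seq = end
            self._drain()

    def _drain(self):
        """Move every buffered segment that now touches next_seq into data."""
        while True:
            ready = [s for s in self.pending if seq_diff(s, self.next_seq) <= 0]
            if not ready:
                return
            for s in ready:
                payload = self.pending.pop(s)
                skip = seq_diff(self.next_seq, s)   # overlap already delivered
                if skip < len(payload):
                    self.data += payload[skip:]
                    self.next_seq = (s + len(payload)) % MOD

def demo():
    # Constructed capture: the sensor missed the 4 bytes at seq 1004.
    h = HalfStream(1000)
    h.on_segment(1000, b"GET ")
    h.on_segment(1008, b"ex\r\n")
    h.on_peer_ack(1012)
    return bytes(h.data), h.gaps, len(h.pending)
```

The recorded gaps are worth logging per flow, since any signature that would have matched across a missing range cannot fire on that stream.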
Current thread:
- Making my own IDS... how to detect packet loss ? Jonathon (Jul 16)
- Re: Making my own IDS... how to detect packet loss ? Aaron Turner (Jul 16)
- Re: Making my own IDS... how to detect packet loss ? Jonathon (Jul 16)
- RE: Making my own IDS... how to detect packet loss ? Francis, Shannon (Jul 16)
- Re: Making my own IDS... how to detect packet loss ? Martin Roesch (Jul 16)
- Re: Making my own IDS... how to detect packet loss ? Jonathon (Jul 16)
- Re: Making my own IDS... how to detect packet loss ? Aaron Turner (Jul 16)
- Re: Making my own IDS... how to detect packet loss ? Paul Palmer (Jul 16)