Snort mailing list archives
Re: Logging retransmitted pkts.
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 31 Jan 2005 13:06:49 -0500
At 03:51 AM 1/29/2005, Mike Mestnik wrote:
The only thing I can really do is log retransmitted pkts. Luckily I'm only interested in TCP, so retransmitted pkts should be easy to spot. The problem is I have seen many programs to monitor TCP flows (iptraf, tcpdump, potion) but none of them have an easy way to count duplicates.
Erm, why not just use netstat -s on the sending box (works on Windows and *nix)? Trying to track retransmitted packets from a sniffer would be slightly tricky, as you'd have to create a live windowed database of all the previous packets. Certainly this isn't likely to be related to a network attack, so snort isn't going to have much in the way of facilities built in to detect this. You might be able to hack stream4 to do this, but you'd almost certainly have to go in and modify its code to do so.
Also, in the case of TCP, retransmissions will be relatively few, due to TCP's congestion avoidance algorithm. As soon as one packet gets dropped, TCP should back its sending rate down to avoid future drops. Thus you really shouldn't see more than one or two drops per socket open, and for short sessions, 0.
---------
TCP Statistics for IPv4
Active Opens = 851
Passive Opens = 1
Failed Connection Attempts = 0
Reset Connections = 4
Current Connections = 8
Segments Received = 28023
Segments Sent = 18778
Segments Retransmitted = 39
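Matt's "live windowed database of all the previous packets" is what a sniffer-side retransmission counter needs. The following is an added example, not code from this thread or from Snort: a stdlib-only Python tracker that keeps a bounded per-flow history of seen sequence ranges and flags a data segment as a retransmission when an earlier segment on the same flow already covered it. The segment records are constructed; in a real run they would come from a pcap parser.

```python
from collections import defaultdict, deque, namedtuple

# Constructed segment records: the fields a sniffer would hand us per TCP segment.
Segment = namedtuple("Segment", "src sport dst dport seq length")

class RetransmitTracker:
    """Windowed per-flow store of (seq, end) ranges already seen on the wire.

    Limitations kept deliberately simple: no 32-bit sequence wrap handling, and a
    coalesced retransmit spanning two earlier segments is not flagged.
    """
    def __init__(self, window=1024):
        self.window = window                  # max ranges remembered per flow
        self.seen = defaultdict(deque)        # flow key -> deque of (seq, end)
        self.retransmits = defaultdict(int)   # flow key -> retransmit count

    def feed(self, seg):
        """Return True if seg repeats data this flow already sent."""
        if seg.length == 0:
            return False                      # pure ACKs carry no data to repeat
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        end = seg.seq + seg.length
        hist = self.seen[key]
        dup = any(s <= seg.seq and end <= e for s, e in hist)
        if dup:
            self.retransmits[key] += 1
        else:
            hist.append((seg.seq, end))
            if len(hist) > self.window:       # bound memory for a live feed
                hist.popleft()
        return dup

    def summary(self):
        return dict(self.retransmits)

# Constructed sample: one client->server flow with two repeats and a pure ACK back.
SAMPLE = [
    Segment("10.0.0.5", 40000, "10.0.0.9", 80, 1000, 100),
    Segment("10.0.0.5", 40000, "10.0.0.9", 80, 1100, 100),
    Segment("10.0.0.5", 40000, "10.0.0.9", 80, 1000, 100),   # full retransmit
    Segment("10.0.0.9", 80, "10.0.0.5", 40000, 5000, 0),      # pure ACK, ignored
    Segment("10.0.0.5", 40000, "10.0.0.9", 80, 1200, 100),
    Segment("10.0.0.5", 40000, "10.0.0.9", 80, 1150, 50),    # partial, inside 1100-1200
]

def count_retransmits(segments, window=1024):
    """Feed segments in capture order; return per-segment flags and per-flow totals."""
    tracker = RetransmitTracker(window)
    flags = [tracker.feed(s) for s in segments]
    return flags, tracker.summary()

if __name__ == "__main__":
    print(count_retransmits(SAMPLE))
```

Compare the per-flow totals against the sender's own "Segments Retransmitted" counter from netstat -s; a large gap between the two usually means the capture point is missing packets rather than that the host is retransmitting.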