Re: Logging retransmitted pkts.

[Mike Mestnik <cheako911 () yahoo com>]

--- Matt Kettler <mkettler () evi-inc com> wrote:

> At 03:51 AM 1/29/2005, Mike Mestnik wrote:
> > The only thing I can really do is log retransmitted pkts.  Luckily I'm
> > only interested in TCP, so retransmitted pkts should be easy to spot. 
> The
> > problem is I have seen many program to monitor TCP flows(iptraf,
> tcpdump,
> > potion) but non of them have an easy way to count duplicates.
>
> Erm, why not just use netstat -s on the sending box (works on windows
> and *nix)
Done, this is just a hack IMHO.  The big problem is it done not, and has
no way to, count bytes or bytes/second.

> Trying to track retransmitted packets from a sniffer would be slightly 
> tricky, as you'd have to create a live windowed database of all the 
> previous packets. Certainly this isn't likely to be related to a network
I see this as being one more field in the connection tble for the current
end of the window.  If we see data less then this number it's old data
being sent again.

> attack, so snort isn't going to have much in the way of facilities built
> in 
> to detect this. You might be able to hack stream4 to do this, but you'd 
> almost certianly have to go in and modify its code to do so.
>
> Also, in the case of TCP retransmissions will be relatively few, due to 
> TCP's congestion avoidance algorithm. As soon as one packet gets
> dropped, 
> TCP should back its sending rate down to avoid future drops. Thus you 
> really shouldn't see more than one or two drops per socket open, and for
http://train.is-a-geek.org/mrtg/retransmited.html
I think, for my network, this is not true.  The problem is if there are
more then 3 or 4(I.E. n) connections, the rate of slow start is (RATE *
n).  This leads to more then half the connections getting the 3 droped
pkts nessisary to half the connection speed.  Then slow start rate is
(RATE * n / 2) for about 3 or 4 seconds.  After this the rest of the
connections follow suit and drop to half and some of the others goto 1/4
of there would be bandwith alotment.

The end result is the total used BW is about 1/3 of total avalible.

> short sessions, 0.
>
>
> ---------
> TCP Statistics for IPv4
>
>    Active Opens                        = 851
>    Passive Opens                       = 1
>    Failed Connection Attempts          = 0
>    Reset Connections                   = 4
>    Current Connections                 = 8
>    Segments Received                   = 28023
>    Segments Sent                       = 18778
>    Segments Retransmitted              = 39



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users