tcpdump mailing list archives

Re: Adding SHA1 signature to packets?


From: Alexander Dupuy <alex.dupuy () mac com>
Date: Wed, 12 Dec 2007 10:59:58 -0500

Andy Howell wrote:
In my application I needed to detect the duplicate packets that some Cisco Cat6000 (?) switches send on a spanning port. I tried various hashes like SHA1, MD4/5, but they were too cpu intensive. I ended up using a simple checksum. I only look at the last 4 packets in determining if the received packet was a dupe.

Something that I've done (although our version of duplicate suppression, written by a co-worker, just does header compares) is to use high-entropy bytes in the packet structure to quickly eliminate the possibility of duplicates, e.g. IP/TCP/UDP checksums, and if your network card/OS provide it, the FCS at the end of the packet (although that requires full capture). You only need to compare if the high-entropy bytes are the same (which usually they are not unless there really is a duplicate).

http://en.wikipedia.org/wiki/Adler-32

Interestingly, the SCTP protocol dropped Adler-32 for a conventional CRC (see RFC 3309) because the Adler will not give you a good distribution of entropy across all 32 bits for short packets. I don't know if that's an issue for your application.

@alex

--
mailto:alex.dupuy () mac com

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
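
The approach discussed in this message, as an added example in C (not code from the thread or from tcpdump): the IPv4 header checksum and the TCP/UDP checksum form a cheap key over the last four frames, and a full byte compare runs only when the key matches. The names `entropy_key` and `dedup_check`, the `SNAP` size, and the untagged-Ethernet frame layout are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 4     /* look-back depth, as in the quoted message */
#define SNAP   1514  /* assumed: bytes stored per frame for the full compare */
struct slot  { uint32_t key, len; uint8_t data[SNAP]; };
struct dedup { struct slot ring[WINDOW]; unsigned next; };

/* Key = IPv4 header checksum (high 16 bits) + TCP/UDP checksum (low 16 bits)
 * of an untagged Ethernet frame; anything unparsed contributes 0. */
static uint32_t entropy_key(const uint8_t *p, size_t len)
{
    if (len < 34 || p[12] != 0x08 || p[13] != 0x00 || (p[14] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(p[14] & 0x0f) * 4;
    size_t l4 = p[23] == 6 ? 16 : p[23] == 17 ? 6 : 0;  /* checksum offset */
    size_t off = 14 + ihl + l4;
    uint32_t key = ((uint32_t)p[24] << 24) | ((uint32_t)p[25] << 16);
    if (ihl >= 20 && l4 != 0 && off + 2 <= len)
        key |= ((uint32_t)p[off] << 8) | p[off + 1];
    return key;
}

/* Returns 1 if the frame repeats one of the last WINDOW frames, else stores it. */
int dedup_check(struct dedup *d, const uint8_t *p, size_t len)
{
    if (len == 0) return 0;
    uint32_t key = entropy_key(p, len);
    size_t n = len < SNAP ? len : SNAP;
    for (unsigned i = 0; i < WINDOW; i++) {
        const struct slot *s = &d->ring[i];
        if (s->key == key && s->len == len && memcmp(s->data, p, n) == 0)
            return 1;  /* memcmp is reached only when the cheap key matched */
    }
    struct slot *s = &d->ring[d->next];
    d->next = (d->next + 1) % WINDOW;
    s->key = key; s->len = (uint32_t)len; memcpy(s->data, p, n);
    return 0;
}

int main(void)
{
    static struct dedup d;
    uint8_t f[60] = {0};  /* constructed UDP/IPv4 frame, not captured traffic */
    f[12] = 0x08; f[14] = 0x45; f[23] = 17; f[24] = 0xAB; f[41] = 0x34;
    int first = dedup_check(&d, f, sizeof f);
    printf("first=%d repeat=%d\n", first, dedup_check(&d, f, sizeof f));
    return 0;
}
```

Because a key match is always confirmed with `memcmp`, a key collision or an unparsed frame costs only time and never produces a false duplicate within the stored `SNAP` bytes.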

