Snort mailing list archives

Re: Logging retransmitted pkts.


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 31 Jan 2005 13:06:49 -0500

At 03:51 AM 1/29/2005, Mike Mestnik wrote:
The only thing I can really do is log retransmitted pkts.  Luckily I'm
only interested in TCP, so retransmitted pkts should be easy to spot.  The
problem is I have seen many programs to monitor TCP flows (iptraf, tcpdump,
potion) but none of them have an easy way to count duplicates.

Erm, why not just use netstat -s on the sending box (works on Windows and *nix)?


Trying to track retransmitted packets from a sniffer would be slightly tricky, as you'd have to create a live windowed database of all the previous packets. Certainly this isn't likely to be related to a network attack, so snort isn't going to have much in the way of facilities built in to detect this. You might be able to hack stream4 to do this, but you'd almost certainly have to go in and modify its code to do so.

Also, in the case of TCP, retransmissions will be relatively few, due to TCP's congestion avoidance algorithm. As soon as one packet gets dropped, TCP should back its sending rate down to avoid future drops. Thus you really shouldn't see more than one or two drops per socket open, and for short sessions, 0.


---------
TCP Statistics for IPv4

  Active Opens                        = 851
  Passive Opens                       = 1
  Failed Connection Attempts          = 0
  Reset Connections                   = 4
  Current Connections                 = 8
  Segments Received                   = 28023
  Segments Sent                       = 18778
  Segments Retransmitted              = 39
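The "live windowed database" of earlier packets that the reply describes, as an added illustration and not code from this thread or from Snort: a per-flow tracker that counts data-carrying TCP segments whose sequence number falls below the highest byte already seen on that flow, evicting idle flows from the window. The packet tuples and the `RetransmitCounter` class are constructed for this example; the last sample packet shows the blind spot a bounded window leaves once a flow's state has been evicted.

```python
"""Count TCP retransmissions from a packet stream using a bounded flow window."""
from collections import OrderedDict

SEQ_MASK = 0xFFFFFFFF


def seq_before(a, b):
    """True if 32-bit sequence number a precedes b (wraparound-safe)."""
    return ((a - b) & SEQ_MASK) >= 0x80000000


# Constructed sample: (time, src, sport, dst, dport, seq, payload_len)
SAMPLE_PACKETS = [
    (0.00, "10.0.0.1", 40000, "10.0.0.2", 80, 1000, 100),
    (0.01, "10.0.0.1", 40000, "10.0.0.2", 80, 1100, 100),
    (0.20, "10.0.0.1", 40000, "10.0.0.2", 80, 1100, 100),  # resend of 2nd segment
    (0.21, "10.0.0.1", 40000, "10.0.0.2", 80, 1200, 100),
    (0.50, "10.0.0.1", 40000, "10.0.0.2", 80, 1000, 100),  # resend of 1st segment
    (0.60, "10.0.0.3", 40001, "10.0.0.2", 80, 500, 0),     # pure ACK: never counted
    (0.61, "10.0.0.3", 40001, "10.0.0.2", 80, 500, 50),
    (5.00, "10.0.0.3", 40001, "10.0.0.2", 80, 500, 50),    # resend, but flow already evicted
]


class RetransmitCounter:
    def __init__(self, idle_timeout=2.0):
        self.idle_timeout = idle_timeout
        self.flows = OrderedDict()   # flow key -> (last_seen, next_expected_seq); oldest first
        self.counts = {}             # flow key -> retransmitted segments seen

    def _expire(self, now):
        # Drop flows idle longer than the window; their history is forgotten.
        while self.flows and now - next(iter(self.flows.values()))[0] >= self.idle_timeout:
            self.flows.popitem(last=False)

    def feed(self, pkt):
        now, src, sport, dst, dport, seq, plen = pkt
        self._expire(now)
        key = (src, sport, dst, dport)
        _, next_seq = self.flows.pop(key, (now, None))   # pop so re-insert moves it to the end
        is_retx = False
        if plen > 0:
            end = (seq + plen) & SEQ_MASK
            if next_seq is not None and seq_before(seq, next_seq):
                is_retx = True                          # data below the high-water mark
                self.counts[key] = self.counts.get(key, 0) + 1
            if next_seq is None or seq_before(next_seq, end):
                next_seq = end                          # advance the high-water mark
        self.flows[key] = (now, next_seq)
        return is_retx


def count_retransmissions(packets, idle_timeout=2.0):
    counter = RetransmitCounter(idle_timeout)
    for pkt in packets:
        counter.feed(pkt)
    return counter.counts
```

Run on the sample, only the first flow is reported with 2 retransmissions; the resend at t=5.00 is missed because its flow aged out of the window, which is the trade-off any sniffer-side counter has to make.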



