
Re: [Snort-users] Logging retransmitted pkts.

Subject: Re: [Snort-users] Logging retransmitted pkts.
Date: Mon, 31 Jan 2005 13:06:49 -0500
At 03:51 AM 1/29/2005, Mike Mestnik wrote:
> The only thing I can really do is log retransmitted pkts. Luckily I'm
> only interested in TCP, so retransmitted pkts should be easy to spot. The
> problem is I have seen many programs to monitor TCP flows (iptraf, tcpdump,
> potion) but none of them have an easy way to count duplicates.

Erm, why not just use netstat -s on the sending box (works on Windows and *nix)?


Trying to track retransmitted packets from a sniffer would be slightly tricky, as you'd have to create a live windowed database of all the previous packets. Certainly this isn't likely to be related to a network attack, so snort isn't going to have much in the way of facilities built in to detect this. You might be able to hack stream4 to do this, but you'd almost certainly have to go in and modify its code to do so.


Also, in the case of TCP, retransmissions will be relatively few, due to TCP's congestion avoidance algorithm. As soon as one packet gets dropped, TCP should back its sending rate down to avoid future drops. Thus you really shouldn't see more than one or two drops per socket open, and for short sessions, 0.


--------- TCP Statistics for IPv4

  Active Opens                        = 851
  Passive Opens                       = 1
  Failed Connection Attempts          = 0
  Reset Connections                   = 4
  Current Connections                 = 8
  Segments Received                   = 28023
  Segments Sent                       = 18778
  Segments Retransmitted              = 39
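Both approaches from the reply above, as an added example that is not part of the thread and not Snort or stream4 code: a small "windowed database" that flags a TCP segment as a retransmission when its data range overlaps one already seen on the same unidirectional flow, plus a parser that pulls the sent/retransmitted counters out of the netstat -s text. Packets are plain dicts (a constructed sample, not a real capture) rather than a pcap, so it runs offline; the flow key, the window size and the field names are assumptions made here.

```python
"""Spot TCP retransmissions from a packet stream and from netstat -s output.
Added example for this page; not code from the thread, Snort or stream4."""
import re
from collections import defaultdict, deque

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class RetransmitDetector:
    """Per unidirectional flow, remember the last `window` data ranges seen
    (the live windowed database the reply describes) and flag any new
    segment whose bytes overlap one of them."""

    def __init__(self, window=64):
        self.ranges = defaultdict(lambda: deque(maxlen=window))  # flow -> (seq, len)
        self.counts = defaultdict(int)                           # flow -> retransmits

    @staticmethod
    def _overlaps(seq, length, s, l):
        # [seq, seq+length) intersects [s, s+l) in modulo-2^32 sequence space
        return (seq - s) % SEQ_MOD < l or (s - seq) % SEQ_MOD < length

    def observe(self, pkt):
        """pkt: dict with src, sport, dst, dport, seq, len and optional syn/fin.
        Returns True when the segment carries data that was already seen."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        # SYN and FIN each occupy one sequence number; a pure ACK occupies none
        length = pkt["len"] + int(pkt.get("syn", False)) + int(pkt.get("fin", False))
        if length == 0:
            return False  # pure ACKs / window updates are never retransmissions
        seq = pkt["seq"] % SEQ_MOD
        for s, l in self.ranges[key]:
            if self._overlaps(seq, length, s, l):
                self.counts[key] += 1
                return True
        self.ranges[key].append((seq, length))
        return False


def count_retransmissions(packets, window=64):
    """Run the detector over a packet list; return (flagged indices, per-flow counts)."""
    det = RetransmitDetector(window)
    flagged = [i for i, p in enumerate(packets) if det.observe(p)]
    return flagged, dict(det.counts)


def netstat_retransmit_ratio(text):
    """Parse the 'Segments Sent' / 'Segments Retransmitted' counters from
    netstat -s output (Windows layout as shown on this page) and return
    (retransmitted, sent, ratio)."""
    found = dict(re.findall(r"Segments (Sent|Retransmitted)\s*=\s*(\d+)", text))
    sent, retrans = int(found["Sent"]), int(found["Retransmitted"])
    return retrans, sent, retrans / sent if sent else 0.0


# Constructed sample stream (assumed addresses/ports); flow A is 10.0.0.1 -> 10.0.0.2
A = {"src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80}
B = {"src": "10.0.0.2", "sport": 80, "dst": "10.0.0.1", "dport": 40000}
SAMPLE_PACKETS = [
    dict(A, seq=1000, len=0, syn=True),     # 0: SYN occupies seq 1000
    dict(A, seq=1001, len=100),             # 1: first data
    dict(A, seq=1101, len=100),             # 2
    dict(A, seq=1001, len=100),             # 3: full retransmit of packet 1
    dict(A, seq=1201, len=100),             # 4
    dict(A, seq=1150, len=60),              # 5: partial overlap with packet 2
    dict(B, seq=5000, len=0),               # 6: pure ACK
    dict(B, seq=5000, len=0),               # 7: duplicate ACK, not a retransmit
    dict(B, seq=5000, len=500),             # 8: first real data on flow B
    dict(A, seq=4294967200, len=100),       # 9: data straddling the 2^32 wrap
    dict(A, seq=4294967250, len=100),       # 10: retransmit across the wrap
    dict(A, seq=2, len=50),                 # 11: retransmit of the wrapped tail
]

# The netstat -s excerpt shown above on this page, used as parser input
NETSTAT_SAMPLE = """
  Segments Received                   = 28023
  Segments Sent                       = 18778
  Segments Retransmitted              = 39
"""

if __name__ == "__main__":
    flagged, counts = count_retransmissions(SAMPLE_PACKETS)
    print("retransmitted packet indices:", flagged)
    print("per-flow counts:", counts)
    print("netstat ratio (retrans, sent, ratio):", netstat_retransmit_ratio(NETSTAT_SAMPLE))
```

Two caveats worth keeping in mind when using something like this on a real tap: the detector only sees what the sniffer sees, so if the drop happened upstream of the tap the original never arrives and the "retransmission" looks like a first transmission, and a reordered segment that arrives late is correctly not flagged because its bytes never overlap anything already recorded. Bound the window (here 64 ranges per flow) or long-lived flows will grow the table without limit.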



