[ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19804#comment-19804 ]
Vern Paxson commented on BIT-1255:
----------------------------------

That behavior is to not chew up tons of buffer when asymmetric routing leads to not seeing any acks. *However* I'm finding that modern traffic not infrequently is using much larger initial windows such that indeed there's routinely > 4KB of data at the beginning of a flow without any acknowledgments. I think this value needs to be cranked to at least 16KB lest a lot of routine traffic goes unanalyzed.

> TCP reassembly issue
> --------------------
>
> Key: BIT-1255
> URL: https://bro-tracker.atlassian.net/browse/BIT-1255
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.3
> Environment: CentOS 6
> Reporter: Jimmy Jones
> Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and
> netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the
> first 4069 bytes when extracted with the file analysis framework, and
> obviously the wrong hash (md5 is the URI).