I'm working on two enhancements to the $history tracking for connections
that I thought I'd tee them up for comments.
(1) A new history element, 'W'/'w', which means that a TCP receiver
advertised a zero window, indicating that the corresponding process
was unable to keep up with the incoming data. (This element is omitted
in cases where zero windows aren't problematic: initial SYNs, and after
FINs or RSTs.)
(2) A notion of "logarithmic counts" for history events: for certain
events ('C' = checksum, 'T' = retransmission, and 'W' = zero window)
the count is repeated on the 10th/100th/1000th/etc. occurrence. So a
history value of 'ttt' means that the responder sent somewhere between
100 and 999 retransmissions. This is useful because for large
connections, a single checksum error, retransmission, or zero window
is much less significant for analyzing performance issues than a whole
bunch of these.
Comments?
Vern
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
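As an added illustration (not part of Vern's message and not Bro's own implementation), here is a small Python model of the two proposals: a toy $history builder that records 'W'/'w' only when a zero window is "problematic" and applies logarithmic counts to 'C', 'T' and 'W', plus a helper that turns a run of repeated letters back into the count range it implies. The other history letters (S, H, A, D, F, R), the packet-level input format, and the rule that zero windows are ignored once any FIN or RST has been seen on the connection are assumptions made for the example.

```python
from collections import defaultdict

# Letters that get "logarithmic counts": the letter is repeated on the
# 1st, 10th, 100th, 1000th, ... occurrence instead of on every occurrence.
LOG_COUNTED = {"C", "T", "W"}


def is_power_of_ten(n):
    """True for 1, 10, 100, 1000, ... (the occurrences that get recorded)."""
    while n > 1 and n % 10 == 0:
        n //= 10
    return n == 1


class HistoryTracker:
    """Toy $history builder (constructed for this example, not Bro's code).

    Upper-case letters are originator events, lower-case are responder events.
    """

    def __init__(self):
        self.history = ""
        self.counts = defaultdict(int)   # keyed by (letter, is_orig)
        self.closing = False             # assumption: any FIN/RST seen on the connection

    def _add(self, letter, is_orig):
        sym = letter if is_orig else letter.lower()
        if letter in LOG_COUNTED:
            self.counts[(letter, is_orig)] += 1
            if is_power_of_ten(self.counts[(letter, is_orig)]):
                self.history += sym
        elif sym not in self.history:
            # Everything else is recorded once per direction.
            self.history += sym

    def packet(self, is_orig, flags=(), window=None, bad_checksum=False,
               retransmit=False):
        """Feed one packet. flags: subset of S, A, F, R and D (D = carries payload)."""
        flags = set(flags)
        if bad_checksum:
            self._add("C", is_orig)
        if "S" in flags:
            self._add("S" if "A" not in flags else "H", is_orig)
        if "D" in flags:
            self._add("D", is_orig)
        if retransmit:
            self._add("T", is_orig)
        if "A" in flags and not flags & {"S", "F", "R", "D"}:
            self._add("A", is_orig)      # pure ACK
        # Zero window is only interesting outside the SYN and after-close phases.
        if window == 0 and "S" not in flags and not self.closing:
            self._add("W", is_orig)
        if "F" in flags:
            self._add("F", is_orig)
            self.closing = True
        if "R" in flags:
            self._add("R", is_orig)
            self.closing = True


def count_range(history, letter):
    """Bounds (lo, hi) on how many times a log-counted event occurred,
    given how often its letter appears in the history string."""
    k = history.count(letter)
    if k == 0:
        return (0, 0)
    return (10 ** (k - 1), 10 ** k - 1)


def example_history():
    """Constructed connection: handshake, 150 responder retransmissions,
    one originator zero window mid-stream, then zero windows around close."""
    t = HistoryTracker()
    t.packet(True, {"S"}, window=0)           # zero window on the SYN: ignored
    t.packet(False, {"S", "A"})
    t.packet(True, {"A"})
    for _ in range(150):                      # responder retransmits data 150 times
        t.packet(False, {"A", "D"}, retransmit=True)
    t.packet(True, {"A"}, window=0)           # originator can't keep up: 'W'
    t.packet(True, {"F", "A"})
    t.packet(False, {"F", "A"})
    t.packet(True, {"A"}, window=0)           # zero window after FIN: ignored
    return t.history


if __name__ == "__main__":
    h = example_history()
    print(h)                                  # ShAdtttWFf
    print("responder retransmissions:", count_range(h, "t"))   # (100, 999)
```

Running it yields the history `ShAdtttWFf`: the three `t`s stand for the 1st, 10th and 100th responder retransmission, so `count_range` reports 100 to 999, matching the 'ttt' reading in the proposal, while the zero windows on the initial SYN and after the FINs leave no trace.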