On Wed, Apr 09, 2003 at 02:57:34PM -0600, Greg Morris wrote:
> I guess if I would have
> just not processed the packet then I would not have had to worry about
> it in the NDPS code.

Yup.

> Either way works for me. I was looking at the
> desegmentation code of other dissectors when I ran into this.

Not all other dissectors that do desegmentation detect retransmissions.

> I didn't
> really think about not passing to the subdissector if retransmitted. Is
> this how the TCP dissector works?

It currently doesn't do a thorough job of detecting retransmissions and passing retransmitted data only once to subdissectors. If the retransmission takes place within a reassembly, it should catch that as that'd be an overlap; however, if there's no reassembly being done, it doesn't catch retransmissions.

Perhaps it should do so if TCP sequence number analysis is turned on (it shouldn't necessarily always do it - that'd require a conversation to be created for every TCP connection, and if it creates a conversation the first time it sees any segment for a connection, that'd run the risk of causing it to run out of memory if you try to read a capture of a SYN flood attack; that issue came up with tcpdump, which, by default, creates a data structure for every TCP connection so it can show relative sequence numbers, but that caused problems when trying to read SYN flood attack captures).
