On Wed, Jul 15, 2009 at 6:09 PM, Jonathon<[email protected]> wrote:
> I am writing my own IDS.  I have a packet sniffer + TCP reassembler
> that I've written.  For each stream I detect, I have to keep some
> state + a buffer of the packets for the stream.  However, a problem
> that I've run into is that sometimes packets could get lost (meaning I
> do not capture them, but they were actually sent/received between two
> hosts on the network).  If I do drop the packets, my current
> implementation gets all messed up since I never end up freeing the
> resources I've allocated for that stream.  So, lost packets seem to be
> the bane of my current implementation.
>
> My question is (assuming all TCP streams), how can I determine whether
> a packet is lost by just looking at packets that I currently have in
> my buffer?
>
> The packets could come in any order so just because I receive a packet
> with seq #N, doesn't mean that a packet with seq #N-1 was sent.
>
> I hope this is the appropriate mailing list for my question.

If you track the values of the Ack's in packets then you'll know when
you've dropped one or more TCP segments which were received by the
other end.

Example:

Assume server sends 3 packets with Sequence numbers of 10, 50 and 100.
 But you only see 10 & 100.  If the client only Ack's 10, then you
know it didn't see 50 either.  But if it Ack's 100 then you know it
saw data you missed.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
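
The ACK-tracking idea from the reply above, as an added C example that is not code from the thread. The struct and function names are hypothetical, the segment lengths are constructed, and the ACK value is taken in the real TCP sense of "next byte expected", so an ACK beyond the captured contiguous data marks bytes the sniffer missed and lets the stream state move on instead of waiting forever.

```c
#include <stdint.h>

#define MAX_OOO 8                       /* constructed cap on buffered segments */
struct seg { uint32_t seq, len; };
struct half_stream {                    /* one direction of a stream (hypothetical) */
    uint32_t next_seq;                  /* end of contiguous data captured so far */
    struct seg ooo[MAX_OOO];            /* captured segments beyond next_seq */
    int n_ooo;
};

/* Serial-number comparison, so sequence wraparound at 2^32 is handled. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Merge buffered segments that touch the contiguous edge; drop stale ones. */
static void absorb(struct half_stream *h) {
    for (int i = 0; i < h->n_ooo; ) {
        struct seg s = h->ooo[i];
        if (seq_lt(h->next_seq, s.seq)) { i++; continue; }  /* hole before it */
        if (seq_lt(h->next_seq, s.seq + s.len)) h->next_seq = s.seq + s.len;
        h->ooo[i] = h->ooo[--h->n_ooo];                     /* remove entry */
        i = 0;                                              /* rescan */
    }
}

/* Record a data segment the sniffer captured (dropped if the buffer is full). */
void on_data(struct half_stream *h, uint32_t seq, uint32_t len) {
    if (h->n_ooo < MAX_OOO) h->ooo[h->n_ooo++] = (struct seg){ seq, len };
    absorb(h);
}

/* Process an ACK seen from the receiver. Returns how many acknowledged bytes
 * the sniffer never captured; the holes are skipped so state can be freed. */
uint32_t on_ack(struct half_stream *h, uint32_t ack) {
    uint32_t missed = 0;
    while (seq_lt(h->next_seq, ack)) {
        uint32_t stop = ack;            /* hole ends at ack or next buffered seg */
        for (int i = 0; i < h->n_ooo; i++)
            if (seq_lt(h->ooo[i].seq, stop))
                stop = h->ooo[i].seq;
        missed += stop - h->next_seq;
        h->next_seq = stop;             /* the receiver has it; we never will */
        absorb(h);
    }
    return missed;
}
```

With segments at sequence 10 and 100 captured and the one at 50 missed, an ACK of 50 reports nothing lost, while an ACK past 100 reports the 50 bytes between 50 and 100 as delivered but never captured.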
