Take a look at tcptrace, http://www.tcptrace.org, it reliably detects retransmits.
From: bro-bounces(a)bro-ids.org [mailto:email@example.com] On Behalf Of Vern Paxson
Sent: Wednesday, November 10, 2010 10:48 AM
Subject: Re: [Bro] TCP segment retransmission v.s. segment out-of-order
> IPID sounds very convincing. However, you said "for some flows". Are there
> any flows that we cannot use IPID for this purpose?
Right. Some OS's randomize IPID or set it to 0 (for packets sent with DF),
which renders the trick unusable.
(or I guess
> Do you mean the timestamp in the pcap header? or is there any other
> timestamps written from the end hosts which we can obtain from monitoring
TCP timestamps, negotiated for some connections. Again, not always doable.
Plus, the timestamp format is not standardized.
> we're planning for the next Bro release to contain a bunch of

> When do you expect to release the next Bro?
We don't have a target date yet. It's a good ways off.
> I could see some of them in TCPStats_Endpoint and rtt.bro. Is that what
> you are talking about?
Yes. Currently just in a branch.
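An added example, not code from this thread or from the Bro project, that applies the IP ID heuristic discussed above to one direction of a flow. The idea is that when a sender assigns IP IDs from a per-packet counter, a retransmitted segment was sent after the segments that already advanced the sequence space and so carries a higher IP ID, while an out-of-order segment was sent earlier and carries a lower IP ID than the segments that overtook it. The segment records, the usability threshold and the step bound are constructed assumptions; 32-bit sequence wraparound is not handled.

```python
"""Retransmission vs. out-of-order classification via IP ID ordering.

Added example; the Segment records, the 0.8 usability threshold and the
1024 step bound are this example's own assumptions, not values from the
thread or from Bro.
"""
from dataclasses import dataclass
from typing import List

IPID_MOD = 1 << 16          # IP ID is a 16-bit field
MAX_SEQUENTIAL_STEP = 1024  # assumed bound for a "counter-like" IP ID step


@dataclass
class Segment:
    ipid: int     # IP identification of the packet carrying the segment
    seq: int      # TCP sequence number (start of payload)
    length: int   # payload length in bytes


def ipid_after(a: int, b: int) -> bool:
    """True if IP ID b was assigned after IP ID a, allowing 16-bit wraparound."""
    return 0 < (b - a) % IPID_MOD < IPID_MOD // 2


def ipid_usable(segs: List[Segment]) -> bool:
    """Reject flows where the trick does not apply: IP IDs of zero (seen with
    DF on some OSes) or steps that look randomized rather than counter-like.
    Small steps in either direction count as counter-like so that reordering
    does not by itself make a flow look randomized."""
    if len(segs) < 2 or any(s.ipid == 0 for s in segs):
        return False
    steps = [(b.ipid - a.ipid) % IPID_MOD for a, b in zip(segs, segs[1:])]
    counter_like = sum(
        1 for d in steps
        if d <= MAX_SEQUENTIAL_STEP or d >= IPID_MOD - MAX_SEQUENTIAL_STEP
    )
    return counter_like / len(steps) >= 0.8   # assumed threshold


def classify(segs: List[Segment]) -> List[str]:
    """Label each segment, in capture order, as 'new', 'retransmission',
    'out-of-order', or 'unknown' (IP ID not usable for this flow)."""
    usable = ipid_usable(segs)
    labels = []
    highest_end = None   # highest seq+length seen so far
    max_ipid = None      # IP ID of the latest-sent packet seen so far
    for s in segs:
        end = s.seq + s.length
        if highest_end is None or end > highest_end:
            labels.append("new")          # advances the sequence space
            highest_end = end
        elif not usable:
            labels.append("unknown")
        elif ipid_after(max_ipid, s.ipid):
            labels.append("retransmission")   # sent after what we already saw
        else:
            labels.append("out-of-order")     # sent before, arrived late
        if max_ipid is None or ipid_after(max_ipid, s.ipid):
            max_ipid = s.ipid
    return labels


# Constructed samples. In RETRANSMIT_FLOW the original copy of seq 1000 was
# lost upstream of the monitor, so a sequence-number-only view would see the
# same picture as REORDER_FLOW; the IP ID (13, after the 12 already seen)
# tells the two apart.
RETRANSMIT_FLOW = [Segment(10, 0, 1000), Segment(12, 2000, 1000), Segment(13, 1000, 1000)]
REORDER_FLOW = [Segment(10, 0, 1000), Segment(12, 2000, 1000), Segment(11, 1000, 1000)]
ZERO_IPID_FLOW = [Segment(0, 0, 1000), Segment(0, 2000, 1000), Segment(0, 1000, 1000)]
RANDOM_IPID_FLOW = [Segment(41231, 0, 1000), Segment(9, 1000, 1000),
                    Segment(60001, 2000, 1000), Segment(22222, 3000, 1000)]

if __name__ == "__main__":
    for name, flow in [("retransmit", RETRANSMIT_FLOW), ("reorder", REORDER_FLOW),
                       ("zero ipid", ZERO_IPID_FLOW), ("random ipid", RANDOM_IPID_FLOW)]:
        print(f"{name:12s} usable={ipid_usable(flow)!s:5s} {classify(flow)}")
```

The usability check is what turns the caveat from the reply into code: a flow with zero IP IDs or randomized IP IDs gets "unknown" rather than a confident wrong label, which is the behaviour a monitor should prefer.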