Flagging retransmissions in connection history.

This adds a t/T letter for the first TCP payload retransmission from originator or responder, respectively. Addresses BIT-977.
2025-10-09 18:18:19 +00:00 · 2016-07-06 13:46:06 -07:00 · 2016-07-06 13:46:06 -07:00 · 394b16e1f2
commit 394b16e1f2
parent 1d7bca21e4
9 changed files with 83 additions and 24 deletions
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -424,7 +424,7 @@ void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
 	reassembling = 1;
 	}

-const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
+const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data,
 							int& len, int& caplen)
 	{
 	const struct tcphdr* tp = (const struct tcphdr*) data;
@ -1165,7 +1165,7 @@ static void update_ack_seq(TCP_Endpoint* endpoint, uint32 ack_seq)
 // Returns the difference between last_seq and the last sequence
 // seen by the endpoint (may be negative).
 static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
-                             TCP_Flags flags)
+                             TCP_Flags flags, int len)
 	{
 	int32 delta_last = seq_delta(last_seq, endpoint->LastSeq());

@ -1194,9 +1194,8 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
 		// ## endpoint->last_seq = last_seq;
 		endpoint->UpdateLastSeq(last_seq);

-	else if ( delta_last <= 0 )
-		{ // ### ++retransmit, unless this is a pure ack
-		}
+	else if ( delta_last < 0 && len > 0 )
+		endpoint->CheckHistory(HIST_RXMIT, 'T');

 	return delta_last;
 	}
@ -1334,7 +1333,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		peer->AckReceived(rel_ack);
 		}

-	int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags);
+	int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len);
 	endpoint->last_time = current_timestamp;

 	int do_close;