Improve TCP FIN retransmission handling.

In the case multiple FIN packets are seen from a TCP endpoint (e.g.
when one is retransmitted), only the first counted towards a byte in the
sequence space.  This could cause a subsequent FIN packet to induce an
incorrect wrap around in the sequence numbers (e.g.  the retransmitted
FIN packet now is one sequence number behind the first) and
misleadingly large connection sizes.  The change is to always treat a
FIN packet as counting one byte into the sequence space.
Jon Siwek 2014-01-24 15:51:58 -06:00
parent 430cf311e9
commit 5b3573394e
4 changed files with 14 additions and 7 deletions

@ -373,14 +373,11 @@ void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint,
int& seq_len, uint32 base_seq)
{
if ( endpoint->FIN_cnt == 0 )
{
++seq_len; // FIN consumes a byte of sequence space
++endpoint->FIN_cnt; // remember that we've seen a FIN
}
++seq_len; // FIN consumes a byte of sequence space.
++endpoint->FIN_cnt; // remember that we've seen a FIN
else if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
++endpoint->FIN_cnt == tcp_storm_thresh )
if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
endpoint->FIN_cnt == tcp_storm_thresh )
Weird("FIN_storm");
// Remember the relative seq in FIN_seq.
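Review bot: The FIN_storm test in ProcessFIN changes meaning, because `FIN_cnt` is now incremented for every FIN before the check. The old `else if` incremented it (through `++endpoint->FIN_cnt == tcp_storm_thresh`) only when the FIN arrived within `tcp_storm_interarrival_thresh`. The comparison is still `==`, so a FIN that brings the count to `tcp_storm_thresh` but arrives outside the interarrival window moves the counter past the threshold without raising `Weird("FIN_storm")`, and later rapid FINs can no longer trigger it. Conversely, slow retransmissions now count toward the storm threshold. Consider keeping a separate counter for FINs inside the interarrival window, or documenting that `FIN_cnt` now means total FINs seen and adjusting the comparison to match. The comment on `++seq_len` could also state that retransmitted FINs are counted deliberately, since that is the point of the change.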