[Snort-devel] Re: Quick question on Stream4 code.
cmg at ...402...
Fri Aug 23 14:02:04 EDT 2002
"Vinay A. Mahadik" <VAMahadik at ...1463...> writes:
> Here's my confusion - isn't it possible that at around 4% (say) packet
> dropping, we see the first non-SYN packet of a session as coming from
> the server and not from the client? So one situation would be, we miss
> the client's SYN, the server's SYN-ACK, then the client's ACK and any
> possible request from client. And we don't miss the first response 'ACK'
> from the server - as a matter of chance for a particular session.
Then we've picked the response the wrong way. It is possible to be
wrong then but its not very likely to miss both the GET and the
response. The real problem would be if we lost SYNs in preference to
SYN/ACK's and they should be the same sized packets so the odds should
be the same.
> I am not sure if Stream4's detection capability is affected by this
> choice, but I was obsessing over another problem which involved knowing
> the 'direction' of a session based on just a 'partial' view of a
It's built in favor of the more normal way. If you would like to
instrument test cases for it, I'll be glad to point you in the right
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
More information about the Snort-devel