[Snort-devel] Stream4 reassembly

b d moncomptesecret at ...445...
Mon May 5 12:42:07 EDT 2003


I am trying to understand how Stream4 reassembles TCP segments
into a datagram

more precisely when it decides to flush a reassembled stream using 
FlushStream()

if it encounters the end of the connection then it is a clear boundary
but if the action is ACTION_ACK_CLIENT_DATA or ACTION_ACK_SERVER_DATA
(in TCPAction) then it will use the following test to decide whether to flush 
the stream or not

......
if((ssn->client.last_ack - ssn->client.base_seq) > ssn->flush_point
                   && ubi_trCount(s->dataPtr) > 1)

or
if((ssn->server.last_ack - ssn->server.base_seq) > ssn->flush_point
                   && ubi_trCount(s->dataPtr) > 1)
......

given that flush_point will be a value less than 250 (Bytes I assume)
it seems to me that we would almost always flush after every other packet 
(because of the ubi_trCount() > 1 test)

Is this reasoning correct?

What is the logic behind the values in flush_point[] = {...} in 
spp_stream4.c?

I would have expected the values in flush_points[] to be in the range of 
several thousand bytes (which leads me to believe that I am missing an 
important point here)?

any input you might have on this would be greatly appreciated
thanks
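
A small model of the flush test quoted above, added here as an example and not taken from spp_stream4.c or from the original post: it counts how often the test fires for large and for small segments. It assumes every segment is acknowledged as it arrives and that a flush advances base_seq to last_ack and empties the segment queue; the flush point of 200 and the starting sequence number are constructed values.

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified model of one direction of a tracked session.
 * Field names follow the excerpt quoted in the post; how base_seq and
 * the segment count change on a flush is an assumption of this model. */
struct stream_model {
    uint32_t base_seq;   /* sequence number where unflushed data starts */
    uint32_t last_ack;   /* highest sequence number acknowledged so far */
    unsigned seg_count;  /* stands in for ubi_trCount(s->dataPtr) */
};

/* The test quoted in the post, with the model's fields substituted. */
static int should_flush(const struct stream_model *s, uint32_t flush_point)
{
    return (s->last_ack - s->base_seq) > flush_point && s->seg_count > 1;
}

/* Feed n_segs equally sized segments, each acknowledged on arrival,
 * and return how many flushes the test triggers. */
unsigned count_flushes(uint32_t seg_len, unsigned n_segs, uint32_t flush_point)
{
    struct stream_model s = { 1000u, 1000u, 0 };  /* constructed start */
    unsigned flushes = 0;

    for (unsigned i = 0; i < n_segs; i++) {
        s.seg_count++;           /* segment queued for reassembly */
        s.last_ack += seg_len;   /* peer acknowledges it */
        if (should_flush(&s, flush_point)) {
            flushes++;
            s.base_seq = s.last_ack;  /* assumed: flush consumes acked data */
            s.seg_count = 0;          /* assumed: queue is emptied */
        }
    }
    return flushes;
}

int main(void)
{
    const uint32_t fp = 200;  /* constructed value below 250 */
    printf("1460-byte segments: %u flushes in 100 segments\n",
           count_flushes(1460, 100, fp));
    printf("  10-byte segments: %u flushes in 100 segments\n",
           count_flushes(10, 100, fp));
    return 0;
}
```

Under these assumptions full-size segments are flushed in pairs, as the post reasons, while a stream of 10-byte segments is flushed only once 21 of them have been acknowledged.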









