[Snort-users] TCP Reassembly

Christopher E. Cramer chris.cramer at ...799...
Thu Mar 15 12:49:04 EST 2001


It means that the TCP Reassembler may be a bit confused, probably due to
packet loss.  The reassembler allocates space in which to perform
TCP reassembly.  The size of this buffer is based on the known window size
and how much data you want to keep around at any one time.  The
reassembler creates packets from this buffer when it sees an ACK of the
data.  If you are experiencing packet loss, you might not see the ACK and
the data may be left in for too long.  It is also possible that the server
has changed its TCP window size, causing the screw-up.

The quick and dirty solution is to ignore it.  The better solution is to
upgrade to the version in the CVS which handles memory differently.

-Chris

On Thu, 15 Mar 2001, Siddhartha Jain wrote:

> Hi,
> 
> I get the following logs in /var/adm/messages :-
> 
> Mar 15 10:27:15 e220r snort: [!] WARNING: TCP stream reassembler, Server
> Bytes in Buffer > Buffer Size (29938 > 25144)
> 
> What does this mean?
> 
> Siddhartha

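A simplified model of the behaviour described in the reply above, added here as an illustration; it is not Snort's reassembler code. The struct and function names, the 1460-byte segment size and the starting sequence number are assumptions; 25144 is the buffer size from the quoted warning.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of an ACK-flushed reassembly buffer; hypothetical names,
 * not Snort's data structures. */
struct stream_buf {
    uint32_t capacity;  /* fixed size chosen from the window seen at setup */
    uint32_t base_seq;  /* sequence number of the oldest buffered byte */
    uint32_t buffered;  /* bytes captured but not yet seen ACKed */
    unsigned warnings;  /* times "bytes in buffer > buffer size" was hit */
};

static void on_data(struct stream_buf *b, uint32_t len) {
    b->buffered += len;
    if (b->buffered > b->capacity) b->warnings++;
}

/* Flush everything covered by an observed ACK; returns bytes flushed. */
static uint32_t on_ack(struct stream_buf *b, uint32_t ack) {
    int32_t acked = (int32_t)(ack - b->base_seq); /* wrap-safe distance */
    if (acked <= 0) return 0;                     /* stale or duplicate ACK */
    if ((uint32_t)acked > b->buffered) acked = (int32_t)b->buffered;
    b->base_seq += (uint32_t)acked;
    b->buffered -= (uint32_t)acked;
    return (uint32_t)acked;
}

/* The receiver ACKs every segment, but the sensor only observes ACK i when
 * seen[i] is nonzero (0 = the sensor dropped it). Returns peak occupancy. */
static uint32_t simulate(struct stream_buf *b, uint32_t seg_len,
                         const int *seen, int n) {
    uint32_t seq_end = b->base_seq, peak = 0;
    for (int i = 0; i < n; i++) {
        on_data(b, seg_len);
        seq_end += seg_len;
        if (b->buffered > peak) peak = b->buffered;
        if (seen[i]) on_ack(b, seq_end);
    }
    return peak;
}

int main(void) {
    int lost[21] = {0};
    lost[20] = 1; /* constructed input: first 20 ACKs missed, 21st seen */
    struct stream_buf b = {25144, 1000, 0, 0};
    uint32_t peak = simulate(&b, 1460, lost, 21);
    printf("peak=%u warnings=%u left=%u\n", (unsigned)peak, b.warnings, (unsigned)b.buffered);
    return 0;
}
```

In this model the buffer drains as soon as one later ACK is observed, so the warning condition is transient.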