[Snort-users] TCP Reassembly

Siddhartha Jain s_i_d_j at ...131...
Thu Mar 15 12:59:28 EST 2001


I am running this on a Sparc/Solaris 2.6 box. Are there any tcp/ip
parameters i can tune to solve this?

Siddhartha

----- Original Message -----
From: "Christopher E. Cramer" <chris.cramer at ...799...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, March 15, 2001 11:19 PM
Subject: Re: [Snort-users] TCP Reassembly


>
> It means that the TCP Reassembler may be a bit confused, probably due to
> packet loss.  The reassembler allocates space in which to perform
> tcp reassembly.  The size of this buffer is based on the known window size
> and how much data you want to keep around at any one time.  The
> reassembler creates packets from this buffer when it sees an ACK of the
> data.  If you are experiencing packet loss, you might not see the ACK and
> the data may be left in for too long.  It is also possible that the server
> has changed its tcp window size causing the screw up.
>
> The quick and dirty solution is to ignore it.  The better solution is to
> upgrade to the version in the CVS which handles memory differently.
>
> -Chris
>
> On Thu, 15 Mar 2001, Siddhartha Jain wrote:
>
> > Hi,
> >
> > I get the following logs in /var/adm/messages :-
> >
> > Mar 15 10:27:15 e220r snort: [!] WARNING: TCP stream reassembler, Server
> > Bytes in Buffer > Buffer Size (29938 > 25144)
> >
> > What does this mean?
> >
> > Siddhartha
> >
> >
> >
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> >


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com





More information about the Snort-users mailing list