[Snort-users] TCP Reassembly
s_i_d_j at ...131...
Thu Mar 15 12:59:28 EST 2001
I am running this on a Sparc/Solaris 2.6 box. Are there any TCP/IP
parameters I can tune to solve this?
----- Original Message -----
From: "Christopher E. Cramer" <chris.cramer at ...799...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, March 15, 2001 11:19 PM
Subject: Re: [Snort-users] TCP Reassembly
> It means that the TCP Reassembler may be a bit confused, probably due to
> packet loss. The reassembler allocates space in which to perform
> TCP reassembly. The size of this buffer is based on the known window size
> and how much data you want to keep around at any one time. The
> reassembler creates packets from this buffer when it sees an ACK of the
> data. If you are experiencing packet loss, you might not see the ACK and
> the data may be left in for too long. It is also possible that the server
> has changed its TCP window size causing the screw up.
> The quick and dirty solution is to ignore it. The better solution is to
> upgrade to the version in the CVS which handles memory differently.
> On Thu, 15 Mar 2001, Siddhartha Jain wrote:
> > Hi,
> > I get the following logs in /var/adm/messages :-
> > Mar 15 10:27:15 e220r snort: [!] WARNING: TCP stream reassembler, Server
> > Bytes in Buffer > Buffer Size (29938 > 25144)
> > What does this mean?
> > Siddhartha
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
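The mechanism described in the quoted reply, as an added example that is not part of the original thread and is not Snort's code: a simplified Python model of a reassembly buffer that is flushed only when the sensor sees an ACK, replayed over a clean trace and over one where the sensor misses an ACK. The class name, the window-times-two sizing rule and the packet traces are assumptions constructed for illustration.

```python
# Simplified model of an ACK-driven reassembly buffer. Not Snort's code:
# the class, the "window * 2" sizing and all traces are assumptions.

class ServerStreamBuffer:
    def __init__(self, window, windows_kept=2):
        # Capacity is fixed at allocation from the window known at that time.
        self.size = window * windows_kept
        self.base_seq = 0   # sequence number of the first buffered byte
        self.pending = 0    # bytes buffered and not yet flushed
        self.warnings = []

    def on_data(self, length):
        """Sensor saw a data segment from the server."""
        self.pending += length
        if self.pending > self.size:
            self.warnings.append(
                "Server Bytes in Buffer > Buffer Size (%d > %d)"
                % (self.pending, self.size))

    def on_ack(self, ack_seq):
        """Sensor saw the client's ACK: flush everything it acknowledges."""
        acked = max(0, min(ack_seq - self.base_seq, self.pending))
        self.base_seq += acked
        self.pending -= acked
        return acked


def replay(events, window):
    """Feed ('data', length) / ('ack', seq) events as the sensor saw them."""
    buf = ServerStreamBuffer(window)
    for kind, value in events:
        if kind == "data":
            buf.on_data(value)
        else:
            buf.on_ack(value)
    return buf


SEG = 1460  # constructed segment size
# Constructed traces: the sensor sees every packet ...
HEALTHY = [("data", SEG)] * 4 + [("ack", 4 * SEG)] + [("data", SEG)] * 4 + [("ack", 8 * SEG)]
# ... versus the sensor dropping the first ACK (the endpoints still saw it).
LOSSY = [("data", SEG)] * 8 + [("ack", 8 * SEG)]

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("lossy", LOSSY)):
        buf = replay(trace, window=4096)
        print(name, "pending:", buf.pending, "warnings:", buf.warnings)
```

In the lossy trace the model logs the warning until a later ACK arrives and drains the buffer, which matches the reply's point that the message reflects what the sensor missed rather than a fault in the monitored connection.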