[Snort-users] Logging retransmitted pkts.
mkettler at ...4108...
Tue Feb 1 13:20:19 EST 2005
At 09:33 PM 1/31/2005, Mike Mestnik wrote:
>I see this as being one more field in the connection table for the current
>end of the window. If we see data less than this number it's old data
>being sent again.
True. As I said, you might be able to hack snort's stream4 to do this.
However, since it has nothing to do with intrusion detection, it really has
nothing to do with Snort's purpose in life. Hence, it's a waste of memory
and CPU time for Snort to check for this, no matter how small the overhead.
Don't get me wrong in thinking I'm saying such a patch is useless. It
would be useful for network analysis and monitoring, but it's not useful to
I think the main reason such a tool does not exist is visible when you look
at the market of existing products:
I know of no sniffers other than IDS's that maintain any sort of state table at
all. tcpdump, Ethereal, etc. are stateless. Thus, plain "packet dump" tools
can't do this. They are trying to be fast and easily readable, nothing more.
Many IDS's are stateful, but are focused on a completely different mission
and need to be tuned to be as fast as possible for that mission. Thus IDS's
won't do this because it slightly hurts their performance and offers no
benefit in terms of their actual purpose.
I don't know of any "stateful network performance analysis" products, which
is where such a tool as you describe would fit. Perhaps there is such a
tool out there, but it's not within my knowledge.
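The per-connection check Mike describes above (keep the highest end-of-data sequence number seen for each flow; any payload that starts below it is old data being sent again) is small enough to sketch in full. The script below is an added illustration written for this thread; it is not Snort or stream4 code, and the flow key, the state names it returns and the segments it feeds in are all constructed for the example. It handles the 32-bit sequence wrap and distinguishes a full retransmission from a partial one that also carries new bytes.

```python
"""Flag TCP retransmissions by tracking, per connection, the highest
end-of-data sequence number seen so far ("the current end of the window").

Added example for the discussion above; not Snort/stream4 code.
All segments below are constructed, not captured traffic.
"""

from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment (assumed field names for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes carried


def seq_lt(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit sequence space (wrap-safe compare)."""
    return ((a - b) % MOD) >= (MOD >> 1)


class RetransmissionTracker:
    """One extra field per flow: the highest end-of-data sequence seen."""

    def __init__(self) -> None:
        self.high_end: dict[tuple, int] = {}

    def observe(self, seg: Segment) -> str:
        # Unidirectional flow key; each direction is tracked separately.
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.length == 0:
            return "empty"          # pure ACK/SYN/FIN; nothing to judge here
        end = (seg.seq + seg.length) % MOD
        prev = self.high_end.get(key)
        if prev is None:
            self.high_end[key] = end
            return "new"
        if seq_lt(seg.seq, prev):
            # Payload starts below the highest end already seen: old data.
            if seq_lt(prev, end):
                # It also reaches beyond what we had, so advance the mark.
                self.high_end[key] = end
                return "partial-retransmission"
            return "retransmission"
        # Fresh data. seq > prev means earlier bytes were not seen (a gap).
        self.high_end[key] = end
        return "new" if seg.seq == prev else "new-gap"


def classify_all(segments: list[Segment]) -> list[str]:
    """Run every segment through one tracker and return the verdicts in order."""
    tracker = RetransmissionTracker()
    return [tracker.observe(s) for s in segments]


# Constructed sample: one client->server flow, then a flow crossing the wrap.
SAMPLE = [
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1000, 100),       # new
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1100, 100),       # new
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1000, 100),       # retransmission
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1150, 100),       # partial-retransmission
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1400, 100),       # new-gap
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1250, 150),       # retransmission (see note)
    Segment("10.0.0.2", 80, "10.0.0.1", 40000, 5000, 0),         # empty
    Segment("10.0.0.3", 50000, "10.0.0.4", 443, 0xFFFFFF00, 0x200),   # new (wraps)
    Segment("10.0.0.3", 50000, "10.0.0.4", 443, 0x100, 10),           # new
    Segment("10.0.0.3", 50000, "10.0.0.4", 443, 0xFFFFFF80, 10),      # retransmission
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, classify_all(SAMPLE)):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"seq={seg.seq} len={seg.length}: {verdict}")
```

The sixth sample segment shows the limitation of keeping only the high-water mark: a segment that fills an earlier gap (bytes 1250-1399 arriving after 1400-1499) is reported as a retransmission even though it is the first time those bytes were seen. Telling the two apart needs a per-flow list of received ranges rather than a single field, which is exactly the extra state and CPU cost the reply above is weighing against an IDS's actual job.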