Connections that receive out-of-order packets will try to coalesce these packets until they receive the "next sequence" that they've been waiting for; then these contiguous TCP segments are pushed to the "stream"... However we must set a limit to the amount of time we are willing to await the "next sequence"... and if max time has been reached we skip over this next sequence and flush contiguous coalesced packets up to the assembled stream.
Put it another way: gopacket.tcpassembly has got some excellent design... and in their API FlushOlderThan is used for this purpose.
It turns out that we need to do this correctly to fix a bug with analyzing pcap files. In other words... a pcap file could represent a TCP stream with out-of-order packets... the "next Sequence" gap may never be filled... but we should still analyze those packets for the injection overlap case. And further, we should push the stream segments along our normal processing pipeline.
This eventual action of pushing uncoalesced out-of-order TCP stream segments should then be triggered by the timestamp that is paired with the packet. When processing a pcap file we will utilize the timestamp found in the pcap file; when doing live packet capture we can use the wall clock.
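A sketch of the flush behaviour discussed in this issue, added here as an example; it is not this project's code and not gopacket's implementation. The `segment`, `stream` and `replay` names are hypothetical, the sample data is constructed, and the sketch ignores sequence wraparound and does not analyze overlapping segments.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

type segment struct { seq uint32; data string; seen time.Time } // seen: the packet's capture timestamp
type stream struct { // one direction of a connection (hypothetical; sequence wraparound ignored)
	next    uint32    // the "next sequence" being awaited
	pending []segment // out-of-order segments, sorted by seq
	out     string    // bytes pushed to the assembled stream
	skipped uint32    // sequence space skipped over unfilled gaps
}
// add buffers seg, then pushes every buffered segment that is now contiguous.
func (s *stream) add(seg segment) {
	s.pending = append(s.pending, seg)
	sort.Slice(s.pending, func(i, j int) bool { return s.pending[i].seq < s.pending[j].seq })
	for ; len(s.pending) > 0 && s.pending[0].seq <= s.next; s.pending = s.pending[1:] {
		if h := s.pending[0]; h.seq == s.next { // h.seq < next: overlap, dropped unanalyzed here
			s.out, s.next = s.out+h.data, s.next+uint32(len(h.data))
		}
	}
}
// flushOlderThan skips a gap once the segment waiting behind it was seen before cutoff.
func (s *stream) flushOlderThan(cutoff time.Time) {
	for len(s.pending) > 0 && s.pending[0].seen.Before(cutoff) {
		h := s.pending[0]
		s.skipped, s.next, s.pending = s.skipped+h.seq-s.next, h.seq, s.pending[1:]
		s.add(h) // pushes h and anything contiguous behind it
	}
}
// replay clocks the flush with packet timestamps, so a pcap file behaves like live capture.
func replay(isn uint32, segs []segment, maxWait time.Duration) *stream {
	s := &stream{next: isn}
	for _, seg := range segs {
		s.flushOlderThan(seg.seen.Add(-maxWait))
		s.add(seg)
	}
	s.flushOlderThan(time.Unix(1<<40, 0)) // end of capture: remaining gaps will never fill
	return s
}

func main() {
	t0 := time.Unix(1700000000, 0) // constructed sample: bytes 1004-1009 never arrive
	segs := []segment{{1000, "GET ", t0}, {1010, "HTTP", t0.Add(time.Second)}}
	fmt.Printf("%+v\n", *replay(1000, segs, 30*time.Second))
}
```

For live capture, the cutoff passed to `flushOlderThan` would be derived from the wall clock instead of the next packet's timestamp.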