I really like those ideas, especially the logarithmic count. How much would it cost to have an event fired when those thresholds are crossed?
> On Jun 15, 2018, at 10:41 AM, Vern Paxson <v...@corelight.com> wrote:
>
> I'm working on two enhancements to the $history tracking for connections
> that I thought I'd tee them up for comments.
>
> (1) A new history element, 'W'/'w', which means that a TCP receiver
> advertised a zero window, indicating that the corresponding process
> was unable to keep up with the incoming data. (This element is omitted
> in cases where zero windows aren't problematic: initial SYNs, and after
> FINs or RSTs.)
>
> (2) A notion of "logarithmic counts" for history events: for certain
> events ('C' = checksum, 'T' = retransmission, and 'W' = zero window)
> the count is repeated on the 10th/100th/1000th/etc. occurrence. So a
> history value of 'ttt' means that the responder sent somewhere between
> 100 and 999 retransmissions. This is useful because for large
> connections, a single checksum error, retransmission, or zero window
> is much less significant for analyzing performance issues than a whole
> bunch of these.
>
> Comments?
>
> Vern
> _______________________________________________
> bro-dev mailing list
> bro-dev@bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
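A small Python model of the two proposed history rules, added here as an illustration and not code from the thread or from Bro itself: it records a log-counted letter on every power-of-ten occurrence and decodes a finished history string back into the event-count range it implies. It assumes the usual Bro convention that upper case marks the originator and lower case the responder, and simplifies all other letters to being recorded once; the sample event sequence is constructed.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# Letters the proposal puts under logarithmic counting: checksum error,
# retransmission and zero window. Upper case = originator, lower = responder.
LOG_COUNTED = set("ctw")


def records_on(n: int) -> bool:
    """True when the n-th occurrence (1-based) appends a letter, i.e. when
    n is a power of ten: the 1st, 10th, 100th, 1000th, ... occurrence."""
    if n < 1:
        return False
    while n % 10 == 0:
        n //= 10
    return n == 1


def build_history(events: Iterable[str]) -> str:
    """Assemble a history string from a per-segment event letter sequence.
    Log-counted letters repeat on every power-of-ten occurrence; every other
    letter is recorded once (a simplifying assumption for this example)."""
    seen: Counter = Counter()
    history = []
    for letter in events:
        seen[letter] += 1
        if letter.lower() in LOG_COUNTED:
            if records_on(seen[letter]):
                history.append(letter)
        elif seen[letter] == 1:
            history.append(letter)
    return "".join(history)


def decode_counts(history: str) -> Dict[str, Tuple[int, int]]:
    """Translate repeated log-counted letters back into the range of events
    they imply: k repeats means between 10^(k-1) and 10^k - 1 occurrences."""
    repeats = Counter(ch for ch in history if ch.lower() in LOG_COUNTED)
    return {ch: (10 ** (k - 1), 10 ** k - 1) for ch, k in repeats.items()}


# Constructed sample: handshake and data both ways, then the responder
# retransmits 250 segments and advertises a zero window 12 times.
SAMPLE_EVENTS = list("ShADad") + ["t"] * 250 + ["w"] * 12

if __name__ == "__main__":
    h = build_history(SAMPLE_EVENTS)
    print(h)  # ShADadtttww
    for letter, (lo, hi) in sorted(decode_counts(h).items()):
        side = "responder" if letter.islower() else "originator"
        print(f"{letter}: {side} {lo}..{hi} occurrences")
```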