Re: Making my own IDS... how to detect packet loss ?



On Wed, Jul 15, 2009 at 6:09 PM, Jonathon <thejunkjon@xxxxxxxxx> wrote:
I am writing my own IDS.  I have a packet sniffer + TCP reassembler
that I've written.  For each stream I detect, I have to keep some
state + a buffer of the packets for the stream.  However, a problem
that I've run into is that sometimes packets could get lost (meaning I
do not capture them, but they were actually sent/received between two
hosts on the network).  If I do drop the packets, my current
implementation gets all messed up since I never end up freeing the
resources I've allocated for that stream.  So, lost packets seem to be
the bane of my current implementation.

My question is (assuming all TCP streams), how can I determine whether
a packet is lost by just looking at packets that I currently have in
my buffer?

The packets could come in any order so just because I receive a packet
with seq #N, doesn't mean that a packet with seq #N-1 was sent.

I hope this is the appropriate mailing list for my question.

If you track the values of the ACKs in packets then you'll know when
you've dropped one or more TCP segments which were received by the
other end.

Example:

Assume the server sends 3 packets with sequence numbers of 10, 50 and 100,
but you only see 10 & 100. If the client only ACKs 10, then you
know it didn't see 50 either. But if it ACKs 100 then you know it
saw data you missed.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin
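The ACK-tracking idea from the reply above, written out as an added example (this is not code from the thread or from either poster). It keeps, per direction of one TCP stream, the payload byte ranges the sniffer actually captured; whenever the peer acknowledges a byte past a hole in those ranges, the hole is data that reached the peer but was never captured, which is exactly the "lost" segment the original question asks about. The reassembler can then stop waiting for it and free the buffers. The `Segment` class, the "server"/"client" labels and the sample sequence numbers are constructed for the example; ACK numbers follow the standard meaning (next byte the sender expects), and the code assumes absolute sequence numbers with no 32-bit wraparound and takes each direction's starting point from the first captured segment (with a captured SYN you would use ISN+1 instead).

```python
"""Detecting never-captured TCP segments from the peer's ACK numbers.

Added example, not code from the original thread. One TCP stream is two
half-streams; for each we record the [start, end) payload byte ranges
the sniffer saw. When the other side ACKs beyond a gap in those ranges,
the gap was on the wire but missed by the capture.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # half-open [start, end) of TCP payload bytes


@dataclass
class Segment:
    """Constructed stand-in for a decoded TCP segment (assumption)."""
    src: str          # "server" or "client"
    seq: int          # sequence number of the first payload byte
    payload_len: int  # bytes of data carried; 0 for a pure ACK
    ack: int          # next byte the sender expects from its peer


def merge(ranges: List[Range]) -> List[Range]:
    """Sort and coalesce overlapping or adjacent byte ranges."""
    out: List[Range] = []
    for s, e in sorted(ranges):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


def gaps_below(ranges: List[Range], start: int, ack: int) -> List[Range]:
    """Byte ranges within [start, ack) not covered by any captured range.

    Everything below `ack` was received by the peer, so any hole here is
    data that existed on the wire but the sniffer never captured.
    """
    gaps: List[Range] = []
    cursor = start
    for s, e in merge(ranges):
        if s >= ack:
            break
        if s > cursor:
            gaps.append((cursor, min(s, ack)))
        cursor = max(cursor, e)
    if cursor < ack:
        gaps.append((cursor, ack))
    return gaps


@dataclass
class HalfStream:
    start: Optional[int] = None                      # first seq seen
    captured: List[Range] = field(default_factory=list)


class StreamTracker:
    """Tracks one connection; reports lost ranges as the peer ACKs past them."""

    def __init__(self) -> None:
        self.half: Dict[str, HalfStream] = {"server": HalfStream(),
                                            "client": HalfStream()}

    @staticmethod
    def _peer(src: str) -> str:
        return "client" if src == "server" else "server"

    def observe(self, seg: Segment) -> List[Range]:
        """Record a captured segment and return the byte ranges, sent by the
        peer of `seg.src`, that this ACK proves were delivered but were
        never captured (empty list when nothing is missing)."""
        mine = self.half[seg.src]
        if mine.start is None:
            mine.start = seg.seq
        if seg.payload_len:
            mine.captured = merge(mine.captured +
                                  [(seg.seq, seg.seq + seg.payload_len)])
        other = self.half[self._peer(seg.src)]
        if other.start is None:      # nothing captured from the peer yet
            return []
        lost = gaps_below(other.captured, other.start, seg.ack)
        # Once the peer has acknowledged past a hole the reassembler can stop
        # waiting for it: fill the hole so buffers up to `ack` can be flushed
        # and the same loss is reported only once.
        if lost:
            other.captured = merge(other.captured + lost)
        return lost


if __name__ == "__main__":
    # The scenario from the reply: server sends seq 10, 50 and 100 (40, 50
    # and 50 bytes); the sniffer captures only 10 and 100.
    t = StreamTracker()
    t.observe(Segment("server", 10, 40, 1000))
    t.observe(Segment("server", 100, 50, 1000))
    print("client ACKs 50 ->", t.observe(Segment("client", 1000, 0, 50)))
    print("client ACKs 150 ->", t.observe(Segment("client", 1000, 0, 150)))
```

In the scenario at the bottom, the first ACK (50) covers only the bytes the sniffer captured, so nothing is reported; the second ACK (150) acknowledges past the hole, and `observe` returns `[(50, 100)]`, the bytes of the segment at seq 50 that were delivered but never captured. Feeding the returned ranges into the reassembler as "give up on these bytes" is what lets the stream state be released instead of waiting forever. SACK blocks from the peer can be folded in the same way (each block proves delivery of a range), and a real implementation must handle sequence-number wraparound with modular comparison.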
