[Oisf-users] How does the TCP reassembler work?

Matthias Vallentin vallentin at icir.org
Sun Aug 21 01:45:04 UTC 2011


I am trying to understand Suricata's TCP reassembler after having
briefly examined the Stream5 implementation of Snort. IIRC, Snort
switched from assembling multiple packets into a large pseudo-packet in
earlier versions to an entirely stream-based approach. By inspecting the
code, I found that Snort abstracts a TCP flow as a series of segments
which can be iterated over.

Does Suricata's reassembler work in the same way, i.e., is it completely
stream-based? When skimming through the code I see functions like

    void StreamTcpPseudoPacketSetupHeader(Packet *, Packet *);
    Packet *StreamTcpPseudoSetup(Packet *parent, uint8_t *pkt, uint32_t len);

that seem to suggest some packetization logic.

Moreover, what is Suricata's strategy in coping with inconsistent
retransmissions, i.e., segments with different data for the same
sequence number space? Does it buffer unacked data and compare
retransmission against the known bytes (which has efficiency issues)?
Does it store a hash of the data (which has boundary issues)?

    Matthias
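An added illustration of the two strategies the question raises, written for this thread and not taken from Suricata or Snort: a toy reassembler that buffers unacked bytes and compares retransmissions against them, beside a digest-based variant that shows why hashing whole segments has boundary problems. Sequence numbers are relative ints (32-bit wraparound is ignored), the "first-seen byte wins" overlap policy is an assumption, and the segments in demo() are constructed, not captured.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# A conflict is (first seq of the disagreeing range, bytes first seen, bytes retransmitted)
Conflict = Tuple[int, bytes, bytes]


class ByteCompareReassembler:
    """Keep every unacked byte keyed by sequence number and compare each new
    segment against it. Relative ints, no 32-bit wraparound (toy assumption)."""

    def __init__(self, next_seq: int) -> None:
        self.next_seq = next_seq            # next byte owed to the application layer
        self.buffer: Dict[int, int] = {}    # seq -> byte; first-seen wins (assumed policy)
        self.conflicts: List[Conflict] = []
        self.delivered = bytearray()        # contiguous stream handed upwards

    def insert(self, seq: int, data: bytes) -> List[Conflict]:
        """Buffer one segment and return the inconsistent ranges it overlaps."""
        found: List[Conflict] = []
        run_start: Optional[int] = None     # offset where a disagreeing run began
        for i, b in enumerate(data):
            old = self.buffer.get(seq + i)
            if old is not None and old != b:
                if run_start is None:
                    run_start = i
                continue                    # keep the byte seen first
            if run_start is not None:       # a matching byte closes the run
                found.append(self._conflict(seq, data, run_start, i))
                run_start = None
            if old is None:
                self.buffer[seq + i] = b
        if run_start is not None:
            found.append(self._conflict(seq, data, run_start, len(data)))
        self.conflicts.extend(found)
        self._deliver()
        return found

    def ack(self, ack_seq: int) -> None:
        """Peer acknowledged everything below ack_seq: release those bytes.
        Retransmissions of them can no longer be checked (the memory trade-off)."""
        for s in [s for s in self.buffer if s < ack_seq]:
            del self.buffer[s]

    def _conflict(self, seq: int, data: bytes, lo: int, hi: int) -> Conflict:
        seen = bytes(self.buffer[seq + k] for k in range(lo, hi))
        return (seq + lo, seen, data[lo:hi])

    def _deliver(self) -> None:
        # Hand bytes upward as soon as they are contiguous from next_seq.
        while self.next_seq in self.buffer:
            self.delivered.append(self.buffer[self.next_seq])
            self.next_seq += 1


class HashReassembler:
    """Store one digest per (seq, len) instead of the bytes. A retransmission
    can only be verified if it reuses exactly the same segment boundaries."""

    def __init__(self) -> None:
        self.digests: Dict[Tuple[int, int], bytes] = {}

    def insert(self, seq: int, data: bytes) -> Optional[bool]:
        """True: matches stored copy. False: inconsistent. None: no digest with
        these boundaries exists, so nothing can be checked."""
        key = (seq, len(data))
        digest = hashlib.sha256(data).digest()
        if key in self.digests:
            return self.digests[key] == digest
        self.digests[key] = digest
        return None


def demo() -> dict:
    """Constructed segments (not a real capture) exercising both strategies."""
    r = ByteCompareReassembler(next_seq=1000)
    first = r.insert(1000, b"GET /index.html HTTP/1.0\r\n")   # seq 1000..1025
    evil = r.insert(1005, b"evil!")                             # same seq space as "index"
    mixed = r.insert(1008, b"e?.html")                          # only seq 1009 disagrees
    same = r.insert(1000, b"GET /index")                        # consistent retransmission

    o = ByteCompareReassembler(next_seq=2000)
    o.insert(2004, b"E")                                        # arrives before its predecessor
    o.insert(2000, b"ABCD")

    h = HashReassembler()
    h.insert(1000, b"GET /index")
    return {
        "first": first, "evil": evil, "mixed": mixed, "same": same,
        "delivered": bytes(r.delivered),
        "out_of_order": bytes(o.delivered),
        "hash_same_boundary": h.insert(1000, b"GET /evil!"),    # False: detected
        "hash_resegmented": h.insert(1000, b"GET /ev"),         # None: boundaries differ, unchecked
    }
```

The byte-compare variant finds every disagreeing range, including one byte inside an otherwise identical retransmission, at the cost of keeping every unacked byte; the digest variant is cheap but silently misses a conflicting retransmission that is re-segmented at different boundaries. Production reassemblers also have to pick which copy the target host would have accepted, which is why they carry a per-host OS overlap policy rather than the fixed first-seen rule assumed here.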


