[Oisf-users] TCP reassembly gaps
Seth Hall
seth at icir.org
Sat Apr 21 12:02:52 UTC 2012
On Apr 21, 2012, at 6:19 AM, Chris Wakelin wrote:
> The other odd thing of course is that the switch is VLAN-tagging packets
> in one direction only, which might be confusing things.
I would kind of expect RSS to get messed up with the VLAN tagged packets in one direction. Have you tried disabling that?
For Bro we have a script that does the gap counting and reporting in production. It's the same technique that wireshark uses for it's gap reporting, but you can run it all the time on live traffic with Bro. The script is named "misc/capture-loss" and I can help you out with it if you're interested.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Oisf-users
mailing list