[Oisf-users] Lots of "TCP duplicated option" (SID 2200037) since upgrade to 3.1.1

Brian Keefer chort at effu.se
Mon Jul 25 23:07:09 UTC 2016


On Jul 25, 2016, at 3:44 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Mon, Jul 25, 2016 at 7:15 PM, Brian Keefer <chort at effu.se> wrote:
>> I’m curious if anyone else has run into this. Previously I was on 3.0 RC (I don’t remember which one exactly). Ever since I upgraded our sensors to 3.1.1-release I’ve been seeing hundreds of thousands of “TCP duplicated option” alerts per day. I’m in the process of pulling out some PCAPs to try to see what exactly is going on. It appears the vast majority are being generated by Ubuntu boxes running Postfix, and CentOS boxes running Nagios.
>> 
> 
> It would be very helpful to share the pcap that can be used to further
> analyze that case.
> 
>> --
>> bk
>> 
> 
> -- 
> Regards,
> Peter Manev

In the meantime, I have a question about how this event is supposed to get set. I read the code in decode-tcp.c. I'm no expert in C code or in TCP/IP data structures, so it's not clear to me why it's setting a duplicate option event when DecodeTCPOptions finds an option type value that isn't 0. In the one triggering packet I looked at so far, both sides of the handshake set wscale for instance, but tcpdump didn't show that repeating on the same side again, so I'm a bit lost as to what the event is actually supposed to signify.

--
bk
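As an added illustration of what a "duplicated option" check looks like (example code written for this page, not Suricata's decode-tcp.c and not from anyone in the thread): a walk over one segment's TCP option bytes that flags a kind other than EOL/NOP appearing twice within that same segment. The per-segment `seen` table is reset for every packet, so in this example the same option on a SYN and on the matching SYN/ACK is not a duplicate; the sample option lists are constructed, not taken from a capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP option kinds used below (RFC 793 / RFC 7323 numbering). */
#define TCP_OPT_EOL    0
#define TCP_OPT_NOP    1
#define TCP_OPT_MSS    2
#define TCP_OPT_WS     3
#define TCP_OPT_SACKOK 4
#define TCP_OPT_TS     8

enum { OPT_OK = 0, OPT_DUPLICATE = 1, OPT_INVALID_LEN = 2 };

/* Walk the option bytes of ONE segment and report whether any kind other
 * than EOL/NOP occurs more than once in it. The `seen` table is local to
 * this call, i.e. to this segment; nothing is remembered across packets. */
int tcp_options_check(const uint8_t *opts, size_t len)
{
    uint8_t seen[256] = {0};   /* per-segment "already parsed this kind" flags */
    size_t i = 0;

    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCP_OPT_EOL)
            break;                  /* end of list; anything after is padding */
        if (kind == TCP_OPT_NOP) {  /* one-byte pad, legitimately repeats */
            i++;
            continue;
        }
        if (i + 1 >= len)           /* length byte missing: malformed */
            return OPT_INVALID_LEN;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return OPT_INVALID_LEN; /* length runs past the option area */
        if (seen[kind])
            return OPT_DUPLICATE;   /* same kind twice in this segment */
        seen[kind] = 1;
        i += olen;
    }
    return OPT_OK;
}

/* Constructed sample: a typical SYN option list (MSS, SACK-OK, TS, NOP, WS). */
static const uint8_t syn_opts[] = {
    2,4,0x05,0xb4, 4,2, 8,10,0,0,0,1,0,0,0,0, 1, 3,3,7 };
/* Constructed sample: the same list with a second WS option appended. */
static const uint8_t dup_opts[] = {
    2,4,0x05,0xb4, 4,2, 8,10,0,0,0,1,0,0,0,0, 1, 3,3,7, 3,3,2 };

int main(void)
{
    printf("syn_opts -> %d\n", tcp_options_check(syn_opts, sizeof syn_opts));
    printf("dup_opts -> %d\n", tcp_options_check(dup_opts, sizeof dup_opts));
    return 0;
}
```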

