On Wed, Apr 09, 2003 at 02:57:34PM -0600, Greg Morris wrote:
> I guess if I would have
> just not processed the packet then I would not have had to worry about
> it in the NDPS code.

Yup.

> Either way works for me. I was looking at the
> desegmentation code of other dissectors when I ran into this.

Not all other dissectors that do desegmentation detect retransmissions.

> I didn't
> really think about not passing to the subdissector if retransmitted. Is
> this how the TCP dissector works?

It currently doesn't do a thorough job of detecting retransmissions and
passing retransmitted data only once to subdissectors. If the
retransmission takes place within a reassembly, it should catch that as
that'd be an overlap; however, if there's no reassembly being done, it
doesn't catch retransmissions.

Perhaps it should do so if TCP sequence number analysis is turned on (it
shouldn't necessarily always do it - that'd require a conversation to be
created for every TCP connection, and if it creates a conversation the
first time it sees any segment for a connection, that'd run the risk of
causing it to run out of memory if you try to read a capture of a SYN
flood attack; that issue came up with tcpdump, which, by default,
creates a data structure for every TCP connection so it can show
relative sequence numbers, but that caused problems when trying to read
SYN flood attack captures).
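
Added example, not part of the original message and not Ethereal's or tcpdump's code: one way to detect retransmitted payload per flow while keeping state bounded, so a capture full of SYNs cannot grow memory. All names (`segment_is_new`, `feed_syn_flood`, `FLOW_SLOTS`) and the policy of creating state only for segments that carry payload are assumptions made for this sketch.

```c
#include <stdint.h>

#define FLOW_SLOTS 1024   /* hard cap on tracked flows (value chosen for the example) */

struct flow {
    uint32_t src, dst, next_seq;  /* next_seq: first sequence number not yet seen */
    uint16_t sport, dport;
    int used;
};
static struct flow table[FLOW_SLOTS];
static unsigned flows_in_use;

unsigned tracked_flows(void) { return flows_in_use; }

/* Returns 1 if the payload should go to the subdissector, 0 if the segment
 * is empty or every byte of it was already seen (a retransmission).
 * A partial overlap is reported as new; trimming is left to the caller. */
int segment_is_new(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                   uint32_t seq, uint32_t len)
{
    uint32_t h = (src * 2654435761u) ^ (dst * 40503u) ^ (((uint32_t)sport << 16) | dport);
    struct flow *f = &table[h % FLOW_SLOTS];

    if (len == 0)         /* bare SYN or ACK: nothing to pass on, allocate nothing */
        return 0;
    if (!f->used || f->src != src || f->dst != dst ||
        f->sport != sport || f->dport != dport) {
        /* New flow or slot collision: overwrite the slot, never grow the table. */
        if (!f->used)
            flows_in_use++;
        f->src = src; f->dst = dst; f->sport = sport; f->dport = dport;
        f->next_seq = seq + len;
        f->used = 1;
        return 1;
    }
    /* Signed difference keeps the comparison correct across 32-bit wrap-around. */
    if ((int32_t)(seq + len - f->next_seq) <= 0)
        return 0;
    f->next_seq = seq + len;
    return 1;
}

/* Constructed input: n payload-free SYNs from n distinct sources. */
unsigned feed_syn_flood(unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        segment_is_new(0x0a000000u + i, 0xc0a80001u, (uint16_t)(1024 + i % 60000), 80, i * 7919u, 0);
    return tracked_flows();
}
```

The trade-off of the fixed table is that a slot collision silently forgets the older flow, so a retransmission on that flow would be passed on again.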