Hosting Provided By

[Snort-devel] beginner, please help. I have a puzzle of StoreStreamPkt() in spp_stream4.c

From: Ôø Ð¡Á¢ <e_zxl(at)hotmail.com>
Date: Tue Jul 22 2003 - 02:34:06 EDT

Hello,

I think there's something wrong when snort tries to reassemble TCP stream in StoreStreamPkt() function in spp_stream4.c. In StoreStreamPkt(), if it finds out the packet we just receive is un-ack'd, then it looks for this packet in the tree like this:

returned = (CStreamPacketData *) s->dataPtr->SptFind((ItemPtr)spd);

If it finds a packet in the tree which has the same sequence number as that of this new packet, which means the "returned" variable is not NULL, then it compares the two packets' data size. There're three possibilities: equal, larger or smaller. In all these three possibilities, if the end sequence number (that is the sequence number plus data size) of the new packet is larger than the sequence number we expect to receive, then remove the old one and insert the new one into the tree. If it doesn't find a packet in the tree which has the same sequence number as that of the new packet , which means the "returned" variable is NULL, then just insert the new packet into the tree. In one word, StoreStreamPkt() uses a lot of conditional sentences just to do one thing: if it finds a packet already in the tree has the same sequence number as the packet we just receive, remove the old one and insert the new one; if it doesn't, just insert the new one into the tree.

The reason for removing the old packet in the tree is that retransmitted segments can include more or less data than the original. But the point is it's not enough just using removing and inserting mechanism. In "TCP/IP Illustrated Volume 2: The Implementation" Stevens gave an example of data out of order in chapter 27 "TCP Function"( exactly in 27.9.2 "TCP_REASS Function") like this: there're already two segments existing, one containing octets from 4 to 8, the other containing octets from 10 to15. Then the new segments arrives and it containes octets from 7 to 10. See, there're repeated octets in all these three segments. How can StoreStreamPkt() deal with this case by just using removing and inserting mechanism--no old one in the tree so just insert the new one into the tree or an old one already there just remove it and inset the new one?

Best regards

Daisy

Ê¹ÓÃ MSN Messenger ÓëÁª»úµÄÅóÓÑ½øÐÐ½»Á÷ ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-devel mailing list Snort-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Tue Jul 22 13:45:06 2003

This message: [ Message body ]
Next message: Ôø Ð¡Á¢: "[Snort-devel] beginners,pls help. A puzzle about StoreStreamPkt() in spp_stream4.c"
Previous message: Atul Shrivastava: "[Snort-devel] Cisco IOS Interface Blocked by IPv4 Packets"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT