From: Victor Julien <victor@inliniac.net>
Date: Mon, 21 Sep 2015 13:01:56 +0000 (+0200)
Subject: stream: improve retransmission detection
X-Git-Tag: suricata-3.0RC1~138
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff769b73a77bcaaa234a9b32f1977045af51cc2b;p=thirdparty%2Fsuricata.git

stream: improve retransmission detection

Consider packets starting before last_ack and ending after it also
to be retransmissions. This way we can see if they are having
different data.
---

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index a4dcf41443..9dce70709e 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -798,6 +798,13 @@ static int StreamTcpPacketIsRetransmission(TcpStream *stream, Packet *p)
     if (p->payload_len == 0)
         SCReturnInt(0);
 
+    /* retransmission of already partially ack'd data */
+    if (SEQ_LT(TCP_GET_SEQ(p), stream->last_ack) && SEQ_GT((TCP_GET_SEQ(p) + p->payload_len), stream->last_ack))
+    {
+        StreamTcpSetEvent(p, STREAM_PKT_RETRANSMISSION);
+        SCReturnInt(1);
+    }
+
     /* retransmission of already ack'd data */
     if (SEQ_LEQ((TCP_GET_SEQ(p) + p->payload_len), stream->last_ack)) {
         StreamTcpSetEvent(p, STREAM_PKT_RETRANSMISSION);
@@ -810,8 +817,8 @@ static int StreamTcpPacketIsRetransmission(TcpStream *stream, Packet *p)
         SCReturnInt(2);
     }
 
-    SCLogDebug("seq %u payload_len %u => %u, last_ack %u", TCP_GET_SEQ(p),
-            p->payload_len, (TCP_GET_SEQ(p) + p->payload_len), stream->last_ack);
+    SCLogDebug("seq %u payload_len %u => %u, last_ack %u, next_seq %u", TCP_GET_SEQ(p),
+            p->payload_len, (TCP_GET_SEQ(p) + p->payload_len), stream->last_ack, stream->next_seq);
     SCReturnInt(0);
 }