Open Information Security Foundation (https://redmine.openinfosecfoundation.org/)
Suricata - Documentation #5267: Meaning of insert_list_fail counter
Victor Julien (victor@inliniac.net), 2022-04-14T08:25:35Z (https://redmine.openinfosecfoundation.org/issues/5267?journal_id=22985)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/22985/diff?detail_id=23645">diff</a>)</li></ul>
Victor Julien (victor@inliniac.net), 2022-04-14T08:55:01Z (https://redmine.openinfosecfoundation.org/issues/5267?journal_id=22986)
<p>These are spurious retransmissions. We will classify a packet as such if it is a data packet that is entirely before our <code>last_ack</code> or <code>base_seq</code>. <code>base_seq</code> is the sequence number of where our window or reassembled data starts. It can only go up, so anything before it is considered invalid.</p>
<p>I'm working on some code to change the handling of those, see:</p>
<p><a class="external" href="https://github.com/OISF/suricata/pull/7166/commits/44e6ae711b8fc0357226903f500fcf1514bba0e0">https://github.com/OISF/suricata/pull/7166/commits/44e6ae711b8fc0357226903f500fcf1514bba0e0</a><br /><a class="external" href="https://github.com/OISF/suricata/pull/7166/commits/8bf5ed3567288dc481a53fcd2b88c86ab7b51689">https://github.com/OISF/suricata/pull/7166/commits/8bf5ed3567288dc481a53fcd2b88c86ab7b51689</a></p>
Sachin Desai, 2022-04-14T10:11:54Z (https://redmine.openinfosecfoundation.org/issues/5267?journal_id=22987)
<p>Thanks a ton for the quick response. This helps.</p>
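<p>The classification described in the 08:55 reply above, sketched as an added example (not code from Suricata or from this thread). The names <code>stream_view</code>, <code>seq_leq</code>, <code>advance_base_seq</code> and <code>is_spurious_retransmission</code> are hypothetical, and reading "entirely before" as "segment end at or before the reference point" is an assumption.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not Suricata's code. */

/* Wraparound-safe "a is at or before b" for 32-bit TCP sequence numbers. */
static int seq_leq(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) <= 0;
}

struct stream_view {
    uint32_t last_ack; /* highest ACK seen for this direction */
    uint32_t base_seq; /* where the window / reassembled data starts */
};

/* base_seq only moves forward; a request to move it back is ignored. */
static void advance_base_seq(struct stream_view *s, uint32_t new_base)
{
    if (!seq_leq(new_base, s->base_seq))
        s->base_seq = new_base;
}

/* Returns 1 when a data segment lies entirely before last_ack or base_seq.
 * Assumption: "entirely before" means the segment's end (seq + len) is at
 * or before the reference point. Segments without payload are not data
 * packets and are never classified this way. */
static int is_spurious_retransmission(const struct stream_view *s,
                                      uint32_t seq, uint32_t payload_len)
{
    if (payload_len == 0)
        return 0;
    uint32_t end = seq + payload_len; /* wraps modulo 2^32, as TCP does */
    return seq_leq(end, s->last_ack) || seq_leq(end, s->base_seq);
}

int main(void)
{
    /* Constructed sample state and segments. */
    struct stream_view s = { .last_ack = 5000, .base_seq = 4000 };
    printf("%d\n", is_spurious_retransmission(&s, 3000, 1000)); /* old data */
    printf("%d\n", is_spurious_retransmission(&s, 4500, 1000)); /* straddles last_ack */
    printf("%d\n", is_spurious_retransmission(&s, 5000, 100));  /* new data */
    return 0;
}
```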