https://inliniac.net/blog/tag/tcp-segmentation/ Recent content in Tcp-Segmentation on Inliniac Hugo en Mon, 31 Jan 2011 20:51:25 +0000 https://inliniac.net/blog/2011/01/31/suricata-ips-improvements/ Mon, 31 Jan 2011 20:51:25 +0000 https://inliniac.net/blog/2011/01/31/suricata-ips-improvements/ <p>January has been a productive month for Suricata, especially for the IPS part of it. I&rsquo;ve quite some time on adding support to the stream engine to operate differently when running inline. This was needed as dropping attacks found in the reassembled stream or the application layer was not reliable. Up until now the stream engine would offer the reassembled stream to the detection engine as soon as it was ACK&rsquo;d. This meant that by definition the packets containing the data had already passed the IPS device. Simply switching to sending un-ACK&rsquo;d data to the detection engine would have it&rsquo;s own set of issues.</p> https://inliniac.net/blog/2007/04/20/snort_inline-and-tcp-segmentation-offloading/ Fri, 20 Apr 2007 16:36:55 +0000 https://inliniac.net/blog/2007/04/20/snort_inline-and-tcp-segmentation-offloading/ <p>Since a short while I have a gigabit setup at home. My laptop has a e1000 Intel NIC, my desktop a Broadcom NIC.While playing with Snort_inline and netpipe-tcp, I noticed something odd. I got tcp packets that had the &lsquo;Don&rsquo;t Fragment&rsquo; option set, but were still bigger than the mtu size of the link. Snort_inline read packets of up to 26kb from the queue, and wireshark and tcpdump were seeing the packets as well. This was only for outgoing packets on the e1000 NIC. The receiving pc saw the packets split up in multiple packets that were honoring the mtu size. This got me thinking that some form of offloading must be taking place and indeed this was the case:</p>