Posted to dev@drill.apache.org by tdunning <gi...@git.apache.org> on 2018/01/03 00:30:51 UTC

[GitHub] drill pull request #1080: Add acknowledgement sequence number and flags fiel...

GitHub user tdunning opened a pull request:

    https://github.com/apache/drill/pull/1080

    Add acknowledgement sequence number and flags fields.

    This pull request relates to DRILL-5432 but is not ready to merge

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/tdunning/drill master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/1080.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1080
    
----
commit af548bb918c6ac7773dab0fc9509db2142979401
Author: Ted Dunning <te...@...>
Date:   2018-01-03T00:20:35Z

    Add acknowledgement sequence number and flags fields.

----


---

[GitHub] drill issue #1080: Add acknowledgement sequence number and flags fields.

Posted by tdunning <gi...@git.apache.org>.
Github user tdunning commented on the issue:

    https://github.com/apache/drill/pull/1080
  
    To follow sequences, group by session id, order by time or sequence number.
    
    This assumes ports are not reused to the same host very often. Will break
    occasionally under odd conditions such as super high connection rate behind
    a broken proxy with no keep alive.
    
    
    On Jan 2, 2018 7:41 PM, "Charles S. Givre" <no...@github.com> wrote:
    
    > Hi Ted,
    > Thanks for doing this. This looks really great! The PCAP files came from
    > here: https://github.com/chrissanders/packets. The author said that they
    > are free to use, but asks for retribution.
    >
    > When I started poking at this, my original thought was to add a boolean
    > column for each TCP flag which would facilitate analysis, as well as a
    > field which contains all the flags. My original thought was that would
    > enable you to quickly detect things like SYN scans and the like. I've been
    > going through Practical Packet Analysis by Chris Sanders and trying to do
    > some of the same things he does in Wireshark with Drill. The next thing I
    > was going to try to do was figure out a way of getting Drill to follow
    > sequences.



---

[GitHub] drill pull request #1080: Add acknowledgement sequence number and flags fiel...

Posted by tdunning <gi...@git.apache.org>.
Github user tdunning closed the pull request at:

    https://github.com/apache/drill/pull/1080


---

[GitHub] drill issue #1080: Add acknowledgement sequence number and flags fields.

Posted by cgivre <gi...@git.apache.org>.
Github user cgivre commented on the issue:

    https://github.com/apache/drill/pull/1080
  
    Hi Ted,
    Thanks for doing this. This looks really great! The PCAP files came from here: https://github.com/chrissanders/packets. The author said that they are free to use, but asks for retribution.
    
    When I started poking at this, my original thought was to add a boolean column for each TCP flag which would facilitate analysis, as well as a field which contains all the flags. My original thought was that would enable you to quickly detect things like SYN scans and the like. I've been going through `Practical Packet Analysis` by Chris Sanders and trying to do some of the same things he does in Wireshark with Drill. The next thing I was going to try to do was figure out a way of getting Drill to follow sequences.
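
The two ideas in this thread, as an added Python example that is not code from the pull request or from Drill: Ted's rule of grouping packets by session id and ordering by time or sequence number (including the port-reuse case he says will occasionally break it), and Charles's boolean column per TCP flag used to pick out SYN scans. Everything in it is constructed for the example: the packet records, their field names (`ts`, `src`, `sport`, `dst`, `dport`, `seq`, `ack`, `flags`) and the helper names are assumptions, not the columns of Drill's pcap reader.

```python
from collections import defaultdict

# Constructed sample packets for this example (not from the PR's PCAP files).
# Field names are assumptions of this example, not the Drill pcap reader's columns.
PACKETS = [
    # a normal web conversation: handshake, then a data segment
    dict(ts=1.000, src="10.0.0.5", sport=51000, dst="10.0.0.9", dport=80, seq=100, ack=0, flags="S"),
    dict(ts=1.001, src="10.0.0.9", sport=80, dst="10.0.0.5", dport=51000, seq=500, ack=101, flags="SA"),
    dict(ts=1.002, src="10.0.0.5", sport=51000, dst="10.0.0.9", dport=80, seq=101, ack=501, flags="A"),
    dict(ts=1.003, src="10.0.0.5", sport=51000, dst="10.0.0.9", dport=80, seq=101, ack=501, flags="PA"),
    # the same client port reused against the same server a little later
    dict(ts=9.000, src="10.0.0.5", sport=51000, dst="10.0.0.9", dport=80, seq=7000, ack=0, flags="S"),
    dict(ts=9.001, src="10.0.0.9", sport=80, dst="10.0.0.5", dport=51000, seq=800, ack=7001, flags="SA"),
    dict(ts=9.002, src="10.0.0.5", sport=51000, dst="10.0.0.9", dport=80, seq=7001, ack=801, flags="A"),
    # one host sending bare SYNs to several ports and only ever getting RST/ACK back
    dict(ts=2.000, src="10.0.0.77", sport=40001, dst="10.0.0.9", dport=22, seq=1, ack=0, flags="S"),
    dict(ts=2.001, src="10.0.0.9", sport=22, dst="10.0.0.77", dport=40001, seq=0, ack=2, flags="RA"),
    dict(ts=2.002, src="10.0.0.77", sport=40002, dst="10.0.0.9", dport=23, seq=1, ack=0, flags="S"),
    dict(ts=2.003, src="10.0.0.9", sport=23, dst="10.0.0.77", dport=40002, seq=0, ack=2, flags="RA"),
    dict(ts=2.004, src="10.0.0.77", sport=40003, dst="10.0.0.9", dport=25, seq=1, ack=0, flags="S"),
    dict(ts=2.005, src="10.0.0.9", sport=25, dst="10.0.0.77", dport=40003, seq=0, ack=2, flags="RA"),
]

# TCP flag letters as Wireshark prints them, with the bit each occupies in the header.
FLAG_NAMES = {"F": "fin", "S": "syn", "R": "rst", "P": "psh", "A": "ack", "U": "urg"}
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_columns(flags):
    """One boolean column per flag plus the combined bitmask (the column shape proposed above)."""
    cols = {"tcp_flag_" + name: letter in flags for letter, name in FLAG_NAMES.items()}
    cols["tcp_flags"] = sum(FLAG_BITS[letter] for letter in flags)
    return cols


def session_id(pkt):
    """Direction-independent key so both halves of a conversation group together."""
    ends = [(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]
    return tuple(sorted(ends))


def follow_sessions(packets):
    """Group by session id and order by time, then sequence number.

    A bare SYN arriving after traffic already exists on the same 4-tuple starts a
    new incarnation of the session, so a reused port is not merged into the
    earlier conversation (the failure mode noted in the comment above).
    """
    by_key = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: (p["ts"], p["seq"])):
        by_key[session_id(pkt)].append(pkt)
    sessions = {}
    for key, pkts in by_key.items():
        incarnation = 0
        for i, pkt in enumerate(pkts):
            cols = flag_columns(pkt["flags"])
            if i > 0 and cols["tcp_flag_syn"] and not cols["tcp_flag_ack"]:
                incarnation += 1
            sessions.setdefault(key + (incarnation,), []).append(pkt)
    return sessions


def syn_scan_suspects(packets, min_ports=3):
    """Sources that opened at least min_ports distinct targets with a SYN and never
    followed up with the handshake's third ACK in any of those sessions."""
    half_open = defaultdict(set)
    for pkts in follow_sessions(packets).values():
        initiator = None
        for pkt in pkts:
            cols = flag_columns(pkt["flags"])
            if initiator is None and cols["tcp_flag_syn"] and not cols["tcp_flag_ack"]:
                initiator = pkt["src"]
                half_open[initiator].add((pkt["dst"], pkt["dport"]))
            elif pkt["src"] == initiator and cols["tcp_flag_ack"] and not cols["tcp_flag_syn"]:
                # the initiator completed the handshake: not a half-open probe
                half_open[initiator].discard((pkt["dst"], pkt["dport"]))
                break
    return {src: sorted(targets) for src, targets in half_open.items() if len(targets) >= min_ports}


if __name__ == "__main__":
    for key, pkts in follow_sessions(PACKETS).items():
        print(key, [(p["ts"], p["flags"], p["seq"], p["ack"]) for p in pkts])
    print("suspected SYN scanners:", syn_scan_suspects(PACKETS))
```

The session key deliberately sorts the two endpoints so that packets in both directions land in the same group, which is what a "group by session id" over a single-direction 4-tuple would miss. Splitting a session on a fresh SYN covers the common port-reuse case; it does not rescue the pathological situation Ted describes, where a proxy churns through connections so fast that timestamps and sequence numbers alone can no longer tell two conversations apart.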
    
    



---

[GitHub] drill issue #1080: Add acknowledgement sequence number and flags fields.

Posted by tdunning <gi...@git.apache.org>.
Github user tdunning commented on the issue:

    https://github.com/apache/drill/pull/1080
  
    The Travis failure appears unrelated to this pull request.



---