I'm trying to build a test for packet injection, which Bro should complain about as it generates retransmission inconsistencies and/or data after RST or other TCP weirdnesses.

Yet in my simple test trace (attached) and this simple policy script:

inject.tcpdump (14.3 KB)

Probably, but didn’t look close at the particular trace you gave — if it has been ACK’d, I don’t expect the reassembler to keep that data around and so can’t compare with the contents of a future overlapping segment.

- Jon

Yes it has. In this case, the injector in my test is very close to the client, but the server is far away, so the ACK and FIN appear from the client before the real packet from the server.

if it has been ACK'd, I don't expect the reassembler to keep that data around

Indeed, it has to release the data upon ACK in order to not wind up buffering
entire byte streams.