Add ability to determine source-side or destination-side of biflows based on a MAC address or set of MAC addresses; i.e., link left-side/right-side biflows.

It's possible with crafted packets to get the TCP options parser to skip over tcph_len and start parsing the entirety of address space as options. Check and fix.

Add the ability to define a set of prefixes which should always be treated as source addresses for purposes of biflow export (i.e., perimeter biflow export as in RFC 5103)

In order to benefit from runtime configuration and efficient metering, we need to actually connect the qofconfig enable_ flags to allocation/activation of features in the core.

Loss event counting is presently done using a SEQ-side algorithm only; looking at ACK and SACK information can improve loss event detection as well as reduce observation loss overcounting.

Seeing lots flows with more bursts than losses, which doesn't make any sense. Track this down.

Most of the services used by QoF from glib-2.0 can be replaced with lighter weight libraries; this would be helpful in scaling QoF down to smallish devices.

The plan here would be first to fork libfixbuf and remove glib there, maybe pulling libfixbuf inline; second to throw away libairframe; third replace the hashtables in the pickable queue; fourth rip everything else out.

Add ability to decode radiotap headers. May make sense to store radio SNR and rate for local latency analysis.

We'll be using CERT and trammell.ch ESIEs for a while; should use 5610 to export information about these.

Initial versions of what became qofdyn had RTT-based burst loss count per flow; this was removed when we started thinking about RTT-based ATO. This could be added back quickly.

rtt_m in one direction is rtt_c in the other, and vice versa; tracking RTT per uniflow as we do at present makes little sense. Rework qofdyn RTT tracking into a single structure per biflow.

Estimate the initial congestion window as the length of the first run of packets by IAT. Since this isn't really initcwin, call the resulting value initialRunOctetCount or something similar.

Add a heuristic (involving packet size, delay, IAT series, etc) to reject an RTTC measurement made overlong by application delay, cycling back to RTTM without sampling.

if template: is missing in the yaml file (or if the yaml file is not given), every IE will be exported, but no optional features will be enabled. This is wrong. Provide a default enable/template that is reasonable (probably just 5-tuple and counters, SiLK-stype).

Add a counter for pure ACKs (which is likely to be equal to layer 4 minus layer 3 packet counts), and a counter for dup ACKs. Probably want to store this in reverse sense, so we can compare dupack and rtx loss indication on the same flow direction.