> On Sep 12, 2014, at 8:10 AM, Seth Hall <[email protected]> wrote: > > On Sep 11, 2014, at 11:59 AM, Jonathan Siwek <[email protected]> wrote: > >> + // Only report on content gaps for connections that >> + // are in a cleanly established state. In other >> + // states, these can arise falsely due to things >> + // like sequence number mismatches in RSTs, or >> + // unseen previous packets in partial connections. >> + // The one opportunity we lose here is on clean FIN >> + // handshakes, but Oh Well. > > If I'm reading this right, this seems like an undesirable outcome. If Bro > starts and a connection is in the middle, does this mean we wouldn't see any > content gaps for that connection?
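Review bot: the comment's opening sentence, "Only report on content gaps for connections that are in a cleanly established state", does not say which reporting is suppressed or that the behavior is configurable, so a reader can come away assuming, as the question quoted above does, that gaps on connections picked up mid-stream go unseen altogether. Per the author's reply in this thread, only the content_gap event is affected and the behavior can be changed by redef'ing report_gaps_for_partial; suggest naming both in the comment. The closing "but Oh Well" would also be better replaced with a short statement of what is lost on clean FIN handshakes.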
Yes, I think that may be the case, but just for the content_gap event, not for telling analyzers there’s a gap in the stream. It’s adjustable by redef'ing BifConst::report_gaps_for_partial. It’s also not new behavior, that comment was attached to some already-existing code that I factored out into a separate function so I could easily re-use it.

Not giving judgement on what behavior should be the default, but changing it shouldn’t be done as part of what I was trying to fix in this commit.

- Jon
