[Bro-Dev] content_gap vs. ack_above_hole
Vern Paxson
vern at icir.org
Fri Nov 18 11:26:04 PST 2011
> Can somebody remind me what exactly the difference between these two
> is (and/or why we have both?).
Yeah, my fault :-P. As best as I can tell (from revisiting the code),
content-gap is a superset of ack-above-hole. Content gaps can also occur
in situations where we're not expecting to see ACKs (for example, due to
split routing, or because we're not processing traffic from the receiver).
I think merging the two into a single content_gap event would make sense.
Vern
More information about the bro-dev
mailing list