[Bro-Dev] content_gap vs. ack_above_hole

Vern Paxson vern at icir.org
Fri Nov 18 11:26:04 PST 2011

> Can somebody remind me what exactly the difference between these two
> is (and/or why we have both?).

Yeah, my fault :-P.  As best as I can tell (from revisiting the code),
content-gap is a superset of ack-above-hole.  Content gaps can also occur
in situations where we're not expecting to see ACKs (for example, due to
split routing, or because we're not processing traffic from the receiver).
I think merging the two into a single content_gap event would make sense.


More information about the bro-dev mailing list