[Bro-Dev] #688: [Fwd] Re: content_gap vs. ack_above_hole
Bro Tracker
bro at tracker.bro-ids.org
Fri Nov 18 14:25:50 PST 2011
#688: [Fwd] Re: [Bro-Dev] content_gap vs. ack_above_hole
---------------------+-----------------------
Reporter: robin | Type: Problem
Status: new | Priority: Normal
Component: Bro | Version: git/master
Keywords: cleanup |
---------------------+-----------------------
----- Forwarded message from Vern Paxson <vern at icir.org> -----
Date: Fri, 18 Nov 2011 11:26:04 -0800
From: Vern Paxson <vern at icir.org>
Subject: Re: [Bro-Dev] content_gap vs. ack_above_hole
Message-Id: <20111118192604.1FE182C4005 at rock.ICSI.Berkeley.EDU>
> Can somebody remind me what exactly the difference between these two
> is (and/or why we have both?).
Yeah, my fault :-P. As best as I can tell (from revisiting the code),
content-gap is a superset of ack-above-hole. Content gaps can also occur
in situations where we're not expecting to see ACKs (for example, due to
split routing, or because we're not processing traffic from the receiver).
I think merging the two into a single content_gap event would make sense.
Vern
----- End forwarded message -----
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/688>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list