[Bro-Dev] #688: [Fwd] Re: content_gap vs. ack_above_hole
Bro Tracker
bro at tracker.bro-ids.org
Fri Nov 18 14:28:22 PST 2011
#688: [Fwd] Re: [Bro-Dev] content_gap vs. ack_above_hole
---------------------+------------------------
Reporter: robin | Owner:
Type: Task | Status: new
Priority: Normal | Milestone:
Component: Bro | Version: git/master
Resolution: | Keywords: cleanup
---------------------+------------------------
Changes (by robin):
* type: Problem => Task
Old description:
> ----- Forwarded message from Vern Paxson <vern at icir.org> -----
>
> Date: Fri, 18 Nov 2011 11:26:04 -0800
> From: Vern Paxson <vern at icir.org>
> Subject: Re: [Bro-Dev] content_gap vs. ack_above_hole
> Message-Id: <20111118192604.1FE182C4005 at rock.ICSI.Berkeley.EDU>
>
> > Can somebody remind me what exactly the difference between these two
> > is (and/or why we have both?).
>
> Yeah, my fault :-P. As best as I can tell (from revisiting the code),
> content-gap is a superset of ack-above-hole. Content gaps can also occur
> in situations where we're not expecting to see ACKs (for example, due to
> split routing, or because we're not processing traffic from the
> receiver).
> I think merging the two into a single content_gap event would make sense.
>
> Vern
>
> ----- End forwarded message -----
New description:
From: Vern Paxson
Subject: Re: [Bro-Dev] content_gap vs. ack_above_hole
> Can somebody remind me what exactly the difference between these two
> is (and/or why we have both?).
Yeah, my fault :-P. As best as I can tell (from revisiting the code),
content-gap is a superset of ack-above-hole. Content gaps can also occur
in situations where we're not expecting to see ACKs (for example, due to
split routing, or because we're not processing traffic from the receiver).
I think merging the two into a single content_gap event would make sense.
Vern
--
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/688#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list