[Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/bit-1246: Fix issue w/ TCP reassembler not delivering some segments. (f1cef9d)

Siwek, Jon jsiwek at illinois.edu
Fri Sep 12 06:44:34 PDT 2014


> On Sep 12, 2014, at 8:10 AM, Seth Hall <seth at icir.org> wrote:
> 
> On Sep 11, 2014, at 11:59 AM, Jonathan Siwek <jsiwek at ncsa.illinois.edu> wrote:
> 
>> +	// Only report on content gaps for connections that
>> +	// are in a cleanly established state.  In other
>> +	// states, these can arise falsely due to things
>> +	// like sequence number mismatches in RSTs, or
>> +	// unseen previous packets in partial connections.
>> +	// The one opportunity we lose here is on clean FIN
>> +	// handshakes, but Oh Well.
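
Review bot: the first sentence of this comment ("Only report on content gaps for connections that are in a cleanly established state") does not say whether the restriction can be adjusted or what exactly is suppressed. If it covers only the content_gap event and is governed by report_gaps_for_partial, as the discussion in this thread indicates, the comment should name both so a reader does not conclude that analyzers also miss the gap. The closing "but Oh Well" on the clean FIN handshake case would be better replaced by a short statement of why losing that case is acceptable.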
> 
> If I'm reading this right, this seems like an undesirable outcome.  If Bro starts and a connection is in the middle, does this mean we wouldn't see any content gaps for that connection?

Yes, I think that may be the case, but just for the content_gap event, not for telling analyzers there’s a gap in the stream.  It’s adjustable by redef'ing BifConst::report_gaps_for_partial.  It’s also not new behavior, that comment was attached to some already-existing code that I factored out into a separate function so I could easily re-use it.  Not giving judgement on what behavior should be the default, but changing it shouldn’t be done as part of what I was trying to fix in this commit.

- Jon


