[Zeek-Dev] [EXT] Re: connection $history - 'g' for gap
McMahon, Kevin J
kmcmahon at mitre.org
Wed Apr 10 12:36:21 PDT 2019
Agreed, but I think there is broader use for knowing, from the conn.log, that there were gaps. I think the 'g' character would address that.
I've always loved the history field and have found numerous uses for it over the years.
Kevin
-----Original Message-----
From: vern at ICIR.org <vern at ICIR.org> On Behalf Of Vern Paxson
Sent: Wednesday, April 10, 2019 9:30 AM
To: McMahon, Kevin J <kmcmahon at mitre.org>
Cc: anthony kasza <anthony.kasza at gmail.com>; Jim Mellander <jmellander at lbl.gov>; zeek-dev at zeek.org
Subject: Re: [EXT] Re: [Zeek-Dev] connection $history - 'g' for gap
> That could get very messy in the real world. How about start of first
> gap, length of first gap, total number of gaps?
I think if the goal is to know whether DPD failed due to content gaps, much better than trying to infer that from a set of gap information would be for dpd.log to include "no DPD decision because ran into a content gap" or such.
Vern
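A script-level approximation of what the thread is asking for, added here as an illustration and not part of the thread or of Zeek's own distribution: the `history` string is maintained by the Zeek core, so a true 'g' flag would need a core change, but a policy script can already count gaps per connection from the `content_gap` event and log the count in conn.log. The module name `GapTracking` and the field name `gaps` are assumptions chosen for this example; `content_gap`, `Conn::Info` and `c$conn` are the real Zeek identifiers.

```zeek
# Added example: record per-connection content gaps in conn.log.
# Not from the mailing-list thread; field and module names are constructed.

@load base/protocols/conn

module GapTracking;

redef record Conn::Info += {
	## Number of content gaps the reassembler reported on this connection
	## (constructed field name for this example).
	gaps: count &log &default=0;
};

# The core raises content_gap when the TCP reassembler notices that
# `length` bytes starting at `seq` never arrived in the direction given
# by is_orig. Counting them here means the conn.log line shows, at a
# glance, that analyzers (and therefore DPD) saw incomplete data.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	# c$conn is created at new_connection, but guard anyway.
	if ( c?$conn )
		++c$conn$gaps;
	}
```

With this loaded, connections whose DPD outcome is suspect because of missing data can be pulled straight from conn.log, for example with `zeek-cut uid history gaps < conn.log | awk '$3 > 0'`, instead of inferring gaps from the weird.log or dpd.log entries alone.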