[Zeek-Dev] [EXT] Re: connection $history - 'g' for gap

McMahon, Kevin J kmcmahon at mitre.org
Wed Apr 10 12:36:21 PDT 2019


Agreed, but I think there is broader use for knowing, from the conn.log, that there were gaps.  I think the 'g' character would address that.

I've always loved the history field and have found numerous uses for it over the years.

Kevin


-----Original Message-----
From: vern at ICIR.org <vern at ICIR.org> On Behalf Of Vern Paxson
Sent: Wednesday, April 10, 2019 9:30 AM
To: McMahon, Kevin J <kmcmahon at mitre.org>
Cc: anthony kasza <anthony.kasza at gmail.com>; Jim Mellander <jmellander at lbl.gov>; zeek-dev at zeek.org
Subject: Re: [EXT] Re: [Zeek-Dev] connection $history - 'g' for gap

> That could get very messy in the real world.  How about start of first
> gap, length of first gap, total number of gaps?

I think if the goal is to know whether DPD failed due to content gaps, much better than trying to infer that from a set of gap information would be for dpd.log to include "no DPD decision because ran into a content gap" or such.

		Vern


