[Zeek-Dev] History or explaination of default analyzer handling of isPartial and hasGap

Seth Hall seth at corelight.com
Thu May 9 08:53:04 PDT 2019



On 9 May 2019, at 10:08, Otto Fowler wrote:

> The analyzers, from what I can see, all have pretty much the same 
> handling
> for isPartial() and hasGap in DeliverStream().
>
> I was wondering if anyone could explain or give some history behind 
> why
> that became the default and what the issues were before, or point to 
> some
> documentation.

It mostly became that way due to copying code from older analyzers as 
new ones were written, but there are some reasons why it still makes 
sense.  Most of the protocol analyzers today can't resync if they miss 
any data and they have the related issue that they can't synchronize to 
the stream correctly if they didn't see the beginning.  As analyzers 
begin to acquire the ability to sychronize to streams, many of these 
conditionals that stop analysis will begin to disappear because there 
won't be a point anymore where irregularities like packet loss need to 
lead to stopping analysis.

We've been thinking about this for a long time and there are some 
analyzers (the SMB analyzer being the biggest example) that deals just 
fine with stream resychronization if you'd like to see something that 
doesn't have the same handling. We're hoping to have a broader and 
easier approach at this problem eventually, just nothing ready yet.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com


More information about the zeek-dev mailing list