[Zeek] tcp partial connections

Palumbo Mauro mauro.palumbo at aizoon.it
Thu Nov 28 07:02:38 PST 2019


Hi everybody,
   I have noticed that in many app level analyzers there is a sort of "safety check" in the method DeliverStream which essentially returns when the tcp session is partial, i.e.

        if ( TCP() && TCP()->IsPartial() )
                return;

This is true, for example, for the HTTP, SSH, SSL analyzers and more. My understanding is that this is to prevent app layer analyzers or scripts relying on them from breaking down or missing some information when processing packets with possible missing bytes.
Am I right? How reliable is this check TCP()->IsPartial() for partial tcp sessions in the tcp analyzer?

Thanks,
Mauro