diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index 0095947071..b1d7dca012 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -536,7 +536,6 @@ void TCP_Reassembler::AckReceived(uint64 seq) { ++tot_gap_events; tot_gap_bytes += num_missing; - tcp_analyzer->Event(ack_above_hole); } } diff --git a/src/analyzer/protocol/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif index 75353180c6..5ae5c5b86f 100644 --- a/src/analyzer/protocol/tcp/functions.bif +++ b/src/analyzer/protocol/tcp/functions.bif @@ -91,7 +91,7 @@ function get_resp_seq%(cid: conn_id%): count ## contents of individual packets. Reordering and duplicates are ## removed. If any data is missing, the recording stops at the ## missing data; this can happen, e.g., due to an -## :bro:id:`ack_above_hole` event. +## :bro:id:`content_gap` event. ## ## .. bro:see:: get_contents_file set_record_packets contents_file_write_failure function set_contents_file%(cid: conn_id, direction: count, f: file%): bool diff --git a/src/event.bif b/src/event.bif index 49afb86fa4..f568de902b 100644 --- a/src/event.bif +++ b/src/event.bif @@ -314,29 +314,6 @@ event packet_contents%(c: connection, contents: string%); ## .. bro:see:: tcp_rexmit tcp_contents event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%); -## Generated when a TCP endpoint acknowledges payload that Bro never saw. -## -## c: The connection. -## -## .. bro:see:: content_gap -## -## .. note:: -## -## Seeing an acknowledgment indicates that the responder of the connection -## says it has received the corresponding data. If Bro did not, it must have -## either missed one or more packets, or the responder's TCP stack is broken -## (which isn't unheard of). In practice, one will always see a few of these -## events in any larger volume of network traffic. If there are lots of them, -## however, that typically means that there is a problem with the monitoring -## infrastructure such as a tap dropping packets, split routing on the path, -## or reordering at the tap. -## -## This event reports similar situations as :bro:id:`content_gap`, though -## their specifics differ slightly. Often, however, both will be raised for -## the same connection if some of its data is missing. We should eventually -## merge the two. -event ack_above_hole%(c: connection%); - ## Generated when Bro detects a gap in a reassembled TCP payload stream. This ## event is raised when Bro, while reassembling a payload stream, determines ## that a chunk of payload is missing (e.g., because the responder has already @@ -350,8 +327,6 @@ event ack_above_hole%(c: connection%); ## ## length: The number of bytes missing. ## -## .. bro:see:: ack_above_hole -## ## .. note:: ## ## Content gaps tend to occur occasionally for various reasons, including @@ -359,11 +334,6 @@ event ack_above_hole%(c: connection%); ## means that there is a problem with the monitoring infrastructure such as ## a tap dropping packets, split routing on the path, or reordering at the ## tap. -## -## This event reports similar situations as :bro:id:`ack_above_hole`, though -## their specifics differ slightly. Often, however, both will be raised for -## a connection if some of its data is missing. We should eventually merge -## the two. event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## Generated when a protocol analyzer confirms that a connection is indeed