Change TCP analysis to process connections without the initial SYN as non-partial connections.

Before, if we saw a responder-side SYN/ACK, but had not seen the
initial originator-side SYN, Bro would treat the connection as partial,
meaning that most application-layer analyzers would refuse to inspect
the payload. That was unfortunate because all payload data was
actually there (and even passed to the analyzers). This change makes
Bro consider these connections as complete, so that analyzers will
just process them normally.

This leads to a couple more connections in the test-suite now being
analyzed.

Addresses #1492. (I used an HTTP trace for debugging instead of the
HTTPS trace from the ticket, as the clear-text makes it easier to
track the data flow).
Robin Sommer 2016-07-11 17:06:03 -07:00
parent fa83497f26
commit 39734255be
4 changed files with 26 additions and 3 deletions


@ -761,6 +761,17 @@ void TCP_Analyzer::UpdateInactiveState(double t,
// consider the ack as forming a partial
// connection.
;
else if ( flags.ACK() && peer->state == TCP_ENDPOINT_ESTABLISHED )
{
// No SYN packet from originator but SYN/ACK from
// responder, and now a pure ACK. Problably means we
// just missed that initial SYN. Let's not treat it
// as partial and instead establish the connection.
endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
is_partial = 0;
}
else
{
endpoint->SetState(TCP_ENDPOINT_PARTIAL);
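Review bot: the new `else if` keys only on `flags.ACK()` and `peer->state == TCP_ENDPOINT_ESTABLISHED`, so it does not actually verify the situation its comment describes (an originator-side pure ACK following a responder SYN/ACK): nothing in the branch checks which side `endpoint` is, nor that SYN, FIN and RST are clear. Unless the earlier branches of this if-chain already exclude those cases, a responder-side ACK, or an ACK carrying FIN/RST, will also promote the endpoint to ESTABLISHED and clear `is_partial`. Consider tightening the condition, e.g. `else if ( flags.ACK() && ! flags.SYN() && ! flags.RST() && endpoint->IsOrig() && peer->state == TCP_ENDPOINT_ESTABLISHED )` (or whichever orig/resp predicate `TCP_Endpoint` exposes), and add a regression trace covering the responder-side ACK case. Also fix the typo "Problably" in the new comment.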