From 2fc75009f421b8e3bb73b9a8eb688c54f15b1c9b Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 10 Jul 2025 12:39:13 +0100
Subject: [PATCH] Documentation: connection_SYN_packet

Slightly clarify documentation related to the connection_SYN_packet event.
---
 scripts/base/init-bare.zeek | 2 +-
 src/analyzer/protocol/tcp/events.bif | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index bcaa9928bd..961b2bcf4f 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1043,7 +1043,7 @@ type SYN_packet: record {
 win_size: count; ##< The window size from the TCP header.
 win_scale: int; ##< The window scale option if present, or -1 if not.
 MSS: count; ##< The maximum segment size if present, or 0 if not.
- SACK_OK: bool; ##< True if the *SACK* option is present.
+ SACK_OK: bool; ##< True if the *SACK* option (Selective ACKnowledgement) is present.
 TSval: count &optional; ##< The TCP TS value if present.
 TSecr: count &optional; ##< The TCP TS echo reply if present.
 };
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index e17171c12d..82901ab0cc 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
@@ -155,7 +155,8 @@ event connection_reset%(c: connection%);
 event connection_pending%(c: connection%);

 ## Generated for a SYN packet. Zeek raises this event for every SYN packet seen
-## by its TCP analyzer.
+## by its TCP analyzer. This includes packets that have other flags set - like
+## in the case of SYN-ACK packets.
 ##
 ## c: The connection.
 ##
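Review bot: The expanded comment on `SACK_OK` still calls it the *SACK* option, but a SYN segment carries SACK-Permitted (RFC 2018, option kind 4); SACK blocks themselves (kind 5) only appear on later segments. Assuming the analyzer sets this field from kind 4, which the field name suggests but this hunk does not show, I would write `SACK_OK: bool; ##< True if the *SACK-Permitted* option (Selective ACKnowledgement, RFC 2018) is present.`. The distinction matters to anyone using this record for passive OS fingerprinting, where the exact option set of the SYN is the signal. The record declaration starts above the hunk.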
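Review bot: The added sentence in the `connection_SYN_packet` comment says SYN-ACKs also raise the event, but not how a handler should tell them apart from an initial SYN. Scripts that treat each event as one connection attempt (scan or SYN-flood counters, originator fingerprinting) would otherwise count or profile the responder as well. I would add `## To handle only the originator's SYN, check pkt$is_orig.` after the new lines, on the assumption that `is_orig` is the direction field of `SYN_packet`, which is declared outside both hunks. Direction is not the same as the ACK flag (simultaneous open, midstream pickup), so the wording should stay that modest. The doc comment continues below the hunk.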