mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Removing ack_above_hole event.
This was a subset of content_gap and led to plenty of noise. Addresses BIT-688.
This commit is contained in:
parent
ca3f7eadbe
commit
75e3f9bc69
6 changed files with 15 additions and 38 deletions
5
CHANGES
|
@ -1,4 +1,9 @@
|
||||||
|
|
||||||
|
2.4-680 | 2016-07-06 09:18:21 -0700
|
||||||
|
|
||||||
|
* Remove ack_above_hole() event, which was a subset of content_gap
|
||||||
|
and led to plenty noise. Addresses BIT-688. (Robin Sommer)
|
||||||
|
|
||||||
2.4-679 | 2016-07-05 16:35:53 -0700
|
2.4-679 | 2016-07-05 16:35:53 -0700
|
||||||
|
|
||||||
* Fix segfault when an existing enum identifier is added again with
|
* Fix segfault when an existing enum identifier is added again with
|
||||||
|
|
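Review bot: "led to plenty noise" in the new CHANGES entry should read "led to plenty of noise". Since this removes a script-visible event, the entry would also help users more if it named the replacement, e.g. "... was a subset of content_gap(); handle content_gap() instead."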
13
NEWS
|
@ -25,23 +25,23 @@ Log Changes
|
||||||
|
|
||||||
- DNS
|
- DNS
|
||||||
|
|
||||||
- New 'rtt' field to indicate the round trip time between when a
|
- New 'rtt' field to indicate the round trip time between when a
|
||||||
request was sent and when a reply started.
|
request was sent and when a reply started.
|
||||||
|
|
||||||
- SMTP
|
- SMTP
|
||||||
|
|
||||||
- New 'cc' field which includes the 'Cc' header from MIME messages
|
- New 'cc' field which includes the 'Cc' header from MIME messages
|
||||||
sent over SMTP.
|
sent over SMTP.
|
||||||
|
|
||||||
- Changes in 'mailfrom' and 'rcptto' fields to remove some non-address
|
- Changes in 'mailfrom' and 'rcptto' fields to remove some non-address
|
||||||
cruft that will tend to be found. The main example is the change
|
cruft that will tend to be found. The main example is the change
|
||||||
from "<user@domain>" to "user@domain.com".
|
from "<user@domain>" to "user@domain.com".
|
||||||
|
|
||||||
- HTTP
|
- HTTP
|
||||||
|
|
||||||
- Removed 'filename' field.
|
- Removed 'filename' field.
|
||||||
|
|
||||||
- New 'orig_filenames' and 'resp_filenames' fields which each contain
|
- New 'orig_filenames' and 'resp_filenames' fields which each contain
|
||||||
a vector of filenames seen in entities transferred.
|
a vector of filenames seen in entities transferred.
|
||||||
|
|
||||||
New Functionality
|
New Functionality
|
||||||
|
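Review bot: this hunk in the "Log Changes" section of NEWS shows identical text on both sides, so it appears to be whitespace-only churn unrelated to the ack_above_hole removal; either mention the cleanup in the commit message or leave it out of this commit so the diff stays focused on the event removal.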
@ -165,6 +165,9 @@ Removed Functionality
|
||||||
were also prone to needing more regular updates as the internet
|
were also prone to needing more regular updates as the internet
|
||||||
changed and will likely be more relevant if maintained externally.
|
changed and will likely be more relevant if maintained externally.
|
||||||
|
|
||||||
|
- The event ack_above_hole() has been removed, as it was a subset
|
||||||
|
of content_gap() and led to plenty noise.
|
||||||
|
|
||||||
Deprecated Functionality
|
Deprecated Functionality
|
||||||
------------------------
|
------------------------
|
||||||
|
|
||||||
|
|
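Review bot: same grammar nit as in CHANGES: "led to plenty noise" should be "led to plenty of noise". Under "Removed Functionality" it is also worth telling script authors what to do, e.g. "Scripts that handled ack_above_hole() should handle content_gap() instead."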
2
VERSION
|
@ -1 +1 @@
|
||||||
2.4-679
|
2.4-680
|
||||||
|
|
|
@ -536,7 +536,6 @@ void TCP_Reassembler::AckReceived(uint64 seq)
|
||||||
{
|
{
|
||||||
++tot_gap_events;
|
++tot_gap_events;
|
||||||
tot_gap_bytes += num_missing;
|
tot_gap_bytes += num_missing;
|
||||||
tcp_analyzer->Event(ack_above_hole);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
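Review bot: with tcp_analyzer->Event(ack_above_hole) gone, the block in TCP_Reassembler::AckReceived() still does ++tot_gap_events and tot_gap_bytes += num_missing, so these gap statistics keep counting acknowledged-but-unseen data even though no event is raised for it any more. That is probably intended (the gap is real either way), but the counters no longer correspond one-to-one with content_gap events; a one-line comment there saying so would stop the next reader from "fixing" it. Also check that no tests or baselines still reference ack_above_hole, since the handler symbol disappears together with the event.bif declaration in this commit.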
@ -91,7 +91,7 @@ function get_resp_seq%(cid: conn_id%): count
|
||||||
## contents of individual packets. Reordering and duplicates are
|
## contents of individual packets. Reordering and duplicates are
|
||||||
## removed. If any data is missing, the recording stops at the
|
## removed. If any data is missing, the recording stops at the
|
||||||
## missing data; this can happen, e.g., due to an
|
## missing data; this can happen, e.g., due to an
|
||||||
## :bro:id:`ack_above_hole` event.
|
## :bro:id:`content_gap` event.
|
||||||
##
|
##
|
||||||
## .. bro:see:: get_contents_file set_record_packets contents_file_write_failure
|
## .. bro:see:: get_contents_file set_record_packets contents_file_write_failure
|
||||||
function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
|
function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
|
||||||
|
|
|
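Review bot: swapping the reference to :bro:id:`content_gap` leaves the preceding article wrong: the sentence now reads "due to an content_gap event". Change "an" to "a" on the unchanged line above as part of this hunk.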
@ -314,29 +314,6 @@ event packet_contents%(c: connection, contents: string%);
|
||||||
## .. bro:see:: tcp_rexmit tcp_contents
|
## .. bro:see:: tcp_rexmit tcp_contents
|
||||||
event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
|
event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
|
||||||
|
|
||||||
## Generated when a TCP endpoint acknowledges payload that Bro never saw.
|
|
||||||
##
|
|
||||||
## c: The connection.
|
|
||||||
##
|
|
||||||
## .. bro:see:: content_gap
|
|
||||||
##
|
|
||||||
## .. note::
|
|
||||||
##
|
|
||||||
## Seeing an acknowledgment indicates that the responder of the connection
|
|
||||||
## says it has received the corresponding data. If Bro did not, it must have
|
|
||||||
## either missed one or more packets, or the responder's TCP stack is broken
|
|
||||||
## (which isn't unheard of). In practice, one will always see a few of these
|
|
||||||
## events in any larger volume of network traffic. If there are lots of them,
|
|
||||||
## however, that typically means that there is a problem with the monitoring
|
|
||||||
## infrastructure such as a tap dropping packets, split routing on the path,
|
|
||||||
## or reordering at the tap.
|
|
||||||
##
|
|
||||||
## This event reports similar situations as :bro:id:`content_gap`, though
|
|
||||||
## their specifics differ slightly. Often, however, both will be raised for
|
|
||||||
## the same connection if some of its data is missing. We should eventually
|
|
||||||
## merge the two.
|
|
||||||
event ack_above_hole%(c: connection%);
|
|
||||||
|
|
||||||
## Generated when Bro detects a gap in a reassembled TCP payload stream. This
|
## Generated when Bro detects a gap in a reassembled TCP payload stream. This
|
||||||
## event is raised when Bro, while reassembling a payload stream, determines
|
## event is raised when Bro, while reassembling a payload stream, determines
|
||||||
## that a chunk of payload is missing (e.g., because the responder has already
|
## that a chunk of payload is missing (e.g., because the responder has already
|
||||||
|
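Review bot: dropping the declaration removes ack_above_hole from the script API outright, so any script that still defines a handler for it stops working when this lands; that is acceptable given the NEWS entry, but a deprecation release would be the gentler path if BIT-688 allows it. The removed note was also the only place that explained why a burst of these events usually points at the monitoring infrastructure (tap dropping packets, split routing, reordering at the tap); the note on content_gap below keeps the same guidance, so nothing is lost there.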
@ -350,8 +327,6 @@ event ack_above_hole%(c: connection%);
|
||||||
##
|
##
|
||||||
## length: The number of bytes missing.
|
## length: The number of bytes missing.
|
||||||
##
|
##
|
||||||
## .. bro:see:: ack_above_hole
|
|
||||||
##
|
|
||||||
## .. note::
|
## .. note::
|
||||||
##
|
##
|
||||||
## Content gaps tend to occur occasionally for various reasons, including
|
## Content gaps tend to occur occasionally for various reasons, including
|
||||||
|
@ -359,11 +334,6 @@ event ack_above_hole%(c: connection%);
|
||||||
## means that there is a problem with the monitoring infrastructure such as
|
## means that there is a problem with the monitoring infrastructure such as
|
||||||
## a tap dropping packets, split routing on the path, or reordering at the
|
## a tap dropping packets, split routing on the path, or reordering at the
|
||||||
## tap.
|
## tap.
|
||||||
##
|
|
||||||
## This event reports similar situations as :bro:id:`ack_above_hole`, though
|
|
||||||
## their specifics differ slightly. Often, however, both will be raised for
|
|
||||||
## a connection if some of its data is missing. We should eventually merge
|
|
||||||
## the two.
|
|
||||||
event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
|
event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
|
||||||
|
|
||||||
## Generated when a protocol analyzer confirms that a connection is indeed
|
## Generated when a protocol analyzer confirms that a connection is indeed
|
||||||
|
|
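Review bot: with the cross-reference paragraph gone, the content_gap note now ends at "tap." followed directly by the event declaration, which reads fine. While this docstring is being touched, "Content gaps tend to occur occasionally" in the retained text is redundant; "Content gaps occur occasionally" is enough.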