Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Improve gap reporting in TCP connections that never see data.

Browse source 
The previous behavior was to accomodate SYN/FIN/RST-filtered traces by
not reporting missing data (via the content_gap event) for such
connections.  The new behavior always reports gaps for connections that
are established and terminate normally, but sequence numbers indicate
that all data packets of the connection were missed.  The behavior can
be reverted by redef'ing "detect_filtered_trace".
This commit is contained in:
Jon Siwek 2014-01-24 16:21:02 -06:00
parent 5b3573394e
commit 9b12967d40
7 changed files with 29 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/analyzer/protocol/tcp/TCP_Reassembler.cc
View file

@ -178,7 +178,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
// to this method and only if this condition is not true).
reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
if ( last_reassem_seq == 1 &&
if ( BifConst::detect_filtered_trace && last_reassem_seq == 1 &&
(endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 ||
peer->FIN_cnt > 0 || peer->RST_cnt > 0) )
{