Merge remote-tracking branch 'origin/topic/vern/content-gap-history'

* origin/topic/vern/content-gap-history: Refined state machine update placement to (1) properly deal with gaps capped by clean FIN handshakes, and (1) fix failure to detect split routing. added 'g' $history character for content gaps
2025-10-09 10:08:20 +00:00 · 2019-04-22 12:38:06 -07:00 · 2019-04-22 12:38:06 -07:00 · d5803d7047
commit d5803d7047
parent f15c99c82e 9c8ad11d92
21 changed files with 103 additions and 45 deletions
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -107,6 +107,7 @@ export {
 		## f       packet with FIN bit set
 		## r       packet with RST bit set
 		## c       packet with a bad checksum (applies to UDP too)
+		## g       a content gap
 		## t       packet with retransmitted payload
 		## w       packet with a zero window advertisement
 		## i       inconsistent packet (e.g. FIN+RST bits set)
@ -122,7 +123,7 @@ export {
 		## 's' can be recorded multiple times for either direction
 		## if the associated sequence number differs from the
 		## last-seen packet of the same flag type.
-		## 'c', 't' and 'w' are recorded in a logarithmic fashion:
+		## 'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:
 		## the second instance represents that the event was seen
 		## (at least) 10 times; the third instance, 100 times; etc.
 		history:      string          &log &optional;