The main change is that reassembly code (e.g. for TCP) now uses
int64/uint64 (signedness is situational) data types in place of int
types in order to support delivering data to analyzers that pass 2GB
thresholds. There are also changes in logic that accompany the change in
data types, e.g. to fix TCP sequence space arithmetic inconsistencies.
Another significant change is in the Analyzer API: the *Packet and
*Undelivered methods now use a uint64 in place of an int for the
relative sequence space offset parameter.
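
The 64-bit relative offset described above, as an added example that is not code from Bro or from this commit: `SeqTracker`, `FeedStream` and `AsInt32` are hypothetical names, and the flow values are constructed. It unwraps 32-bit wire sequence numbers into a uint64 offset and shows what a 32-bit int would hold past the 2GB threshold.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical helper, not Bro's API: maps the 32-bit sequence numbers seen on
// the wire to a 64-bit offset relative to the initial sequence number (ISN).
struct SeqTracker {
    uint32_t last_seq;  // highest wire sequence number seen so far
    uint64_t rel;       // 64-bit relative offset of last_seq

    explicit SeqTracker(uint32_t isn) : last_seq(isn), rel(0) {}

    uint64_t Offset(uint32_t seq) {
        // Modulo-2^32 difference read as signed: shortest distance from
        // last_seq, valid across wraparound while |delta| < 2^31.
        int64_t delta = static_cast<int32_t>(seq - last_seq);
        if (delta < 0 && static_cast<uint64_t>(-delta) > rel)
            return 0;  // older than the ISN: clamp instead of underflowing
        uint64_t off = rel + static_cast<uint64_t>(delta);
        if (delta > 0) { last_seq = seq; rel = off; }  // advance on new data only
        return off;
    }
};

// Sends `total` bytes in `chunk`-sized segments; returns the final offset.
uint64_t FeedStream(uint32_t isn, uint64_t total, uint32_t chunk) {
    SeqTracker t(isn);
    uint32_t seq = isn;
    uint64_t off = 0;
    for (uint64_t sent = 0; sent < total; sent += chunk) {
        seq += chunk;  // wire value wraps at 2^32
        off = t.Offset(seq);
    }
    return off;
}

// What a 32-bit signed offset parameter would receive for the same position.
int32_t AsInt32(uint64_t off) { return static_cast<int32_t>(off); }

int main() {
    uint64_t off = FeedStream(4000000000u, 5ULL << 30, 1u << 20);  // constructed flow
    std::printf("64-bit offset: %llu\n", static_cast<unsigned long long>(off));
    std::printf("as int32 at 3 GiB: %d\n", AsInt32(3ULL << 30));
    return 0;
}
```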

If TCP endpoint A and B are synchronized at some point, but A
closes/aborts/crashes and B goes on without knowledge of it and then A
tries to re-synchronize, Bro could end up seeing something like
(sequence numbers made up):

    A: SYN 100
    B: ACK 500
    A: RST 500

The final sequence number of A, in this case, is not useful in the
context of determining the number of data bytes sent by A, so Bro now
reports that as 0 (where before it could often be misleadingly large).

Replaced some with InternalWarning or InternalAnalyzerError, the latter
being a new method which signals the analyzer to not process further
input. Some usages I just removed if they didn't make sense or clearly
couldn't happen. Also did some minor refactors of related code while
reviewing/exploring ways to get rid of InternalError usages.
Also, for TCP content file write failures there's a new event:
"contents_file_write_failure".