Reorganized the log file reference documentation, improved some of the
descriptions, and corrected a typo in a log filename. Also removed
non-ascii characters that somehow got in the text.
* origin/fastpath:
new ssl extension type from iana and a few other ssl const changes.
adding a function in dnp3-analyzer.pac to translate the time stamp format
Make unexpected pipe errors fatal as precaution.
I added a lenght parameter to the DNP3 time conversion function to not
accidentally run into trouble later if there were ever any other
buffers passed in.
* origin/topic/jsiwek/improve_comm_loop:
Add a simple FD_Set wrapper/helper class.
Fix Pipe copy/assignment to make a copy of flags.
Fix possible abort on writing to a full pipe.
Remove timeouts from remote communication loop.
The intel framework can now indicate which node discovered a
hit on an intel item through the new "node" field in the
Intel::Seen data structure. On clusters, this field will
contain the name of the node where the hit was seen.
Due to the change in f1cef9d2a9, it was possible for the TCP reassembler
to deliver the same data twice because Undelivered did not take in to
account that the reassembly stream could now advance past the end of the
gap.
Addresses BIT-1259.
* origin/topic/jsiwek/jj-bugs:
Fix incorrect data delivery skips after gap in HTTP Content-Range.
Fix file analysis placement of data after gap in HTTP Content-Range.
Fix issue w/ TCP reassembler not delivering some segments.
Raise http_entity_data in line with data arrival.
Implement file ID caching for MIME_Mail.
BIT-1240: Fix MIME entity file data/gap ordering.
BIT-1240 #closed
BIT-1246 #closed
BIT-1247 #closed
BIT-1248 #closed
The logic for determining whether a gap was entirely within a MIME
entity body was not asking the current entity, which may be better able
to answer that question if it was using the Content-Range header and
thus knows if the gap exceeds the length of the body that's still
expected.
Addresses BIT-1247
For example, if we have a connection between TCP "A" and TCP "B" and "A"
sends segments "1" and "2", but we don't see the first and then the next
acknowledgement from "B" is for everything up to, and including, "2",
the gap would be reported to include both segments instead of just the
first and then delivering the second. Put generally: any segments that
weren't yet delivered because they're waiting for an earlier gap to be
filled would be dropped when an ACK comes in that includes the gap as
well as those pending segments. (If a distinct ACK was seen for just
the gap, that situation would have worked).
Addresses BIT-1246.
As opposed to delaying until a certain-sized-buffer fills, which is
problematic because then the event becomes out of sync with the "rest of
the world". E.g. content_gap handlers being called sooner than
expected.
Addresses BIT-1240.
* origin/topic/robin/pktsrc:
Fixing link-layer handling.
Bugfixes and test updates.
Fixing remaining tests.
Adding test for dynamic packet dumper plugin.
Test updates.
Fixing Bro-level BPF filtering.
A set of smaller API tweaks, and polishing.
Adding test creating a dynamic pktsrc plugin.
Interface tweaks for PktSrc, plus docs for PktSrc and PktDumper.
A set of various fixes and smaller API tweaks, plus tests.
Moving some of the BPF filtering code into base class.
Small packet dumper API change.
Moving Pkt{Src,Dumper} a directory level up.
Removing FlowSrc.
Removing netmap, remaining pieces of the 2ndary path, and left-over files of packet sorter.
Prototype of a netmap packet source.
A series of updates and tweaks to the new PktSrc interface.
Fixing rebase relicts.
IOSource reorg.
BIT-1243 #close
MIME entities buffered data and passed it along to protocol analyzers in
discrete amounts, but a gap is always passed along right away, so the
ordering of these "events" can cause incorrect file analysis. The
change here is to never leave any MIME data buffered -- it should now be
passed along line by line as it is seen, but may still temporarily make
use of a buffer allocated by the analyzer as it works on decoding
content.
