zeek/testing/btest/Baseline/core.tcp.missing-syn at 39734255be72d52da2242cb1891d12970af59fbf - Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00

History

Robin Sommer 39734255be Change TCP analysis to process connections without the initial SYN as non-partial connections. Before, if we saw a responder-side SYN/ACK, but had not seen the initial orginator-side SYN, Bro would treat the connection as partial, meaning that most application-layer analyzers would refuse to inspect the payload. That was unfortunate because all payload data was actually there (and even passed to the analyzers). This change make Bro consider these connections as complete, so that analyzers will just normally process them. The leads to couple more connections in the test-suite to now being analyzed. Addresses #1492. (I used an HTTP trace for debugging instead of the HTTPS trace from the ticket, as the clear-text makes it easier to track the data flow).	2016-07-11 17:18:32 -07:00
..
conn.log	Change TCP analysis to process connections without the initial SYN as	2016-07-11 17:18:32 -07:00

Robin Sommer 39734255be Change TCP analysis to process connections without the initial SYN as

non-partial connections.

Before, if we saw a responder-side SYN/ACK, but had not seen the
initial orginator-side SYN, Bro would treat the connection as partial,
meaning that most application-layer analyzers would refuse to inspect
the payload. That was unfortunate because all payload data was
actually there (and even passed to the analyzers). This change make
Bro consider these connections as complete, so that analyzers will
just normally process them.

The leads to couple more connections in the test-suite to now being
analyzed.

Addresses #1492. (I used an HTTP trace for debugging instead of the
HTTPS trace from the ticket, as the clear-text makes it easier to
track the data flow).

2016-07-11 17:18:32 -07:00

conn.log

Change TCP analysis to process connections without the initial SYN as

2016-07-11 17:18:32 -07:00