mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
6fbebc5e94
In https://github.com/zeek/zeek/pull/2191, we added endpoint flipping for cases where a connection starts with a SYN/ACK followed by ACK or data. The goal was to treat the connection as productive and go ahead and parse it. But the TCP analyzer could continue to consider it partial after flipping, meaning that app layers would bail out. #2426 shows such a case: HTTP gets correctly activated after flipping through content inspection, but it won't process anything because `IsPartial()` returns true. As the is-partial state reflects whether we saw the first packets each in direction, this patch now overrides that state for the originally missing SYN after flipping. We actually had the same problem at a couple of other locations already as well. One of that only happened to work because of the originally inconsistent state flipping that was fixed in the previous commit. The corresponding unit test now broke after that change. This commit updates that logic as well to override the state. This fix is a bit of a hack, but the best solution I could think of without introducing larger changes. Closes #2426.
11 lines
736 B
Text
11 lines
736 B
Text
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path conn
|
|
#open XXXX-XX-XX-XX-XX-XX
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
|
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 6669 192.150.187.43 80 tcp http 0.141744 136 5007 SF - - 0 ^hADadFf 6 456 7 5371 -
|
|
#close XXXX-XX-XX-XX-XX-XX
|