mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 08:38:20 +00:00
b0f96fa22c
From Vern in GH-846: This is a conscious decision in the TCP analysis to consider a connection's "duration" to run up through the end of its productive (= data can be delivered) lifetime, not extending beyond that. So once it's closed, packets seen subsequently (until the state-holding for the connection times out) get processed in terms of updating the associated history, but not the duration. This can include (unnecessarily) retransmitted data packets, like in one of the examples above. An advantage of this definition of "duration" is it allows more accurate computation of connection data rates. |
||
|---|---|---|
| .. | ||
| base | ||
| policy | ||
| site | ||
| zeekygen | ||
| CMakeLists.txt | ||
| test-all-policy.zeek | ||