[Fwd] Re: [Bro-Dev] content_gap vs. ack_above_hole

Description

From: Vern Paxson
Subject: Re: [Bro-Dev] content_gap vs. ack_above_hole

> Can somebody remind me what exactly the difference between these two
> is (and/or why we have both?).

Yeah, my fault . As best as I can tell (from revisiting the code),
content-gap is a superset of ack-above-hole. Content gaps can also occur
in situations where we're not expecting to see ACKs (for example, due to
split routing, or because we're not processing traffic from the receiver).
I think merging the two into a single content_gap event would make sense.

Vern

Environment

None

Activity

Show:
Seth Hall
November 7, 2013, 4:26 PM

This should be really easy to take care of for 2.3.

Seth Hall
June 17, 2016, 5:05 PM

Is the answer here to just remove the ack_above_hole event? I read the code a bit and it appears reasonable to do that since gaps are already being caught by content_gap. Does anyone know of any users of this event? I don't.

Assignee

Robin Sommer

Reporter

Robin Sommer

Labels

External issue ID

688

Components

Fix versions

Affects versions

Priority

Normal
Configure