If I'm reading this right, this seems like an undesirable outcome. If Bro starts and a connection is in the middle, does this mean we wouldn't see any content gaps for that connection?
.Seth
Yes, I think that may be the case, but just for the content_gap event, not for telling analyzers there’s a gap in the stream. It’s adjustable by redef'ing BifConst::report_gaps_for_partial. It’s also not new behavior, that comment was attached to some already-existing code that I factored out into a separate function so I could easily re-use it. Not giving judgement on what behavior should be the default, but changing it shouldn’t be done as part of what I was trying to fix in this commit.
- Jon
Ah! I remember this now. Thanks for explaining.
.Seth