History or explanation of default analyzer handling of isPartial and hasGap

Hi everyone,

The analyzers, from what I can see, all have pretty much the same handling for isPartial() and hasGap in DeliverStream().

I was wondering if anyone could explain or give some history behind why that became the default and what the issues were before, or point to some documentation.

Thank you

ottO

It mostly became that way due to copying code from older analyzers as new ones were written, but there are some reasons why it still makes sense. Most of the protocol analyzers today can't resync if they miss any data and they have the related issue that they can't synchronize to the stream correctly if they didn't see the beginning. As analyzers begin to acquire the ability to synchronize to streams, many of these conditionals that stop analysis will begin to disappear because there won't be a point anymore where irregularities like packet loss need to lead to stopping analysis.

We've been thinking about this for a long time and there are some analyzers (the SMB analyzer being the biggest example) that deal just fine with stream resynchronization if you'd like to see something that doesn't have the same handling. We're hoping to have a broader and easier approach to this problem eventually, just nothing ready yet.

   .Seth
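
An added illustration, not part of the thread and not Zeek source code: a simplified C++ model that contrasts the stop-on-gap/partial pattern discussed above with an analyzer that resynchronizes at the next record boundary. All names (`Event`, `LineAnalyzer`, `Run`) are hypothetical, and the newline-delimited protocol and sample stream are constructed for the example.

```cpp
// Simplified model of a stream analyzer; hypothetical names, not Zeek's API.
#include <iostream>
#include <string>
#include <vector>

struct Event { bool gap; std::string data; };  // gap == true: bytes were lost

class LineAnalyzer {
public:
    LineAnalyzer(bool partial, bool can_resync)
        : partial_(partial), can_resync_(can_resync), skipping_(partial && can_resync) {}

    void Feed(const Event& e) {
        if (e.gap) {
            had_gap_ = true;
            buf_.clear();             // a half-buffered record is unusable
            skipping_ = can_resync_;  // resync: drop bytes until next boundary
            return;
        }
        // The common default: no analysis after a gap or on a partial connection.
        if (!can_resync_ && (had_gap_ || partial_)) return;
        for (char c : e.data) {
            if (c != '\n') { if (!skipping_) buf_ += c; continue; }
            if (skipping_) skipping_ = false;  // boundary found, resynchronized
            else records_.push_back(buf_);
            buf_.clear();
        }
    }
    const std::vector<std::string>& Records() const { return records_; }
private:
    bool partial_, can_resync_, skipping_;
    bool had_gap_ = false;
    std::string buf_;
    std::vector<std::string> records_;
};

// Constructed sample: three records, with a content gap inside the second one.
std::vector<std::string> Run(bool partial, bool can_resync) {
    std::vector<Event> stream = {
        {false, "USER alice\nPA"}, {true, ""}, {false, "cret\nQUIT\n"}};
    LineAnalyzer a(partial, can_resync);
    for (const auto& e : stream) a.Feed(e);
    return a.Records();
}

int main() {
    std::cout << "stop-on-gap: " << Run(false, false).size() << " records\n";
    std::cout << "resync:      " << Run(false, true).size() << " records\n";
}
```

The stop-on-gap variant never sees the `QUIT` record that follows the loss, which is the visibility cost a defender accepts when an analyzer cannot resynchronize.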