Bug #2093

Handle TCP stream gaps.

Added by Jason Ish about 1 year ago. Updated 11 months ago.

Target version:
Affected Versions:


Currently, if a TCP session has a gap, app-layer parsing is aborted. For some protocols, resyncing may be impossible and this is the best we can do; for others, we can attempt to resync and carry on. This is easier for protocols with well-defined message boundaries that can be probed for.

Basic idea would be to flag the gap. Check if app-layer is configured to support gaps; if so, send the latest data down with a gap flag. Let the application decide. If it sees the data as OK, carry on. If it needs to abort parsing, it can simply return an error code (-1), then the app-layer will abort.

For some, the app-layer may not be able to continue parsing right away, but they may choose not to return an error in hopes that it may sync up on the next segment. This is very likely for record-based protocols.

Note: Work in progress. But didn't see a ticket for it.


#1 Updated by Jason Ish 11 months ago

  • Status changed from Assigned to Closed
  • Target version changed from Soon to 4.0beta1

Last PR:
Merged with:

Includes modifications to the DNS for handling gaps by reprobing after a gap.
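The gap-handling flow described in this ticket, as an added example that is not part of the ticket and not Suricata code: a parser for a constructed record format (magic byte, length byte, payload) that opts in to gaps, reprobes for a record boundary after one, and returns -1 only when it has to abort. `ToyParser`, `FLAG_GAP`, `probe` and `toy_parse` are hypothetical names, and the sketch assumes every delivered segment ends on a record boundary, so nothing is buffered across calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_MAGIC 0xA5  /* constructed toy format: magic, len, payload[len] */
#define FLAG_GAP  0x01  /* hypothetical flag: this data follows a stream gap */

typedef struct {
    int supports_gaps;  /* parser opted in to gap handling */
    int synced;         /* 0 while hunting for a record boundary */
    unsigned records;   /* records parsed so far */
} ToyParser;

/* Probe: a plausible record starts at buf[i] if the magic matches, the record
 * fits, and it is followed by another magic byte or the end of the segment. */
static int probe(const uint8_t *buf, size_t n, size_t i) {
    if (n - i < 2 || buf[i] != REC_MAGIC) return 0;
    size_t end = i + 2 + buf[i + 1];
    return end == n || (end < n && buf[end] == REC_MAGIC);
}

/* Returns 0 to carry on, -1 to tell the caller to abort parsing this flow. */
int toy_parse(ToyParser *p, const uint8_t *buf, size_t n, uint8_t flags) {
    size_t i = 0;
    if (flags & FLAG_GAP) {
        if (!p->supports_gaps) return -1;  /* no gap support: give up */
        p->synced = 0;                     /* boundary is unknown again */
    }
    if (!p->synced) {
        while (i < n && !probe(buf, n, i)) i++;
        if (i == n) return 0;              /* no boundary yet, try next segment */
        p->synced = 1;
    }
    while (i < n) {
        if (!probe(buf, n, i)) return -1;  /* in sync but malformed: abort */
        i += 2 + (size_t)buf[i + 1];
        p->records++;
    }
    return 0;
}

int main(void) {
    ToyParser p = {1, 1, 0};
    /* constructed segment: two bytes of a lost record's tail, then two records */
    const uint8_t seg[] = {0x11, 0x22, 0xA5, 1, 'y', 0xA5, 0};
    int rc = toy_parse(&p, seg, sizeof seg, FLAG_GAP);
    printf("rc=%d records=%u\n", rc, p.records);
    return 0;
}
```

Requiring the probed record to chain into another magic byte or the segment end lowers the chance of locking onto a payload byte that happens to equal the magic value.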
