stream: update GAP detection

Change GAP detection logic. If we encounter missing data before
last_ack, we know we have missed data. The receiving host has ack'd
it already, so a retransmission of the missing data is highly
unlikely.

src/stream-tcp-reassemble.c

@@ -2999,22 +2999,6 @@ int StreamTcpReassembleAppLayer (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
                 data_len = 0;
             }
 
-            /* in midstream the window is unreliable as we don't know if
-             * window scaling is used. Therefore we assume max wscale and
-             * the window likely much larger than it should be. In our
-             * gap calc we cap it at 25k */
-            uint32_t window = stream->window;
-            if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM) {
-                window = stream->window > 25000 ? 25000 : stream->window;
-                SCLogDebug("midstream: window for gap determination %u (%u)",
-                        window, stream->window);
-            }
-
-            /* don't conclude it's a gap straight away. If ra_base_seq is lower
-             * than last_ack - the window, we consider it a gap. */
-            if (SEQ_GT((stream->last_ack - window), ra_base_seq) ||
-                ssn->state > TCP_ESTABLISHED)
-            {
             /* see what the length of the gap is, gap length is seg->seq -
              * (ra_base_seq +1) */
 #ifdef DEBUG
@@ -3034,7 +3018,6 @@ int StreamTcpReassembleAppLayer (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
             AppLayerHandleTCPData(tv, ra_ctx, p, p->flow, ssn, stream,
                     NULL, 0, flags|STREAM_GAP);
             AppLayerProfilingStore(ra_ctx->app_tctx, p);
-                data_len = 0;
 
             /* set a GAP flag and make sure not bothering this stream anymore */
             SCLogDebug("STREAMTCP_STREAM_FLAG_GAP set");
@@ -3046,14 +3029,6 @@ int StreamTcpReassembleAppLayer (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
             dbg_app_layer_gap++;
 #endif
             break;
-            } else {
-                SCLogDebug("possible GAP, but waiting to see if out of order "
-                        "packets might solve that");
-#ifdef DEBUG
-                dbg_app_layer_gap_candidate++;
-#endif
-                break;
-            }
         }
 
         int partial = FALSE;
@@ -3369,22 +3344,6 @@ static int StreamTcpReassembleRaw (TcpReassemblyThreadCtx *ra_ctx,
                 smsg = NULL;
             }
 
-            /* in midstream the window is unreliable as we don't know if
-             * window scaling is used. Therefore we assume max wscale and
-             * the window likely much larger than it should be. In our
-             * gap calc we cap it at 25k */
-            uint32_t window = stream->window;
-            if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM) {
-                window = stream->window > 25000 ? 25000 : stream->window;
-                SCLogDebug("midstream: window for gap determination %u (%u)",
-                        window, stream->window);
-            }
-
-            /* don't conclude it's a gap straight away. If ra_base_seq is lower
-             * than last_ack - the window, we consider it a gap. */
-            if (SEQ_GT((stream->last_ack - window), ra_base_seq) ||
-                ssn->state > TCP_ESTABLISHED)
-            {
             /* see what the length of the gap is, gap length is seg->seq -
              * (ra_base_seq +1) */
 #ifdef DEBUG
@@ -3400,11 +3359,6 @@ static int StreamTcpReassembleRaw (TcpReassemblyThreadCtx *ra_ctx,
              * packet any longer, even if it is retransmitted, as end host will
              * drop it anyway */
             ra_base_seq = seg->seq - 1;
-            } else {
-                SCLogDebug("possible GAP, but waiting to see if out of order "
-                        "packets might solve that");
-                break;
-            }
         }
 
         int partial = FALSE;