on some peculiar alarms
rpang at CS.Princeton.EDU
Thu Sep 25 17:15:34 PDT 2003
A content gap means some packets are not captured by PCAP and thus some
bytes are missing from the reassembled TCP flow. (The basic way to detect
a content gap is when some bytes are not seen being sent but acknowledged
by the received.) Event content_gap is invoked.
If packet drops are not a concern for you, you can comment out the
content_gap event in weird.bro.
On Thu, 25 Sep 2003, Anton Chuvakin, Ph.D. wrote:
> Since this list is the only forum on Bro, I will shoot my question here
> (even not being sure whether its appropriate) :-)
> I keep seing this alert - ContentGap - in HTTP and SMTP traffic. What does
> it actually mean? I suspect reading the *.cc files is the only way to
> really know it, but maybe somebody can explain it?
> On anothet note, there seems to be a minor bug in dropped packet counting.
> Here is what I got today:
> 1064520794.493349 DroppedPackets dropped 633 packets out of -692 received
> Anton Chuvakin, Ph.D., GCIA, GCIH - http://www.info-secure.org
> Senior Security Analyst
> Product Management Group
> netForensics - http://www.netForensics.com
More information about the Bro