on some peculiar alarms
vern at icir.org
Mon Sep 29 22:44:09 PDT 2003
> Since this list is the only forum on Bro
Actually, it's not, there's also bro-devel at lbl.gov, for discussion of new
Bro releases and Bro development issues, though I don't seem to be able
to get folks to use it.
> I will shoot my question here
> (even not being sure whether it's appropriate) :-)
(it strikes me as appropriate here)
> I keep seeing this alert - ContentGap - in HTTP and SMTP traffic. What does
> it actually mean?
One addition to Ruoming's reply: you will also get this running off-line
on trace files that are missing some of the connection packets due to
them being omitted when the trace was originally recorded (for example,
due to calls to set_record_packets()).
> On another note, there seems to be a minor bug in dropped packet counting.
> Here is what I got today:
> 1064520794.493349 DroppedPackets dropped 633 packets out of -692 received
Here Bro is only reporting what libpcap passes along to it. So this likely
reflects a deficiency/inconsistency in how the kernel reports the number
of received packets to libpcap. What OS are you running under?
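A small added example, not part of the original thread or of Bro itself: a parser for DroppedPackets alarm lines of the form quoted above that treats a negative counter as "libpcap/kernel statistics cannot be trusted" rather than as a real drop figure. The second sample line and the alarm format regex are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format of the alarm line quoted in the thread (assumed to be stable):
# "1064520794.493349 DroppedPackets dropped 633 packets out of -692 received"
DROPPED_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+DroppedPackets\s+dropped\s+(?P<dropped>-?\d+)\s+packets"
    r"\s+out\s+of\s+(?P<received>-?\d+)\s+received\s*$"
)


@dataclass
class DropReport:
    ts: float
    dropped: int
    received: int

    @property
    def consistent(self) -> bool:
        # Bro relays libpcap's pcap_stat counters as-is; those are unsigned
        # kernel counters, so a negative value means the OS/libpcap reporting
        # is broken, not that the sensor really saw "-692" packets.
        return self.dropped >= 0 and self.received >= 0

    @property
    def drop_ratio(self) -> Optional[float]:
        # Only meaningful when the counters are sane and non-zero.
        if not self.consistent or self.received == 0:
            return None
        return self.dropped / self.received


def parse_dropped_packets(line: str) -> Optional[DropReport]:
    m = DROPPED_RE.match(line.strip())
    if not m:
        return None
    return DropReport(float(m["ts"]), int(m["dropped"]), int(m["received"]))


def triage(lines: List[str]) -> List[Tuple[float, str]]:
    """Label each alarm: 'inconsistent-stats', 'drops' or 'ok'."""
    out = []
    for line in lines:
        r = parse_dropped_packets(line)
        if r is None:
            continue  # not a DroppedPackets alarm; leave it to other handlers
        if not r.consistent:
            out.append((r.ts, "inconsistent-stats"))
        elif r.dropped > 0:
            out.append((r.ts, "drops"))
        else:
            out.append((r.ts, "ok"))
    return out


# Constructed sample: the line from the thread plus one well-formed report.
SAMPLE = [
    "1064520794.493349 DroppedPackets dropped 633 packets out of -692 received",
    "1064520800.000000 DroppedPackets dropped 10 packets out of 1000 received",
]
```

Running `triage(SAMPLE)` flags the first line as an OS/libpcap statistics inconsistency and reports the second as genuine drops with a 1% drop ratio.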