on some peculiar alarms

Vern Paxson vern at icir.org
Mon Sep 29 22:44:09 PDT 2003

> Since this list is the only forum on Bro

Actually, it's not, there's also bro-devel at lbl.gov, for discussion of new
Bro releases and Bro development issues, though I don't seem to be able
to get folks to use it.

> I will shoot my question here
> (even not being sure whether its appropriate) :-)

(it strikes me as appropriate here)

> I keep seeing this alert - ContentGap - in HTTP and SMTP traffic. What does
> it actually mean?

One addition to Ruoming's reply: you will also get this running off-line
on trace files that are missing some of the connection packets due to
them being omitted when the trace was originally recorded (for example,
due to calls to set_record_packets()).

> On another note, there seems to be a minor bug in dropped packet counting.
> Here is what I got today:
> 1064520794.493349 DroppedPackets dropped 633 packets out of -692 received

Here Bro is only reporting what libpcap passes along to it.  So this likely
reflects a deficiency/inconsistency in how the kernel reports the number
of received packets to libpcap.  What OS are you running under?
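As an added illustration of what a ContentGap reports (example code written for this page, not Bro's own implementation), the function below finds holes in one direction of a TCP byte stream from the segments an analyzer actually saw; the sample segments are constructed to mimic a trace from which two data packets were never recorded.

```python
"""Locate content gaps in one direction of a TCP stream.

A content gap is a range of stream bytes the analyzer never saw, e.g. because
the packets carrying them were dropped or were not written to the trace file.
Constructed example; not Bro's own gap-detection code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    length: int   # payload bytes carried by this segment


def find_content_gaps(segments, stream_end=None):
    """Return [(first_missing_seq, missing_bytes), ...] for each hole.

    Retransmitted and overlapping segments are merged, so only bytes that were
    never delivered count as a gap. If stream_end (e.g. the FIN's sequence
    number) is given, a hole before the end of the stream is reported too.
    """
    seen = sorted((s.seq, s.seq + s.length) for s in segments if s.length > 0)
    gaps = []
    if not seen:
        return gaps
    cur_end = seen[0][1]
    for start, end in seen[1:]:
        if start > cur_end:
            # Bytes cur_end .. start-1 were never seen: a content gap.
            gaps.append((cur_end, start - cur_end))
            cur_end = end
        else:
            cur_end = max(cur_end, end)
    if stream_end is not None and stream_end > cur_end:
        gaps.append((cur_end, stream_end - cur_end))
    return gaps


# Constructed sample: a server response of five full-size segments plus a
# short tail, where the 3rd and 4th segments were not recorded in the trace.
# One retransmission of the first segment is included to show it is merged.
SAMPLE_SEGMENTS = [
    Segment(1, 1460), Segment(1461, 1460), Segment(1, 1460),
    Segment(5841, 1460), Segment(7301, 400),
]

if __name__ == "__main__":
    for seq, missing in find_content_gaps(SAMPLE_SEGMENTS):
        print(f"ContentGap: {missing} bytes missing starting at seq {seq}")
```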
