[Bro] content gaps (Re: Notice.log)
geek00l at gmail.com
Fri Dec 15 11:37:54 PST 2006
Thanks for the explanation.
On 12/13/06, Vern Paxson <vern at icir.org> wrote:
> > I'm wondering what
> > is actually indicated by content gap
> A content gap occurs when Bro's TCP stream reassembler frees up memory
> allocated to previous TCP segments and some of those segments were never
> delivered (i.e., were never in-sequence). It generally indicates the
> presence of measurement drops (similar to ack_above_hole), though can
> also occur when running on traces that have been filtered.
> > I would like to
> > know what Content Gap means and the rate (> 1/175) or (> 1/1400).
> It's not a rate but rather a range of sequence numbers, so in the
> second case, it ranges for 1400 bytes starting at sequence #1 to.
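
Added example (not part of the original thread, and not Bro's code): a simplified model of an in-order TCP reassembler that records a content gap as a (starting sequence number, length) pair whenever it gives up on bytes it never saw. The class and function names, the relative sequence numbering starting at 1, and the max_buffered limit are assumptions made for illustration. With the first 1400 bytes missing it reports (1, 1400), the reading given above for "1/1400".

```python
# Simplified model of in-order TCP reassembly; not Bro's implementation.
class Reassembler:
    def __init__(self, max_buffered=4096):
        self.next_seq = 1          # relative seq of the next in-order byte
        self.pending = {}          # seq -> payload held while out of order
        self.max_buffered = max_buffered   # assumed memory budget in bytes
        self.delivered = bytearray()
        self.gaps = []             # (start_seq, length) never delivered

    def segment(self, seq, payload):
        if seq + len(payload) <= self.next_seq:
            return                                  # pure retransmission
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        self._drain()
        # Memory pressure: give up on the hole in front of the oldest segment.
        while sum(map(len, self.pending.values())) > self.max_buffered:
            self._skip_hole()

    def _drain(self):
        # Deliver every buffered segment that is now in sequence.
        while self.pending and min(self.pending) <= self.next_seq:
            seq = min(self.pending)
            payload = self.pending.pop(seq)
            fresh = payload[self.next_seq - seq:]   # trim overlap
            self.delivered += fresh
            self.next_seq += len(fresh)

    def _skip_hole(self):
        # The bytes between next_seq and the oldest buffered segment were
        # never seen (e.g. dropped by the capture): record them as a gap.
        start = min(self.pending)
        self.gaps.append((self.next_seq, start - self.next_seq))
        self.next_seq = start
        self._drain()

    def finish(self):
        # Connection teardown: anything still buffered sits behind a hole.
        while self.pending:
            self._skip_hole()
        return self.gaps


def demo_dropped_first_segment():
    # Constructed input: the monitor missed bytes 1..1400, then saw 100 bytes.
    r = Reassembler()
    r.segment(1401, b"x" * 100)
    return r.finish()
```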