[Bro] content gaps (Re: Notice.log)

CS Lee geek00l at gmail.com
Fri Dec 15 11:37:54 PST 2006


Thanks for the explanation.

On 12/13/06, Vern Paxson <vern at icir.org> wrote:
> > I'm wondering what
> > is actually indicated by content gap
> A content gap occurs when Bro's TCP stream reassembler frees up memory
> allocated to previous TCP segments and some of those segments were never
> delivered (i.e., were never in-sequence).  It generally indicates the
> presence of measurement drops (similar to ack_above_hole), though can
> also occur when running on traces that have been filtered.
> > I would like to
> > know what Content Gap means and the rate (> 1/175) or (> 1/1400).
> It's not a rate but rather a range of sequence numbers, so in the
> second case, it ranges for 1400 bytes starting at sequence #1 to.
>                 Vern

Best Regards,

CS Lee<geekooL[at]gmail.com>
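
Added example (not part of the original messages, and not Bro's code): a simplified Python model of the behaviour Vern describes, where freeing reassembler state reports bytes that were never delivered in sequence as a content gap, given as a starting sequence number and a length in bytes. The class and method names, the explicit trim() trigger and the sample segments are assumptions constructed for illustration.

```python
class Reassembler:
    """Toy one-directional TCP stream reassembler using relative sequence numbers."""

    def __init__(self):
        self.next_seq = 1            # next in-sequence byte expected
        self.pending = {}            # seq -> payload buffered behind a hole
        self.delivered = bytearray() # bytes handed to the analyzer in order
        self.gaps = []               # (start_seq, length) content gaps

    def _deliver(self, seq, data):
        # Deliver only the part of the segment not already delivered.
        if seq + len(data) > self.next_seq:
            fresh = data[self.next_seq - seq:]
            self.delivered += fresh
            self.next_seq += len(fresh)

    def _drain(self):
        # Deliver buffered segments that have become in-sequence.
        while self.pending and min(self.pending) <= self.next_seq:
            seq = min(self.pending)
            self._deliver(seq, self.pending.pop(seq))

    def segment(self, seq, data):
        if seq > self.next_seq:
            self.pending[seq] = data  # hole in front of it: buffer, do not deliver
            return
        self._deliver(seq, data)
        self._drain()

    def trim(self, upto):
        """Free state below `upto`; bytes never seen are recorded as content gaps."""
        while self.next_seq < upto:
            hole_end = min(min(self.pending, default=upto), upto)
            self.gaps.append((self.next_seq, hole_end - self.next_seq))
            self.next_seq = hole_end  # skip the hole, then resume delivery
            self._drain()
        return self.gaps


def demo():
    # Constructed trace: the capture dropped the first 1400-byte segment.
    r = Reassembler()
    r.segment(1401, b"B" * 1400)
    r.segment(2801, b"C" * 1400)
    return r.trim(4201), len(r.delivered)


if __name__ == "__main__":
    for start, length in demo()[0]:
        print(f"content gap: {start}/{length}")
```
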