[Bro] ContentGap problem in offline traces

Thomas, Eric D. edthoma at sandia.gov
Tue Mar 20 16:46:35 PDT 2007


Hi,

I have an HTTP trace where I downloaded a 20 meg executable (no encoding).
The trace was created by tcpdump, not bro. It was suggested in the archives
that if one gets a lot of ContentGap errors when processing a trace off-line
it is likely because there are missing packets in the trace. I'm sure my
trace has all of the packets because if I run tcpflow on the trace and
remove all of the HTTP headers from the larger of the two resulting files, I
get a file that is the same size as the executable I downloaded.

When I process the trace offline with bro (I have a custom policy that
writes the HTTP data out using the http_entity_data event) I get a lot of
ContentGap errors. The size of the written file is smaller than the size of
the executable. When I add up all of the missing bytes reported by the many
ContentGap notices, the sum is exactly the difference between the size (in
bytes) of the executable and the size of the written file. Therefore, I
assume that Bro is not passing the "missing" data to the http_entity_data
handler.

When all of the packets are in the trace and my filter (according to
print-filter) is "tcp or icmp or udp", what else is a common cause of the
ContentGap notice? Is there some tweak that I need to make to account for
larger gaps/windows?

Eric Thomas
edthoma [you know what to do] sandia.gov
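An added example, not part of the post above or of Bro itself: a stand-alone check for the "missing packets in the trace" hypothesis behind ContentGap. It takes one direction of a TCP stream as constructed (relative sequence number, payload length) pairs, merges the byte ranges the segments actually carried (retransmissions and out-of-order segments included), and reports the holes a reassembler would have to skip; in a real run the pairs would come from a pcap parser, which is left out to keep the block offline.

```python
# Added example (not from the original post or from Bro): locate the byte
# ranges of a TCP stream that no captured segment carried.  These are the
# holes a stream reassembler reports as content gaps, so their sum should
# match (expected file size - bytes written), as the post observes.
# Input is one direction of the stream as (relative_seq, payload_len) pairs;
# the sample below is constructed, not taken from a real trace.

from typing import List, Tuple

Segment = Tuple[int, int]   # (relative sequence number, payload length)
Gap = Tuple[int, int]       # (first missing byte offset, bytes missing)


def covered_ranges(segments: List[Segment]) -> List[Tuple[int, int]]:
    """Merge segments into sorted, non-overlapping [start, end) byte ranges."""
    ranges = sorted((seq, seq + ln) for seq, ln in segments if ln > 0)
    merged: List[Tuple[int, int]] = []
    for start, end in ranges:
        if merged and start <= merged[-1][1]:      # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def find_gaps(segments: List[Segment], stream_len: int) -> List[Gap]:
    """Byte ranges within [0, stream_len) that no segment ever carried."""
    gaps: List[Gap] = []
    expected = 0
    for start, end in covered_ranges(segments):
        if start > expected:
            gaps.append((expected, start - expected))
        expected = max(expected, end)
    if expected < stream_len:                      # capture ends before the stream does
        gaps.append((expected, stream_len - expected))
    return gaps


def missing_bytes(segments: List[Segment], stream_len: int) -> int:
    """Total gap size; compare against expected_size - bytes_written."""
    return sum(ln for _, ln in find_gaps(segments, stream_len))


# Constructed sample: a 10,000-byte response in 1,460-byte segments.  The
# segment at offset 4380 is absent, (1460, 1460) appears twice as a
# retransmission, and nothing was captured after offset 8760.
SAMPLE_SEGMENTS: List[Segment] = [
    (0, 1460), (1460, 1460), (2920, 1460), (1460, 1460), (5840, 1460), (7300, 1460),
]
SAMPLE_LEN = 10000

if __name__ == "__main__":
    for offset, ln in find_gaps(SAMPLE_SEGMENTS, SAMPLE_LEN):
        print(f"gap: {ln} bytes missing at offset {offset}")
    print("total missing:", missing_bytes(SAMPLE_SEGMENTS, SAMPLE_LEN))
```

If this reports no gaps for a stream that Bro still flags, the trace really is complete and the cause lies elsewhere than packet loss in the capture.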