[Bro] Help with searching logs
seth at icir.org
Wed Apr 3 18:12:16 PDT 2013
On Apr 3, 2013, at 4:47 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:
> Looks like resp_bytes is not being properly shown sometimes. Hmm, missed_bytes seems to be large here, too. Sigh - I still don't know what's going on. If missed_bytes is nonzero, the orig and resp bytes can't be trusted. More work and research.
The orig_bytes and resp_bytes fields can still be trusted even with missed_bytes being something greater than zero. Those two fields are calculated with TCP sequence number counting and so they can cope with packet loss.
International Computer Science Institute
(Bro) because everyone has a network
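To make the point above concrete, here is a small model of sequence-number-based byte counting with a separate gap counter. This is an added example, not Bro's reassembler code and not part of the original thread; the Endpoint class, the analyze() helper, the two capture tuples and the assumption that the SYN of each side was captured (no mid-stream pickup) are my own. It shows that the per-direction byte count taken from sequence numbers stays correct when a segment never reaches the sensor, that retransmissions are not double-counted, and that the arithmetic survives a 32-bit wraparound.

```python
"""Added example (not Bro/Zeek code): per-direction TCP byte accounting from
sequence numbers, with a separate gap counter in the spirit of conn.log's
orig_bytes/resp_bytes and missed_bytes."""
from dataclasses import dataclass
from typing import Optional

SEQ_MOD = 1 << 32       # TCP sequence numbers are 32-bit and wrap around
HALF = SEQ_MOD >> 1


def seq_sub(a: int, b: int) -> int:
    """Forward distance from b to a in 32-bit sequence space (a - b mod 2^32)."""
    return (a - b) % SEQ_MOD


def seq_after(a: int, b: int) -> bool:
    """True when a lies strictly ahead of b, tolerating wraparound."""
    return 0 < seq_sub(a, b) < HALF


@dataclass
class Endpoint:
    """State for one direction of a TCP connection (originator or responder)."""
    isn: Optional[int] = None        # sequence number carried by this side's SYN
    next_seq: Optional[int] = None   # next sequence number we expect to see
    fin_seen: bool = False
    captured_bytes: int = 0          # payload bytes physically present in the capture
    missed_bytes: int = 0            # payload bytes skipped over because of a gap

    def observe(self, seq: int, payload_len: int, syn: bool = False, fin: bool = False) -> None:
        if syn:
            self.isn = seq
            self.next_seq = (seq + 1) % SEQ_MOD     # the SYN consumes one sequence number
            return
        if self.next_seq is None:
            # Assumption of this example: the SYN was captured; mid-stream pickup is not modelled.
            raise ValueError("data segment seen before SYN")
        end = (seq + payload_len) % SEQ_MOD
        if seq_after(seq, self.next_seq):
            # Segment starts past where we are: everything in between never reached the sensor.
            self.missed_bytes += seq_sub(seq, self.next_seq)
            self.next_seq = seq
        if seq_after(end, self.next_seq):
            # Count only bytes not already accounted for (retransmits/overlaps add nothing).
            self.captured_bytes += seq_sub(end, self.next_seq)
            self.next_seq = end
        if fin:
            self.fin_seen = True
            self.next_seq = (self.next_seq + 1) % SEQ_MOD   # the FIN consumes one sequence number

    def bytes_from_seq(self) -> int:
        """Payload bytes this side sent, derived from sequence numbers alone
        (the orig_bytes/resp_bytes idea); independent of which packets were captured."""
        if self.isn is None or self.next_seq is None:
            return 0
        return seq_sub(self.next_seq, self.isn) - 1 - (1 if self.fin_seen else 0)


def analyze(segments):
    """segments: (direction, seq, payload_len, flags) tuples in capture order,
    direction in {"orig", "resp"}, flags a string containing 'S' and/or 'F'."""
    eps = {"orig": Endpoint(), "resp": Endpoint()}
    for direction, seq, plen, flags in segments:
        eps[direction].observe(seq, plen, syn="S" in flags, fin="F" in flags)
    return {d: {"bytes": e.bytes_from_seq(), "captured": e.captured_bytes,
                "missed": e.missed_bytes} for d, e in eps.items()}


# Constructed capture: a 200-byte request and a 4880-byte response whose second
# 1460-byte segment never reached the sensor, plus one retransmitted segment.
LOSSY_CAPTURE = [
    ("orig", 1000, 0, "S"),
    ("resp", 5000, 0, "S"),
    ("orig", 1001, 200, ""),
    ("resp", 5001, 1460, ""),
    # ("resp", 6461, 1460, "")   <- dropped before it reached the sensor
    ("resp", 7921, 1460, ""),
    ("resp", 9381, 500, ""),
    ("resp", 9381, 500, ""),     # retransmission: must not be double-counted
    ("resp", 9881, 0, "F"),
    ("orig", 1201, 0, "F"),
]

# Constructed capture whose responder ISN sits 100 below 2^32, so the stream wraps.
WRAP_CAPTURE = [
    ("orig", 1000, 0, "S"),
    ("resp", SEQ_MOD - 100, 0, "S"),
    ("resp", SEQ_MOD - 99, 150, ""),
    ("resp", 51, 0, "F"),
]

if __name__ == "__main__":
    for name, cap in (("lossy", LOSSY_CAPTURE), ("wrap", WRAP_CAPTURE)):
        print(name, analyze(cap))
```

In the lossy capture the responder's sequence-number-derived count is 4880 bytes, the same figure the sender actually put on the wire, while only 3420 bytes are present in the capture and 1460 are reported as missed. In this model captured plus missed always equals the sequence-number count; a real sensor additionally has to cope with streams picked up mid-connection, where no SYN fixes the starting point.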