[Bro] Help with searching logs

Seth Hall seth at icir.org
Wed Apr 3 18:12:16 PDT 2013

On Apr 3, 2013, at 4:47 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:

> Looks like resp_bytes is not being properly shown sometimes. Hmm, missed_bytes seems to be large here, too. Sigh - I still don't know what's going on. If missed_bytes is nonzero, the orig and resp bytes can't be trusted. More work and research.

The orig_bytes and resp_bytes fields can still be trusted even with missed_bytes being something greater than zero.  Those two fields are calculated with TCP sequence number counting and so they can cope with packet loss.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
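The distinction Seth draws above (byte counts from TCP sequence numbers versus missed_bytes as a content-gap indicator) is easy to operationalise when reading conn.log. The following Python script is an added example, not code from the thread or from the Bro project: it parses a small, constructed Bro 2.x conn.log sample embedded inline, keeps orig_bytes/resp_bytes as the volume figures, and uses missed_bytes only to judge how much of that payload the sensor actually saw. The field names and the TSV header lines follow the standard conn.log layout; the sample rows and UIDs are made up.

```python
"""Separate byte-volume fields from content-completeness in a Bro conn.log.

orig_bytes / resp_bytes are derived from TCP sequence-number accounting, so
they remain usable when packets were dropped; missed_bytes tells you how much
of that payload never reached the sensor (and therefore never reached any
content-based analysis such as signatures or file extraction).
"""
from typing import Dict, List, Optional

# Constructed conn.log sample in the Bro 2.x ASCII writer layout (not real
# capture data). "-" is the unset marker; "(empty)" is an empty set.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\ttable[string]
1365034000.000000\tCAAAA1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp\t1.5\t420\t98000\tSF\t-\t0\tShADadfF\t60\t3600\t80\t102000\t(empty)
1365034001.000000\tCAAAA2\t10.0.0.6\t51001\t192.0.2.11\t443\ttcp\tssl\t3.2\t1200\t500000\tSF\t-\t120000\tShADadfF\t90\t5000\t300\t400000\t(empty)
1365034002.000000\tCAAAA3\t10.0.0.7\t53001\t192.0.2.12\t53\tudp\tdns\t0.01\t40\t-\tS0\t-\t0\tD\t1\t68\t0\t0\t(empty)
#close\t2013-04-03-18-00-00
"""


def parse_conn_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Bro ASCII log text into one dict per row, using the #fields header.

    Unset values (the #unset_field marker, "-" by default) become None so that
    a missing resp_bytes is never silently read as the string "-".
    """
    fields: Optional[List[str]] = None
    unset = "-"
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # other header lines (#types, #path, #close, ...) are not needed here
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, header has {len(fields)}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def _count(value: Optional[str]) -> int:
    """Bro 'count' column: unset means nothing was observed, i.e. zero."""
    return int(value) if value is not None else 0


def completeness(records: List[Dict[str, Optional[str]]]) -> Dict[str, Dict[str, object]]:
    """Per-connection summary keyed by uid.

    payload_bytes is the sequence-number-based volume (still trustworthy under
    loss); missed_fraction is the share of that payload the sensor never saw.
    """
    summary: Dict[str, Dict[str, object]] = {}
    for r in records:
        orig, resp, missed = _count(r["orig_bytes"]), _count(r["resp_bytes"]), _count(r["missed_bytes"])
        total = orig + resp
        summary[str(r["uid"])] = {
            "orig_bytes": orig,
            "resp_bytes": resp,
            "missed_bytes": missed,
            "payload_bytes": total,
            "missed_fraction": (missed / total) if total else 0.0,
            "content_complete": missed == 0,
        }
    return summary


def unreliable_content(summary: Dict[str, Dict[str, object]], max_fraction: float = 0.0) -> List[str]:
    """UIDs whose content analysis should be treated as incomplete.

    With the default threshold any gap at all flags the connection; raise
    max_fraction to tolerate small gaps in very large transfers.
    """
    return sorted(uid for uid, s in summary.items() if float(s["missed_fraction"]) > max_fraction)


if __name__ == "__main__":
    report = completeness(parse_conn_log(SAMPLE_CONN_LOG))
    for uid, s in report.items():
        print(uid, s["payload_bytes"], "bytes,", f"{100 * float(s['missed_fraction']):.1f}% missed")
    print("content incomplete:", unreliable_content(report))
```

The volume statistics (payload_bytes) are reported for every row, including the one with a large gap; the gap only changes what you should conclude about content-dependent results for that connection, not the byte counts themselves.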
