[Bro] possible bug with smtp analyzer/trans_depth issue

erik clark philosnef at gmail.com
Wed Oct 12 08:22:53 PDT 2016


Yep, these are all on the same connection, which is why we are interested
in tracking this. :)

On Wed, Oct 12, 2016 at 11:20 AM, Seth Hall <seth at icir.org> wrote:

>
> > On Oct 11, 2016, at 12:40 PM, erik clark <philosnef at gmail.com> wrote:
> >
> > We were researching an issue where we have multiple smtp messages
> in the same uid (normal), but where every message has the same
> trans_depth... When the pcap is run against bro manually, we get the
> correct number of trans_depth values. Packet loss on the systems is very
> low (below .5%), so I can't exactly chalk it up to traffic issues.
>
> Are these all on the same TCP connection? (the uid field).  You could just
> be seeing the message flow over multiple connections as it's passed around
> from mail server to mail server.  The trans_depth only refers to the depth
> of messages passed between hosts within a single TCP connection since many
> message transfers can be pipelined within a TCP connection.
>
> I agree that this is unlikely to be a side effect of packet loss.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
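As an added example that is not part of the thread (the log lines below are constructed, and the #fields list is cut down to the columns that matter), here is a small Python check that parses a Bro smtp.log by its #fields header, groups the entries by uid, and flags every connection that logged more than one message without trans_depth climbing 1, 2, ..., n. Bro numbers trans_depth from 1 for the first message of a connection, so a uid with several messages that all carry the same value is exactly the symptom Erik describes; the uids, addresses and timestamps are made up.

```python
"""Flag Bro smtp.log connections whose pipelined messages share a trans_depth.

Added example, not code from the Bro project.  The log below is constructed
and abbreviated: only a subset of the real smtp.log #fields is present.
"""

from collections import defaultdict

# Constructed, abbreviated smtp.log in the Bro ASCII writer layout.
# CHhAvVGS1DHFjwGM9 : three pipelined messages, trans_depth 1,2,3 (expected)
# C4J4Th3PJpwUYZZ6gc: three messages that all report trans_depth 1 (symptom)
# CXWv6p3arKYeMETxOg: a single message (nothing to compare)
SAMPLE_SMTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tsmtp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmailfrom\trcptto\tsubject
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tset[string]\tstring
1476281000.100000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t43210\t10.0.0.25\t25\t1\talice@example.com\tbob@example.net\tfirst
1476281000.400000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t43210\t10.0.0.25\t25\t2\talice@example.com\tbob@example.net\tsecond
1476281000.700000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t43210\t10.0.0.25\t25\t3\talice@example.com\tbob@example.net\tthird
1476281001.100000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.6\t51022\t10.0.0.25\t25\t1\tcarol@example.com\tdave@example.net\tinvoice
1476281001.500000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.6\t51022\t10.0.0.25\t25\t1\tcarol@example.com\tdave@example.net\tinvoice again
1476281001.900000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.6\t51022\t10.0.0.25\t25\t1\tcarol@example.com\tdave@example.net\tinvoice once more
1476281002.300000\tCXWv6p3arKYeMETxOg\t10.0.0.7\t60001\t10.0.0.25\t25\t1\terin@example.com\tfrank@example.net\thello
#close\t2016-10-12-15-20-00
"""


def parse_smtp_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by the #fields names.

    Header lines (#separator, #types, #close, ...) are skipped; only #fields
    is used, so the parser works for any column subset the log carries.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch on line: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def trans_depths_by_uid(records):
    """Map each uid to its trans_depth values in log order."""
    depths = defaultdict(list)
    for rec in records:
        depths[rec["uid"]].append(int(rec["trans_depth"]))
    return dict(depths)


def find_stuck_trans_depth(records):
    """Return {uid: [depths]} for connections with more than one message whose
    trans_depth sequence is not 1, 2, ..., n.  Single-message connections are
    never reported: one message at depth 1 is correct."""
    stuck = {}
    for uid, depths in trans_depths_by_uid(records).items():
        if len(depths) > 1 and depths != list(range(1, len(depths) + 1)):
            stuck[uid] = depths
    return stuck


if __name__ == "__main__":
    found = find_stuck_trans_depth(parse_smtp_log(SAMPLE_SMTP_LOG))
    for uid, depths in sorted(found.items()):
        print("%s: %d messages, trans_depth values %s" % (uid, len(depths), depths))
```

Run against a real smtp.log (same parser, full #fields header), a non-empty result from find_stuck_trans_depth is the set of uids to compare with a manual `bro -r` run of the matching pcap, which is the check the thread is working towards.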