[Bro] Content gap breaks application layer analysis

duhang darkheaven1983 at gmail.com
Mon Feb 6 01:13:38 PST 2017


I'm using Bro, which listens on a NIC connected to a mirror port on a switch,
to dump HTTP requests/responses and SMTP email for further analysis.
The packets received from the mirror port are massively
disordered (unseen ACKed in Wireshark). I saw a lot of content gap events,
which skip the following packets received. A lot of incomplete HTTP/SMTP
logs exist, which means a relatively high packet loss rate from the application
layer's perspective. Is there any workaround/solution to have
bi-directional reassembly in this case?
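As an added example (not part of the original post or the Bro distribution), a small Bro script that counts content gaps per connection and direction, so the capture-side loss behind the incomplete HTTP/SMTP logs can be quantified before changing the mirror or reassembly setup. The `content_gap` and `connection_state_remove` events are Bro's own; the `GapStats` module, log stream and field names are assumptions chosen for this example.

```zeek
# Added example: per-connection content gap accounting (not Bro's own code).
module GapStats;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time    &log;   # time of the first gap on this connection
        uid:       string  &log;   # Bro connection uid, for joining with conn.log
        id:        conn_id &log;
        orig_gaps: count   &log &default=0;  # gaps in the originator's stream
        resp_gaps: count   &log &default=0;  # gaps in the responder's stream
        gap_bytes: count   &log &default=0;  # total bytes the reassembler skipped
    };
}

# Attach the per-connection counters to the connection record.
redef record connection += {
    gapstats: Info &optional;
};

event bro_init()
{
    # Writes content_gaps.log next to http.log and smtp.log.
    Log::create_stream(GapStats::LOG, [$columns=Info, $path="content_gaps"]);
}

# Fired by the TCP reassembler when it skips over a hole of `length` bytes.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
    if ( ! c?$gapstats )
        c$gapstats = [$ts=network_time(), $uid=c$uid, $id=c$id];

    if ( is_orig )
        ++c$gapstats$orig_gaps;
    else
        ++c$gapstats$resp_gaps;

    c$gapstats$gap_bytes += length;
}

# Log one line per connection that saw at least one gap.
event connection_state_remove(c: connection)
{
    if ( c?$gapstats )
        Log::write(GapStats::LOG, c$gapstats);
}
```

A skew toward one direction in content_gaps.log points at the mirror session (for example, only one side of the port being mirrored or the span port being oversubscribed) rather than at Bro's reassembly.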