[Bro] Content gap breaks application layer analysis
darkheaven1983 at gmail.com
Mon Feb 6 01:13:38 PST 2017
I'm using Bro listening on a NIC connected to a mirror port of a switch, to
dump HTTP request/response and SMTP email for further analysis. The packets
received from the mirror port are massively out of order (Unseen ACKed in
Wireshark). I see a lot of content gap events, which skip the following
packets received. A lot of incomplete HTTP/SMTP logs exist, which means a
high packet loss rate from the application layer's perspective. Is there any
workaround/solution to have bi-directional reassembly in this case?
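Added diagnostic script for the situation described above (not part of the original post, and not Bro's own code): it hooks the `content_gap` event that Bro raises whenever the TCP reassembler detects missing bytes, logs every gap with the connection it belongs to, and reports totals at shutdown. Running it alongside the HTTP/SMTP analyzers gives a measurable gap rate, which makes it possible to tell whether the missing data is being lost in the capture path (mirror port, NIC, ring buffer) before Bro ever sees it. The module name `GapStats` and the log path `content_gaps` are chosen here and are not Bro conventions.

```bro
# Added example: quantify content gaps seen by Bro's TCP reassembler.
# Module and log names are assumptions made for this example.

module GapStats;

export {
    redef enum Log::ID += { LOG };

    # One record per content_gap event.
    type Info: record {
        ts:      time    &log;   # network time when the gap was detected
        uid:     string  &log;   # connection UID (matches conn.log)
        id:      conn_id &log;   # 4-tuple of the connection
        is_orig: bool    &log;   # T if the gap is in originator->responder data
        seq:     count   &log;   # relative sequence number where the gap starts
        length:  count   &log;   # number of bytes missing
    };
}

# Running totals, kept in memory for the summary printed at shutdown.
global gaps_per_conn: table[string] of count &default=0;
global total_gaps = 0;
global total_gap_bytes = 0;

event bro_init()
    {
    Log::create_stream(GapStats::LOG, [$columns=Info, $path="content_gaps"]);
    }

# content_gap(c, is_orig, seq, length) is raised by the reassembler when
# it gives up waiting for a hole in the byte stream to be filled.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
    {
    ++total_gaps;
    total_gap_bytes += length;
    ++gaps_per_conn[c$uid];

    Log::write(GapStats::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                               $is_orig=is_orig, $seq=seq, $length=length]);
    }

event bro_done()
    {
    print fmt("content gaps: %d events, %d bytes missing, %d connections affected",
              total_gaps, total_gap_bytes, |gaps_per_conn|);
    }
```

Load it with the rest of the local policy (for example `bro -i eth0 local gapstats.bro`, where `gapstats.bro` is the file name assumed here). If most connections in `content_gaps.log` show gaps in both directions and the totals track the link's packet rate, the bytes were never delivered to Bro and no reassembler setting can recover them; the fix is in the capture path (mirror-port oversubscription, NIC offload settings, or capture buffer size) rather than in Bro. Bro also ships `policy/misc/capture-loss.bro`, which uses the same event to estimate loss as a percentage over time.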