[Bro] lack of seen_bytes

Stephen Reese rsreese at gmail.com
Thu Sep 28 10:57:16 PDT 2017

I have been experiencing hash misses so to speak with PE files due to
lack of seen_bytes verse total_bytes. Is this indication of a
performance problem which the sensor is overwhelmed therefore cannot
parse the entire file?

e.g. I have a file that's 300832 in which seen_bytes consistently
matches total_bytes and then a hash is provided. Another file is
774200 total_bytes but the seen_bytes usually does not amount to the
total_bytes (sometimes it does).

More information about the Bro mailing list