[Bro] Extract files not authentic copy of file

Seth Hall seth at corelight.com
Fri Feb 23 16:38:38 PST 2018

On 22 Feb 2018, at 21:32, Ambros Novak wrote:

> Im unsure any packets are being dropped. How would I check if packets 
> are being dropped?

One heuristic you can use is the capture_loss.log.  It will give an 
estimated percentage of dropped packets based on TCP analysis.

> Would dropped packets also have duplicated streams? I’m seeing the 
> same text repeated anywhere from 2-4 times in extracted files.

That seems unlikely to me.  The way that the file extraction analyzer 
and the files framework works should prevent this sort of behavior.


Seth Hall * Corelight, Inc * www.corelight.com

More information about the Bro mailing list