[Bro] Extract files not authentic copy of file
seth at corelight.com
Fri Feb 23 16:38:38 PST 2018
On 22 Feb 2018, at 21:32, Ambros Novak wrote:
> I'm unsure any packets are being dropped. How would I check if packets
> are being dropped?
One heuristic you can use is the capture_loss.log. It will give an
estimated percentage of dropped packets based on TCP analysis.
> Would dropped packets also have duplicated streams? I’m seeing the
> same text repeated anywhere from 2-4 times in extracted files.
That seems unlikely to me. The way that the file extraction analyzer
and the files framework work should prevent this sort of behavior.
Seth Hall * Corelight, Inc * www.corelight.com
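
Added example, not part of the original message and not Bro project code: a small reader for capture_loss.log in Bro's default TSV layout that lists the measurement intervals whose estimated loss exceeds a threshold. The sample log lines are constructed, and the function names and the 1.0% default threshold are assumptions made for illustration.

```python
import io

# Constructed sample in Bro's TSV log layout; all values are made up.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1519400000.000000\t900.000000\tworker-1\t0\t48211\t0.000000
1519400900.000000\t900.000000\tworker-1\t1530\t51002\t2.999882
1519400900.000000\t900.000000\tworker-2\t12\t60110\t0.019963
#close\t2018-02-23-16-00-00
"""


def read_bro_log(stream):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record found before the #fields header")
            yield dict(zip(fields, line.split("\t")))


def lossy_intervals(stream, threshold_pct=1.0):
    """Return (ts, peer, percent_lost) for intervals above threshold_pct.

    threshold_pct is an assumed cut-off, not a value from the thread.
    """
    hits = []
    for rec in read_bro_log(stream):
        value = rec.get("percent_lost", "-")
        if value == "-":  # "-" marks an unset field in Bro logs
            continue
        pct = float(value)
        if pct > threshold_pct:
            hits.append((float(rec["ts"]), rec["peer"], pct))
    return hits


if __name__ == "__main__":
    for ts, peer, pct in lossy_intervals(io.StringIO(SAMPLE_LOG)):
        print(f"{ts:.0f} {peer} estimated loss {pct:.2f}%")
```

To check a real sensor, pass an open handle on its capture_loss.log instead of the constructed sample and compare the flagged timestamps with the times of the affected extracted files.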