[Bro-Dev] [JIRA] (BIT-1254) file analysis framework sometimes returns hashes despite missing packets

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 18 11:22:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18105#comment-18105 ] 

Jon Siwek commented on BIT-1254:
--------------------------------

If you mean missing content, then the idea was to abort the hashing for the file since it would be incorrect.  If you mean that you know some particular packets are missing (maybe because you manually modified the capture), then it depends on whether the missing packets actually created gaps -- do you know if that's true?  Looking quickly in Wireshark: it also doesn't seem to report missing bytes in that stream, but does in the other two, so maybe the missing packets were duplicates or control packets?

> file analysis framework sometimes returns hashes despite missing packets
> ------------------------------------------------------------------------
>
>                 Key: BIT-1254
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1254
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: sample-3streams-hole.pcap
>
>
> Putting the attached sample (3 streams, each with missing packets) through the file analysis framework, in files.log I see hashes for one stream but not the other 2. Should I get any hashes if there are missing packets?
> bro -r sample-3streams-hole.pcap frameworks/files/hash-all-files.bro



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-008#64003)
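As an added example (not code from this thread or from Bro itself), here is a small Python check for the question the comment raises: whether the packets missing from one direction of a TCP stream actually left holes in the reassembled byte stream, or were only retransmissions and payload-less control segments that a hash over the content would never notice. The per-packet `(seq, payload_len)` lists are constructed, and 32-bit sequence wraparound is ignored.

```python
# Decide whether "missing packets" in a TCP capture translate into missing
# content. Duplicates/retransmissions overlap bytes already seen and
# payload-less control packets (pure ACK, FIN) carry no content, so neither
# creates a gap; only a jump past the next expected byte does.

def stream_gaps(segments, isn):
    """segments: (seq, payload_len) pairs for one direction, any order.
    isn: the SYN's sequence number; the first data byte is isn + 1.
    Returns absolute [start, end) ranges of bytes that were never captured."""
    # keep only segments that carry payload, as [start, end) intervals
    ivals = sorted((s, s + n) for s, n in segments if n > 0)
    merged = []
    for start, end in ivals:
        # overlap or adjacency: retransmitted data folds into covered range
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    gaps = []
    expected = isn + 1
    for start, end in merged:
        if start > expected:
            gaps.append((expected, start))
        expected = max(expected, end)
    return gaps


def missing_bytes(segments, isn):
    """Total number of content bytes absent from the stream."""
    return sum(end - start for start, end in stream_gaps(segments, isn))


def content_complete(segments, isn):
    """True when a hash over the reassembled content would be trustworthy."""
    return not stream_gaps(segments, isn)


# Constructed captures (hypothetical, ISN 1000 so data starts at byte 1001).
# Dropping the retransmit and the FIN from this one loses packets, not bytes:
STREAM_DUP_ONLY = [(1001, 500), (1501, 500), (1001, 500), (2001, 200), (2201, 0)]
# Here bytes 1501-2000 were never seen, so hashing must be abandoned:
STREAM_HOLE = [(1001, 500), (2001, 500), (2501, 100)]

if __name__ == "__main__":
    for name, segs in (("dup-only", STREAM_DUP_ONLY), ("hole", STREAM_HOLE)):
        print(name, stream_gaps(segs, 1000), "complete:", content_complete(segs, 1000))
```

Running it against a real pcap only requires feeding each direction's `(seq, len(payload))` pairs from your packet parser of choice into `stream_gaps`.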

