[Bro-Dev] [JIRA] (BIT-1254) file analysis framework sometimes returns hashes despite missing packets

Jimmy Jones (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 18 12:06:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18107#comment-18107 ] 

Jimmy Jones commented on BIT-1254:
----------------------------------

Sorry, my bad, there aren't any missing packets in tcp.stream == 1 / tcp.port == 48049. It looks to me as if the stream is cut off (without RST or FIN), but has no missing packets up until that point. However, there are not as many bytes as the Content-Length indicates, so it is definitely truncated. Should I get a hash if this happens?

Sadly I didn't remove the packets, my tcpdump wasn't set up with a large enough buffer when I was trying to do something else and noticed this!

> file analysis framework sometimes returns hashes despite missing packets
> ------------------------------------------------------------------------
>
>                 Key: BIT-1254
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1254
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: sample-3streams-hole.pcap
>
>
> Putting the attached sample (3 streams, each with missing packets) through the file analysis framework, in files.log I see hashes for one stream but not the other 2. Should I get any hashes if there are missing packets?
> bro -r sample-3streams-hole.pcap frameworks/files/hash-all-files.bro



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-008#64003)
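The question in this thread is whether a hash in files.log can be trusted when the transfer was cut off (no FIN/RST, fewer bytes than Content-Length) or had packets missing. Bro's files.log already carries the fields needed to answer that per file: seen_bytes (bytes the analyzer actually saw), total_bytes (the announced size, populated from Content-Length for HTTP bodies where known) and missing_bytes (bytes skipped over a reassembly gap). The script below is an added example, not code from the thread or from Bro: it parses the tab-separated files.log format (the #separator/#fields/#unset_field header lines) and classifies each md5 as complete, truncated (seen_bytes < total_bytes with no gap, the case Jimmy describes), gap (a hash emitted despite missing_bytes > 0, the case in the issue title), unknown_length (no Content-Length, so truncation cannot be detected from the log) or no_hash. The sample log is constructed and carries only the columns the check needs; a real files.log has more.

```python
"""Classify files.log hashes by whether the underlying transfer was complete.

Added example for this thread, not code from Bro/Zeek itself. It parses the
tab-separated files.log format and uses three Files::Info fields
(seen_bytes, total_bytes, missing_bytes) to decide whether an md5 in the
log was computed over every byte of the file.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in files.log layout (subset of the real columns).
# Row 1 mirrors the thread: 1000 bytes announced, stream stops after 640,
# no reassembly gap. Row 3 is a hash emitted despite a 100-byte gap.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\tsource\tseen_bytes\ttotal_bytes\tmissing_bytes\tmd5\n"
    "#types\ttime\tstring\tstring\tcount\tcount\tcount\tstring\n"
    "1411066087.000000\tFaaaaa1\tHTTP\t640\t1000\t0\td41d8cd98f00b204e9800998ecf8427e\n"
    "1411066088.000000\tFbbbbb2\tHTTP\t1000\t1000\t0\t9e107d9d372bb6826bd81d3542a419d6\n"
    "1411066089.000000\tFccccc3\tHTTP\t900\t1000\t100\te4d909c290d0fb1ca068ffaddf22cbd0\n"
    "1411066090.000000\tFddddd4\tHTTP\t512\t-\t0\t0cc175b9c0f1b6a831c399e269772661\n"
    "1411066091.000000\tFeeeee5\tHTTP\t300\t1000\t700\t-\n"
    "#close\t2014-09-18-12-06-07\n"
)


def parse_bro_log(text: str) -> list[dict[str, str | None]]:
    """Parse a Bro ASCII log into rows; unset fields ('-') become None."""
    sep = "\t"
    unset = "-"
    fields: list[str] | None = None
    rows: list[dict[str, str | None]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written escaped, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "unset_field":
                unset = rest
            elif key == "fields":
                fields = rest.split(sep)
            continue  # #types, #path, #close and friends are not data
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


@dataclass(frozen=True)
class HashVerdict:
    fuid: str
    md5: str | None
    status: str  # complete | truncated | gap | unknown_length | no_hash


def _count(value: str | None) -> int | None:
    return None if value is None else int(value)


def assess(row: dict[str, str | None]) -> HashVerdict:
    """Decide whether the md5 in one files.log row covers the whole file."""
    md5 = row.get("md5")
    seen = _count(row.get("seen_bytes")) or 0
    missing = _count(row.get("missing_bytes")) or 0
    total = _count(row.get("total_bytes"))
    if md5 is None:
        status = "no_hash"
    elif missing > 0:
        status = "gap"            # hash emitted over data with a hole in it
    elif total is None:
        status = "unknown_length"  # nothing to compare seen_bytes against
    elif seen < total:
        status = "truncated"       # cut-off stream, no gap: the thread's case
    else:
        status = "complete"
    return HashVerdict(str(row["fuid"]), md5, status)


def assess_log(text: str) -> list[HashVerdict]:
    return [assess(r) for r in parse_bro_log(text)]


def trusted_hashes(text: str) -> dict[str, str]:
    """Only hashes computed over every announced byte, keyed by fuid."""
    return {v.fuid: v.md5 for v in assess_log(text) if v.status == "complete" and v.md5}


if __name__ == "__main__":
    for verdict in assess_log(SAMPLE_FILES_LOG):
        print(f"{verdict.fuid}\t{verdict.status}\t{verdict.md5}")
```

Run against a real files.log by passing its contents to assess_log. The point of the four non-complete statuses is that a hash alone says nothing about completeness: before comparing an md5 from files.log against an intel feed or a sandbox verdict, require status complete, and treat unknown_length as unverifiable rather than as good.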