about

[Ashley Thomas]

  You could also just watch the variable 'drop' returned by pcap_stats( 
) to see if there are drops.
pcap_stats is called by bro in the HeartBeat function, i guess.
This is *assuming* pcap is giving the drops value correctly. I remember, 
there was bug on some OSs.

-ashley

Vern Paxson wrote:

>>However, I am still can't understand why all the status of connection not 
>>from/to my host is "S0", which means "no answer", while my host's 
>>connections were all right.
>>    
>>
>
>That's very strange, unless in your setup Bro is massively dropping packets.
>So the next thing to do is use Bro's "-w tracefile" option to record the
>packets it's analyzing.  Next time you find an S0 FTP session which you're
>sure was successful, extract the corresponding packets from the trace.
>If there are just initial SYNs and nothing else, then Bro was correct, and
>you were mistaken regarding that particular session being successful.
>If on the other hand there's an initial SYN, no SYN-ACK, but a bunch of
>subsequent packets related to the connection, then Bro is dropping packets.
>I can help with this analysis (send me the trace off-line) if needed.
>
>		Vern
>

-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.