[Bro] successful_RPC_reply_to_invalid_request and ContentGap

Ruoming Pang rpang at cs.princeton.edu
Mon Aug 29 11:47:42 PDT 2005


> Hi everyone,
>   I used Bro to read a trace file that was captured from a local
> network. In Bro's log files, the majority of log records are about
> successful_RPC_reply_to_invalid_request and ContentGap. What
> situations can cause these two alerts?

"successful_RPC_reply_to_invalid_request" is a deficiency to be fixed. 
Bro marks RPC requests that it does not understand as "invalid", and it 
gets bewildered when it sees the RPC server understands the requests. 
Please ignore this for now.

"ContentGap" is reported when a TCP segment is not seen but ACK'ed. 
There can be two cases: (1) most likely, some packets are not captured 
in the trace file; (2) packets are captured on two interfaces and 
occasionally get out of order such that some ACKs appear before the 
corresponding segments. There's little Bro can do with (1), but for (2), 
Bro can reorder the packets in a small window by TCP sequence number 
instead of timestamps (redef packet_sort_window = 1 sec).

I hope it helps.

Ruoming
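To make the two ContentGap cases in the reply above concrete, here is an added example in Python. It is my code, not Bro's and not from this thread: it replays two constructed traces through a simplified version of the check the reply describes (a peer ACKs bytes the monitor never saw) and then through a rough approximation of what packet_sort_window does. The Pkt record, the relative sequence numbers starting at 1 on both sides, and the release rule in reorder_by_sequence are assumptions for illustration, not Bro's implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(eq=False)  # identity-based equality: each captured packet is its own object
class Pkt:
    ts: float      # capture timestamp in seconds
    src: str       # sending endpoint, 'A' or 'B'
    seq: int       # relative TCP sequence number of the first payload byte
    payload: int   # payload length in bytes (0 for a pure ACK)
    ack: int       # relative acknowledgement number carried by the segment


def peer(side: str) -> str:
    return 'B' if side == 'A' else 'A'


def find_content_gaps(pkts: List[Pkt]) -> List[Tuple[str, int, int]]:
    """Replay packets in the given order and report (sender, from, to) byte
    ranges that the receiver acknowledged but the monitor never saw: the
    situation that produces a ContentGap. Simplified reassembly: relative
    sequence numbers start at 1 on both sides (i.e. just after the SYN)."""
    seen_end: Dict[str, int] = {'A': 1, 'B': 1}   # next payload byte expected per sender
    gaps: List[Tuple[str, int, int]] = []
    for p in pkts:
        if p.payload:
            seen_end[p.src] = max(seen_end[p.src], p.seq + p.payload)
        other = peer(p.src)
        if p.ack > seen_end[other]:
            # the ACK covers bytes of `other` that never passed the monitor
            gaps.append((other, seen_end[other], p.ack))
            seen_end[other] = p.ack   # report each gap once
    return gaps


def acknowledges(p: Pkt, q: Pkt) -> bool:
    """True if segment p ACKs at least one payload byte of segment q, so q has
    to precede p for the byte stream to make sense."""
    return q.payload > 0 and q.src != p.src and p.ack > q.seq


def reorder_by_sequence(pkts: List[Pkt], window: float) -> List[Pkt]:
    """Approximation (my assumption, not Bro's code) of a packet_sort_window:
    packets are held for up to `window` seconds; when one is released, any
    still-buffered segment it acknowledges is released ahead of it, so an ACK
    stamped early on a second capture interface cannot overtake the data it
    covers. Packets further apart than `window` are never reordered."""
    buf: List[Pkt] = []
    out: List[Pkt] = []

    def release(p: Pkt) -> None:
        buf.remove(p)                      # removed first, so a cycle cannot recurse
        for q in list(buf):
            if q in buf and acknowledges(p, q):
                release(q)
        out.append(p)

    for p in sorted(pkts, key=lambda x: x.ts):
        while buf and buf[0].ts + window < p.ts:   # expire old packets before buffering p
            release(buf[0])
        buf.append(p)
    while buf:
        release(buf[0])
    return out


# Constructed traces (not captured data); both start just after the handshake.
# 1) True loss: A's second segment never reached the monitor.
TRACE_LOSS = [
    Pkt(0.000, 'A', 1, 100, 1),
    Pkt(0.010, 'B', 1, 0, 101),
    # A seq=101 len=100 went on the wire around t=0.020 but is absent from the trace
    Pkt(0.030, 'B', 1, 0, 201),
]
# 2) Two-interface capture: B's ACK carries a timestamp 2 ms earlier than the
#    segment it acknowledges, because the two interfaces were merged by time.
TRACE_SKEW = [
    Pkt(0.000, 'A', 1, 100, 1),
    Pkt(0.010, 'B', 1, 0, 101),
    Pkt(0.020, 'B', 1, 0, 201),
    Pkt(0.022, 'A', 101, 100, 1),
]

if __name__ == "__main__":
    for name, trace in (("loss", TRACE_LOSS), ("skew", TRACE_SKEW)):
        print(name, "as captured:   ", find_content_gaps(trace))
        print(name, "window = 1 sec:", find_content_gaps(reorder_by_sequence(trace, 1.0)))
```

Running it shows the distinction the reply draws: the loss trace reports a gap for A's bytes 101..201 no matter how large the window, since the segment is simply not there, while the skew trace's gap disappears with a 1 second window but persists with a window shorter than the 2 ms timestamp skew between the interfaces, which is why the chosen window has to cover the timing difference between the two captures.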