[Bro] content gaps (Re: Notice.log)
CS Lee
geek00l at gmail.com
Fri Dec 15 11:37:54 PST 2006
Vern,
Thanks for the explanation.
On 12/13/06, Vern Paxson <vern at icir.org> wrote:
>
> > I'm wondering what
> > is actually indicated by content gap
>
> A content gap occurs when Bro's TCP stream reassembler frees up memory
> allocated to previous TCP segments and some of those segments were never
> delivered (i.e., were never in-sequence). It generally indicates the
> presence of measurement drops (similar to ack_above_hole), though can
> also occur when running on traces that have been filtered.
>
> > I would like to
> > know what Content Gap means and the rate (> 1/175) or (> 1/1400).
>
> It's not a rate but rather a range of sequence numbers, so in the
> second case, it ranges for 1400 bytes starting at sequence #1 to.
>
> Vern
>
--
Best Regards,
CS Lee<geekooL[at]gmail.com>
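
The behaviour Vern describes, as an added example that is not part of the original thread and is not Bro's code: a simplified reassembler that reports a content gap as a (starting sequence number, length) range when it frees buffered data that was never in-sequence. The `Reassembler` class, its `release()` trigger and the sample segments are assumptions made for illustration; sequence numbers are relative and never wrap.

```python
# Simplified model of a TCP stream reassembler (illustrative, not Bro's code).
class Reassembler:
    def __init__(self, first_seq=1):
        self.next_seq = first_seq     # next in-sequence byte expected
        self.pending = {}             # seq -> payload buffered out of order
        self.delivered = bytearray()  # bytes handed on in sequence
        self.gaps = []                # (start_seq, length) never delivered

    def segment(self, seq, data):
        """Buffer one segment, then deliver whatever is now in sequence."""
        if len(data) > len(self.pending.get(seq, b"")):
            self.pending[seq] = data
        self._drain()

    def _drain(self):
        for seq in sorted(self.pending):
            if seq > self.next_seq:
                break                 # hole in front of this segment
            data = self.pending.pop(seq)
            skip = self.next_seq - seq  # bytes already delivered (overlap)
            if skip < len(data):
                self.delivered += data[skip:]
                self.next_seq = seq + len(data)

    def release(self, up_to_seq):
        """Free everything below up_to_seq. Bytes in that range that were
        never in-sequence are recorded as one content gap."""
        gap = None
        if up_to_seq > self.next_seq:
            gap = (self.next_seq, up_to_seq - self.next_seq)
            self.gaps.append(gap)
            self.next_seq = up_to_seq  # skip over the hole
        self._drain()                  # later data is now in sequence
        return gap

def demo():
    # Constructed input: the monitor never saw the first 1400 bytes
    # (sequence 1..1400), only the two segments that follow them.
    r = Reassembler(first_seq=1)
    r.segment(1401, b"B" * 100)
    r.segment(1501, b"C" * 50)
    stalled = len(r.delivered) == 0    # nothing deliverable behind the hole
    gap = r.release(1401)              # buffer freed up to the hole's end
    return stalled, gap, bytes(r.delivered)

if __name__ == "__main__":
    print(demo()[:2])
```

The gap returned for the constructed input reads the same way as the `1/1400` in the notice: 1400 bytes starting at sequence number 1, not a rate.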