[Bro] Help with searching logs
Seth Hall
seth at icir.org
Wed Apr 3 18:12:16 PDT 2013
On Apr 3, 2013, at 4:47 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:
> Looks like resp_bytes is not being properly shown sometimes. Hmm, missed_bytes seems to be large here, too. Sigh - I still don't know what's going on. If missed_bytes is nonzero, the orig and resp bytes can't be trusted. More work and research.
�
The orig_bytes and resp_bytes fields can still be trusted even with missed_bytes being something greater than zero. Those two fields are calculated with TCP sequence number counting and so they can cope with packet loss.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list