[Bro] possible bug with smtp analyzer/trans_depth issue

erik clark philosnef at gmail.com
Tue Oct 11 09:40:58 PDT 2016

We were researching into an issue where we have multiple smtp messages in
the same uid (normal), but where every message has the same trans_depth...
When the pcap is run against bro manually, we get the correct number of
trans_depth values. Packet loss on the systems is very low (below .5%), so
I can't exactly chalk it up to traffic issues.

Anyone have any experience with this, or might have some insight as to why
trans_depth isn't being incremented in these messages?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161011/679b7d01/attachment.html 

More information about the Bro mailing list