[Bro] possible bug with smtp analyzer/trans_depth issue

Seth Hall seth at icir.org
Wed Oct 12 08:20:38 PDT 2016


> On Oct 11, 2016, at 12:40 PM, erik clark <philosnef at gmail.com> wrote:
> 
> We were researching into an issue where we have multiple smtp messages in the same uid (normal), but where every message has the same trans_depth... When the pcap is run against bro manually, we get the correct number of trans_depth values. Packet loss on the systems is very low (below .5%), so I can't exactly chalk it up to traffic issues.

Are these all on the same TCP connection? (the uid field).  You could just be seeing the message flow over multiple connections as it's passed around from mail server to mail server.  The trans_depth only refers to the depth of messages passed between hosts within a single TCP connection since many message transfers can be pipelined within a TCP connection.

I agree that this is unlikely to be a side effect of packet loss.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
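The reply above draws the distinction that matters for the original question: `uid` identifies one TCP connection, and `trans_depth` counts the messages pipelined within that connection, so within a single `uid` the values should climb 1, 2, 3, ... while the same message relayed over several connections legitimately repeats depth 1 under different uids. The following added Python script (written for this page, not Bro project code) runs that check over a few constructed, simplified smtp.log lines: it groups records by `uid` and reports connections whose `trans_depth` never increments across multiple messages (the symptom described in the thread) separately from connections whose depth sequence has gaps. The column subset and the sample values are assumptions; a real smtp.log has more fields and a `#fields` header, so the column list would need to be taken from that header.

```python
"""Check smtp.log-style records for the trans_depth anomaly discussed above.

Constructed sample data and a reduced column set are used here so the script
runs offline; real Bro smtp.log files carry more columns and a #fields header.
"""
from collections import defaultdict

# Constructed, simplified smtp.log lines (tab-separated), not a real capture.
# Columns: ts, uid, id.orig_h, id.resp_h, trans_depth, mailfrom, rcptto
SAMPLE_SMTP_LOG = """\
1476200000.000001\tCabc1\t10.0.0.5\t10.0.0.25\t1\talice@example.test\tbob@example.test
1476200000.500001\tCabc1\t10.0.0.5\t10.0.0.25\t2\talice@example.test\tcarol@example.test
1476200001.000001\tCabc1\t10.0.0.5\t10.0.0.25\t3\talice@example.test\tdave@example.test
1476200002.000001\tCdef2\t10.0.0.6\t10.0.0.25\t1\tx@example.test\ty@example.test
1476200002.300001\tCdef2\t10.0.0.6\t10.0.0.25\t1\tx@example.test\tz@example.test
1476200002.600001\tCdef2\t10.0.0.6\t10.0.0.25\t1\tx@example.test\tw@example.test
1476200003.000001\tCghi3\t10.0.0.7\t10.0.0.25\t1\tp@example.test\tq@example.test
1476200004.000001\tCjkl4\t10.0.0.8\t10.0.0.25\t1\tm@example.test\tn@example.test
1476200004.400001\tCjkl4\t10.0.0.8\t10.0.0.25\t3\tm@example.test\to@example.test
"""

# Assumed column layout for the constructed sample above.
FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "trans_depth", "mailfrom", "rcptto"]


def parse_smtp_log(text):
    """Parse tab-separated lines into dicts; comment lines and short rows are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed row: ignore rather than guess at columns
        rec = dict(zip(FIELDS, parts))
        rec["trans_depth"] = int(rec["trans_depth"])
        records.append(rec)
    return records


def depth_sequences(records):
    """Return {uid: [trans_depth, ...]} with each connection's messages in time order."""
    by_uid = defaultdict(list)
    for rec in sorted(records, key=lambda r: float(r["ts"])):
        by_uid[rec["uid"]].append(rec["trans_depth"])
    return dict(by_uid)


def find_flat_depth_uids(records):
    """Connections with several messages whose trans_depth never changes.

    This is the pattern from the original question: multiple messages under one
    uid all reporting the same depth, which should not happen for pipelined
    transfers on a single TCP connection.
    """
    flat = []
    for uid, depths in depth_sequences(records).items():
        if len(depths) > 1 and len(set(depths)) == 1:
            flat.append(uid)
    return sorted(flat)


def find_gapped_depth_uids(records):
    """Connections whose depth sequence is not exactly 1..N in order.

    A gap (e.g. 1 then 3) points at a message the analyzer saw but did not log,
    or at records dropped between capture and log; a flat sequence is reported
    here too, since it is also not 1..N.
    """
    gapped = []
    for uid, depths in depth_sequences(records).items():
        if depths != list(range(1, len(depths) + 1)):
            gapped.append(uid)
    return sorted(gapped)


if __name__ == "__main__":
    recs = parse_smtp_log(SAMPLE_SMTP_LOG)
    for uid, depths in depth_sequences(recs).items():
        print(f"{uid}: trans_depth sequence {depths}")
    print("flat depth (same value repeated):", find_flat_depth_uids(recs))
    print("non-consecutive depth sequence:", find_gapped_depth_uids(recs))
```

Running this on the constructed sample reports `Cdef2` as the flat case and both `Cdef2` and `Cjkl4` as non-consecutive, while `Cabc1` (1, 2, 3) and the single-message `Cghi3` pass. Against a real smtp.log the useful follow-up is the one suggested in the reply: confirm that the affected records really share one `uid` before treating the repeated depth as an analyzer bug rather than the same message crossing several connections.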