[Bro] possible bug with smtp analyzer/trans_depth issue
philosnef at gmail.com
Wed Oct 12 08:22:53 PDT 2016
Yep, these are all on the same connection, which is why we are interested
in tracking this. :)
On Wed, Oct 12, 2016 at 11:20 AM, Seth Hall <seth at icir.org> wrote:
> > On Oct 11, 2016, at 12:40 PM, erik clark <philosnef at gmail.com> wrote:
> > We were researching into an issue where we have multiple smtp messages
> > in the same uid (normal), but where every message has the same
> > trans_depth... When the pcap is run against bro manually, we get the
> > correct number of trans_depth values. Packet loss on the systems is very
> > low (below .5%), so I can't exactly chalk it up to traffic issues.
> Are these all on the same TCP connection? (the uid field). You could just
> be seeing the message flow over multiple connections as it's passed around
> from mail server to mail server. The trans_depth only refers to the depth
> of messages passed between hosts within a single TCP connection since many
> message transfers can be pipelined within a TCP connection.
> I agree that this is unlikely to be a side effect of packet loss.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
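
Added example (not part of the original thread and not Bro project code): a check over a tab-separated smtp.log for the symptom discussed above, several messages on one uid logged with the same trans_depth. The sample log lines are constructed with a reduced field set, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample in Bro's tab-separated log layout (reduced field set).
SAMPLE_SMTP_LOG = "\n".join([
    "#separator \\x09",
    "#path\tsmtp",
    "#fields\tts\tuid\ttrans_depth\tmailfrom",
    "#types\ttime\tstring\tcount\tstring",
    # Pipelined messages on one connection: depth increments as expected.
    "1476285600.10\tCgoodPipe0001\t1\ta@example.com",
    "1476285601.20\tCgoodPipe0001\t2\tb@example.com",
    "1476285602.30\tCgoodPipe0001\t3\tc@example.com",
    # Symptom from the thread: same uid, every message at the same depth.
    "1476285610.10\tCstuckDepth002\t1\td@example.com",
    "1476285611.20\tCstuckDepth002\t1\te@example.com",
    "1476285612.30\tCstuckDepth002\t1\tf@example.com",
    # Single message on its own connection.
    "1476285620.10\tCsingle0000003\t1\tg@example.com",
])


def parse_bro_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))


def repeated_trans_depth(records):
    """Return {uid: {depth: count}} for depths logged more than once on a uid."""
    per_uid = defaultdict(Counter)
    for rec in records:
        depth = rec.get("trans_depth", "-")
        if depth == "-":  # "-" marks an unset field in Bro logs
            continue
        per_uid[rec["uid"]][int(depth)] += 1
    return {uid: {d: n for d, n in counts.items() if n > 1}
            for uid, counts in per_uid.items()
            if any(n > 1 for n in counts.values())}


if __name__ == "__main__":
    for uid, dups in repeated_trans_depth(parse_bro_log(SAMPLE_SMTP_LOG)).items():
        print(uid, dups)
```

Running the same check on the live sensor's smtp.log and on the log produced by replaying the pcap offline shows which uids differ between the two.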