[Bro] Content gap breaks application layer analysis

Johanna Amann johanna at icir.org
Tue Feb 14 13:17:19 PST 2017


Hi,

Bro does not deal well with disordered packets. There currently is no
workaround for that.

Johanna

On Mon, Feb 06, 2017 at 05:13:38PM +0800, duhang wrote:
> Hi,
> 
> I'm using Bro which listens to the nic card connects to a mirror port from
> a switch to dump http request/response and smtp email for further analysis.
> The packets that received from the mirror port are massively
> disordered(Unseen ACKed in wireshark). I saw a lot of content gap events
> which skips the following packets received. A lot of uncompleted http/smtp
> logs exist which relatively means high packet loss rate from appliance
> layer's perspective. Is there any workaround/solution to have
> bi-directional reassembly in this case?

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list