Content gap breaks application layer analysis

Hi,

I’m using Bro, which listens on a NIC connected to a mirror port on a switch, to dump HTTP request/response and SMTP email for further analysis. The packets received from the mirror port are massively disordered (unseen ACKed in Wireshark). I saw a lot of content gap events, which skip the following packets received. A lot of incomplete HTTP/SMTP logs exist, which means a high packet loss rate from the application layer’s perspective. Is there any workaround/solution to have bi-directional reassembly in this case?

Hi,

Bro does not deal well with disordered packets. There currently is no
workaround for that.

Johanna