ContentGap problem in offline traces


I have an HTTP trace where I downloaded a 20 meg executable (no encoding).
The trace was created by tcpdump, not bro. It was suggested in the archives
that if one gets a lot of ContentGap errors when processing a trace off-line
it is likely because there are missing packets in the trace. I'm sure my
trace has all of the packets because if I run tcpflow on the trace and
remove all of the HTTP headers from the larger of the two resulting files, I
get a file that is the same size as the executable I downloaded.

When I process the trace offline with bro (I have a custom policy that
writes the HTTP data out using the http_entity_data event) I get a lot of
ContentGap errors. The size of the written file is smaller than the size of
the executable. When I add up all of the missing bytes reported by the many
ContentGap notices, the sum is exactly the difference between the size (in
bytes) of the executable and the size of the written file. Therefore, I
assume that Bro is not passing the "missing" data to the http_entity_data

When all of the packets are in the trace and my filter (according to
print-filter) is "tcp or icmp or udp", what else is a common cause of the
ContentGap notice? Is there some tweak that I need to make to account for
larger gaps/windows?

Eric Thomas
edthoma [you know what to do]
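An added example, not code from the original post or from the Bro project, of the kind of policy described above: it writes each HTTP reply body out through http_entity_data and, in the same run, tallies the bytes reported by the content_gap event, so the two totals can be compared with the size of the downloaded file. The output directory, the file-naming scheme and the module name are assumptions; the script is meant to be run offline with bro -r.

```bro
# Added example (not from the original post): reassemble HTTP reply bodies
# from http_entity_data and tally the bytes Bro reports missing via
# content_gap, so "bytes written + bytes in gaps" can be checked against
# the size of the downloaded executable.
# Assumed usage:  bro -r trace.pcap entity-dump.bro

module EntityDump;

export {
    ## Directory for the reassembled bodies (assumed to exist already).
    const out_dir = "./entities" &redef;
}

# One open output file per connection (reply direction only).
global bodies: table[conn_id] of file;

# Bytes handed to http_entity_data, per connection.
global body_bytes: table[conn_id] of count &default = 0;

# Bytes reported missing by content_gap, per connection.
global gap_bytes: table[conn_id] of count &default = 0;

# File name derived from the 4-tuple; naming scheme is an assumption.
function body_name(id: conn_id): string
    {
    return fmt("%s/%s.%d-%s.%d.body", out_dir,
               id$orig_h, port_to_count(id$orig_p),
               id$resp_h, port_to_count(id$resp_p));
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # The downloaded executable travels in the reply direction.
    if ( is_orig )
        return;

    if ( c$id !in bodies )
        bodies[c$id] = open(body_name(c$id));

    # write_file appends the raw bytes without adding a newline,
    # unlike print, so the output stays byte-for-byte identical.
    write_file(bodies[c$id], data);
    body_bytes[c$id] += length;
    }

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
    {
    # Raised when the TCP reassembler skips over a hole in the stream;
    # the bytes in that hole are never delivered to http_entity_data.
    if ( is_orig )
        return;

    gap_bytes[c$id] += length;
    print fmt("content_gap %s resp->orig seq=%d length=%d running_total=%d",
              id_string(c$id), seq, length, gap_bytes[c$id]);
    }

event connection_state_remove(c: connection)
    {
    if ( c$id !in bodies )
        return;

    close(bodies[c$id]);
    print fmt("%s: wrote %d body bytes, %d bytes in gaps, sum %d",
              id_string(c$id), body_bytes[c$id], gap_bytes[c$id],
              body_bytes[c$id] + gap_bytes[c$id]);
    delete bodies[c$id];
    }
```

The summary line printed at connection teardown is the check the post describes by hand: if the sum matches the executable's size, the gaps account for exactly the bytes that never reached http_entity_data. One caveat worth ruling out on a trace that tcpflow reassembles completely: Bro verifies TCP checksums by default and silently drops segments that fail, so a capture taken on a host with checksum offloading enabled contains every packet yet still produces content gaps; rerunning with bro -C (ignore checksums) shows whether that is the cause.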

Any chance you could send us the trace to have a look at?


I'll sync up with you off-line. Thanks!