I have been noticing that sometimes the daily report Byte Transfer Pair
information in the Local bytes and Remote Bytes values can be off by a
very large factor from the actual traffic size.
Is this caused by the traffic estimation algorithm, and what factors could
contribute to that larger size? The transfers in question were some HTTP
traffic that didn't get to be above 100 K in size, and Bro reported it as
being 1815 M.
This is using the current Bro 1.x branch code.
Thanks for any input you folks can provide.
Randy