I came across this log recently; it is from notice.log. I'm wondering what is actually indicated by "content gap". Checking the mailing list, I found Vern talked about it when someone mentioned packet drops. I would like to know what Content Gap means and what the rate (> 1/175) or (> 1/1400) is.
1158285796.903890:ContentGap:NOTICE_ALARM_ALWAYS::18.104.22.168:59537/tcp:22.214.171.124:80/tcp::::::126.96.36.199/59537 > 188.8.131.52/http content gap (> 1/175)::@21
1158285796.976927:ContentGap:NOTICE_ALARM_ALWAYS::184.108.40.206:8286/tcp:220.127.116.11:1983/tcp::::::18.104.22.168/8286 > 22.214.171.124/1983 content gap (> 1/1400)::@22
> I'm wondering what
> is actually indicated by content gap
A content gap occurs when Bro's TCP stream reassembler frees up memory
allocated to previous TCP segments and some of those segments were never
delivered (i.e., were never in-sequence). It generally indicates the
presence of measurement drops (similar to ack_above_hole), though can
also occur when running on traces that have been filtered.
> I would like to
> know what Content Gap means and the rate (> 1/175) or (> 1/1400).
It's not a rate but rather a range of sequence numbers, so in the
second case, it ranges for 1400 bytes starting at sequence #1 to.
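As an added illustration (not Bro's code, and not part of the thread), here is a toy Python model of a TCP reassembler that shows when a content gap gets reported and what the start/length pair in the notice denotes. The stream, the flush point and the "(> start/length)" rendering are constructed assumptions following Vern's reading above.

```python
"""Toy model of a TCP reassembler that reports content gaps (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class ReassemblerModel:
    """One direction of a TCP connection; sequence numbers are relative (first data byte is 1)."""
    delivered_upto: int = 1                                       # next in-sequence byte expected
    pending: List[Tuple[int, int]] = field(default_factory=list)  # buffered out-of-order (start, end)
    gaps: List[Tuple[int, int]] = field(default_factory=list)     # reported (start, length)

    def add_segment(self, seq: int, length: int) -> None:
        end = seq + length
        if end <= self.delivered_upto:
            return  # retransmission of data already delivered
        self.pending.append((max(seq, self.delivered_upto), end))
        self._drain()

    def _drain(self) -> None:
        # deliver whatever is now contiguous with the in-sequence point
        self.pending.sort()
        while self.pending and self.pending[0][0] <= self.delivered_upto:
            _, end = self.pending.pop(0)
            self.delivered_upto = max(self.delivered_upto, end)

    def flush_to(self, seq: int) -> List[Tuple[int, int]]:
        """Free everything below seq (ACKed, or memory reclaimed); never-seen bytes become gaps."""
        new_gaps: List[Tuple[int, int]] = []
        cursor = self.delivered_upto
        for start, end in self.pending:
            if start >= seq:
                break
            if start > cursor:                 # hole in front of this buffered chunk
                new_gaps.append((cursor, start - cursor))
            cursor = max(cursor, end)
        if cursor < seq:                       # hole reaching up to the flush point
            new_gaps.append((cursor, seq - cursor))
        self.delivered_upto = max(self.delivered_upto, seq)
        self.pending = [(max(s, seq), e) for s, e in self.pending if e > seq]
        self._drain()
        self.gaps.extend(new_gaps)
        return new_gaps

def example_stream() -> List[str]:
    """Constructed scenario: the monitor missed the first 1400 bytes; later data arrived."""
    r = ReassemblerModel()
    r.add_segment(1401, 1400)    # out of order: bytes 1..1400 were never captured
    r.add_segment(2801, 500)
    r.flush_to(2801)             # reassembler releases memory below relative seq 2801
    # notice text modelled on the thread's reading: start/length (assumed format)
    return ["content gap (> %d/%d)" % g for g in r.gaps]
```

A gap reported this way points at measurement loss between the monitor and the wire (or a filtered trace), not at loss seen by the endpoints themselves.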
Thanks for the explanation.