Notice.log

Hey all

I came across this log recently; it is from notice.log. I'm wondering what is actually indicated by "content gap". Checking the mailing list, I found Vern talked about it when someone mentioned packet drops. I would like to know what Content Gap means and the rate (> 1/175) or (> 1/1400).

1158285796.903890:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:59537/tcp:2.3.4.5:80/tcp::::::1.2.3.4/59537 > 2.3.4.5/http content gap (> 1/175)::@21
1158285796.976927:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:8286/tcp:3.4.5.6:1983/tcp::::::1.2.3.4/8286 > 3.4.5.6/1983 content gap (> 1/1400)::@22

Thanks.

> I'm wondering what
> is actually indicated by content gap

A content gap occurs when Bro's TCP stream reassembler frees up memory
allocated to previous TCP segments and some of those segments were never
delivered (i.e., were never in-sequence). It generally indicates the
presence of measurement drops (similar to ack_above_hole), though can
also occur when running on traces that have been filtered.

> I would like to
> know what Content Gap means and the rate (> 1/175) or (> 1/1400).

It's not a rate but rather a range of sequence numbers, so in the
second case, it ranges for 1400 bytes starting at sequence #1 to.

    Vern
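The two notice.log lines from the thread, parsed the way Vern reads them (an added example, not code from Bro or from anyone in this thread): the colon-separated field layout is an assumption inferred from the two sample lines, and the "(> start/length)" pair is treated as a missing sequence-number range rather than a rate. Summing missing bytes per source host gives a quick indication of where capture drops are concentrated.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two ContentGap lines quoted in the thread.
SAMPLE_LOG = """\
1158285796.903890:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:59537/tcp:2.3.4.5:80/tcp::::::1.2.3.4/59537 > 2.3.4.5/http content gap (> 1/175)::@21
1158285796.976927:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:8286/tcp:3.4.5.6:1983/tcp::::::1.2.3.4/8286 > 3.4.5.6/1983 content gap (> 1/1400)::@22
"""

# "(> start/length)": a range of sequence numbers, not a rate.
GAP_RE = re.compile(r"content gap \(> (\d+)/(\d+)\)")

@dataclass
class ContentGap:
    ts: float
    src: str        # "ip/port"
    dst: str        # "ip/port"
    seq_start: int  # first missing (relative) sequence number
    length: int     # bytes that were never delivered in-sequence

    @property
    def seq_end(self) -> int:
        # exclusive end of the missing range
        return self.seq_start + self.length

def parse_notice_line(line: str):
    """Parse one colon-separated notice.log line; None unless it is a ContentGap."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8 or fields[1] != "ContentGap":
        return None
    m = GAP_RE.search(line)
    if not m:
        return None
    # Assumed layout (from the samples): 0 ts, 1 note, 2 action, 4 src ip, 5 src port/proto, 6 dst ip, 7 dst port/proto
    src = f"{fields[4]}/{fields[5].split('/')[0]}"
    dst = f"{fields[6]}/{fields[7].split('/')[0]}"
    return ContentGap(float(fields[0]), src, dst, int(m.group(1)), int(m.group(2)))

def parse_notice_log(text: str) -> list:
    gaps = [parse_notice_line(l) for l in text.splitlines() if l.strip()]
    return [g for g in gaps if g is not None]

def gap_bytes_by_src_host(gaps: list) -> dict:
    # Total missing bytes per source host: where the capture is losing segments.
    totals: dict = {}
    for g in gaps:
        host = g.src.split("/")[0]
        totals[host] = totals.get(host, 0) + g.length
    return totals
```

Running `parse_notice_log(SAMPLE_LOG)` yields two records, the second covering relative sequence numbers 1 through 1400 of the 1.2.3.4 to 3.4.5.6 connection.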

Vern,

Thanks for the explanation.