on some peculiar alarms


Since this list is the only forum on Bro, I will shoot my question here
(even not being sure whether it's appropriate) :)

I keep seeing this alert - ContentGap - in HTTP and SMTP traffic. What does
it actually mean? I suspect reading the *.cc files is the only way to
really know it, but maybe somebody can explain it?

On another note, there seems to be a minor bug in dropped packet counting.
Here is what I got today:

1064520794.493349 DroppedPackets dropped 633 packets out of -692 received


A content gap means some packets are not captured by PCAP and thus some
bytes are missing from the reassembled TCP flow. (The basic way to detect
a content gap is when some bytes are not seen being sent but acknowledged
by the receiver.) Event content_gap is invoked.

If packet drops are not a concern for you, you can comment out the
content_gap event in weird.bro.
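To make the detection rule in the reply above concrete, here is an added example (not Bro's own reassembler code) that models it in a few dozen lines of Python: for each direction of a TCP connection it records the byte ranges actually captured, and when the peer acknowledges bytes beyond the contiguous data seen on the wire, those bytes were sent and received but never captured, which is exactly the condition reported as a ContentGap. The sequence numbers, ISNs and segment sizes are constructed for the demo; `isn` here is assumed to be the sequence number of the first payload byte (SYN seq + 1).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Direction:
    """Per-direction reassembly state for one TCP flow (toy model, not Bro's)."""
    isn: int  # assumed: sequence number of the first payload byte in this direction
    segments: List[Tuple[int, int]] = field(default_factory=list)  # captured (start, end) offsets
    gaps: List[Tuple[int, int]] = field(default_factory=list)      # detected (offset, length) gaps

    def contiguous_end(self) -> int:
        """Relative offset up to which every byte has actually been captured."""
        end = 0
        for start, stop in sorted(self.segments):
            if start > end:        # hole before this segment: stop here
                break
            end = max(end, stop)
        return end


class GapDetector:
    """Tracks both directions of a connection and flags missing bytes on ACK."""

    def __init__(self, orig_isn: int, resp_isn: int) -> None:
        self.dirs: Dict[str, Direction] = {
            "orig": Direction(orig_isn),
            "resp": Direction(resp_isn),
        }

    def data(self, sender: str, seq: int, payload_len: int) -> None:
        """Record a captured data segment sent by `sender` ("orig" or "resp")."""
        d = self.dirs[sender]
        start = (seq - d.isn) & 0xFFFFFFFF   # relative offset, tolerating 32-bit wrap
        d.segments.append((start, start + payload_len))

    def ack(self, sender: str, ack_num: int) -> Optional[Tuple[int, int]]:
        """Process an ACK from `sender`; returns (offset, length) if it exposes a gap."""
        peer = "resp" if sender == "orig" else "orig"   # the ACK covers the peer's data
        d = self.dirs[peer]
        acked = (ack_num - d.isn) & 0xFFFFFFFF          # next byte the sender expects
        seen = d.contiguous_end()
        if acked > seen:
            # Bytes [seen, acked) were delivered (the receiver acknowledged them)
            # but never appeared in the capture: a content gap.
            gap = (seen, acked - seen)
            d.gaps.append(gap)
            d.segments.append((seen, acked))   # account for it once, not on every later ACK
            return gap
        return None


def demo() -> List[Tuple[int, int]]:
    """Constructed scenario: client sends three segments, the capture misses the second."""
    det = GapDetector(orig_isn=1000, resp_isn=5000)
    det.data("orig", 1000, 100)   # offsets 0..99 captured
    # the segment at seq 1100 (100 bytes) is dropped by PCAP and never seen
    det.data("orig", 1200, 50)    # offsets 200..249 captured
    det.ack("resp", 1250)         # server acknowledges everything through offset 249
    return det.dirs["orig"].gaps  # expected: [(100, 150)]


if __name__ == "__main__":
    print(demo())
```

Out-of-order segments do not trigger a report, because the check is made against the acknowledged point rather than against arrival order; only data the receiver confirms but the sensor never saw counts. A steady stream of these alarms is therefore a capture-health signal (the analyzer has lost bytes it cannot inspect) rather than something to silence by reflex, which is why the reply frames commenting out the event as appropriate only when packet drops are not a concern.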