on some peculiar alarms

Anton_Chuvakin_Ph.D · September 25, 2003, 10:22pm

All,

Since this list is the only forum on Bro, I will shoot my question here
(even not being sure whether its appropriate)

I keep seing this alert - ContentGap - in HTTP and SMTP traffic. What does
it actually mean? I suspect reading the *.cc files is the only way to
really know it, but maybe somebody can explain it?

On anothet note, there seems to be a minor bug in dropped packet counting.
Here is what I got today:

1064520794.493349 DroppedPackets dropped 633 packets out of -692 received

Best,

Ruoming_Pang · September 26, 2003, 12:15am

A content gap means some packets are not captured by PCAP and thus some
bytes are missing from the reassembled TCP flow. (The basic way to detect
a content gap is when some bytes are not seen being sent but acknowledged
by the received.) Event content_gap is invoked.

If packet drops are not a concern for you, you can comment out the
content_gap event in weird.bro.

-Ruoming

Topic		Replies	Views
on some peculiar alarms Zeek	1	65	May 6, 2022
Notice.log Zeek	3	85	May 6, 2022
missed bytes without gaps Zeek	3	189	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	2	100	May 6, 2022
[Bro-Commits] [git/bro] topic/jsiwek/bit-1246: Fix issue w/ TCP reassembler not delivering some segments. (f1cef9d) Development development	3	73	May 6, 2022

on some peculiar alarms

Related Topics