on some peculiar alarms

Since this list is the only forum on Bro

Actually, it's not, there's also bro-devel@lbl.gov, for discussion of new
Bro releases and Bro development issues, though I don't seem to be able
to get folks to use it.

I will shoot my question here
(even not being sure whether it's appropriate) :)

(it strikes me as appropriate here)

I keep seeing this alert - ContentGap - in HTTP and SMTP traffic. What does
it actually mean?

One addition to Ruoming's reply: you will also get this running off-line
on trace files that are missing some of the connection packets due to
them being omitted when the trace was originally recorded (for example,
due to calls to set_record_packets()).

On another note, there seems to be a minor bug in dropped packet counting.
Here is what I got today:

1064520794.493349 DroppedPackets dropped 633 packets out of -692 received

Here Bro is only reporting what libpcap passes along to it. So this likely
reflects a deficiency/inconsistency in how the kernel reports the number
of received packets to libpcap. What OS are you running under?
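
To make the ContentGap case discussed above concrete, here is an added example (not part of the original messages and not Bro's reassembler code) that lists the byte ranges missing from one direction of a TCP stream when a trace omits some of the connection's packets. The function name and the segment values are constructed for illustration, and it assumes a stream shorter than 4 GiB.

```python
# Added illustration, not Bro's implementation. All values are constructed.
SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def find_content_gaps(isn, segments):
    """Return (gaps, bytes_seen) for one direction of a TCP connection.

    isn      -- initial sequence number taken from the SYN
    segments -- iterable of (seq, payload_len) as recorded in the trace
    gaps     -- list of (stream_offset, length) byte ranges never observed
    """
    # Convert sequence numbers to offsets from the first payload byte
    # (isn + 1). Modular arithmetic keeps this correct across wraparound.
    spans = sorted(((seq - isn - 1) % SEQ_MOD, n) for seq, n in segments if n > 0)
    gaps, next_expected, seen = [], 0, 0
    for start, length in spans:
        end = start + length
        if start > next_expected:
            # Bytes between the contiguous data so far and this segment
            # were never recorded: this is the content gap.
            gaps.append((next_expected, start - next_expected))
        if end > next_expected:
            # Count only new bytes, so retransmissions and overlaps
            # are not double counted.
            seen += end - max(start, next_expected)
            next_expected = end
    return gaps, seen


# Constructed trace: ISN close to the 32-bit wrap, segments out of order,
# one retransmission, and the 100-byte segment at seq 0 not recorded.
SAMPLE_ISN = 4294967000
SAMPLE_SEGMENTS = [
    (100, 50),          # arrives early; follows the unrecorded segment
    (4294967001, 200),  # first payload bytes
    (4294967201, 95),   # ends exactly at the wrap point
    (4294967201, 95),   # retransmission of the previous segment
]

if __name__ == "__main__":
    gaps, seen = find_content_gaps(SAMPLE_ISN, SAMPLE_SEGMENTS)
    for offset, length in gaps:
        print(f"content gap: {length} bytes missing at stream offset {offset}")
    print(f"{seen} payload bytes observed")
```

A gap after the last recorded segment cannot be detected from payload segments alone, since nothing in them marks where the stream was supposed to end.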