> Since this list is the only forum on Bro
Actually, it's not, there's also bro-devel@lbl.gov, for discussion of new
Bro releases and Bro development issues, though I don't seem to be able
to get folks to use it.
> I will shoot my question here
> (even not being sure whether it's appropriate)
(it strikes me as appropriate here)
> I keep seeing this alert - ContentGap - in HTTP and SMTP traffic. What does
> it actually mean?
One addition to Ruoming's reply: you will also get this running off-line
on trace files that are missing some of the connection packets due to
them being omitted when the trace was originally recorded (for example,
due to calls to set_record_packets()).
> On another note, there seems to be a minor bug in dropped packet counting.
> Here is what I got today:
>
> 1064520794.493349 DroppedPackets dropped 633 packets out of -692 received
Here Bro is only reporting what libpcap passes along to it. So this likely
reflects a deficiency/inconsistency in how the kernel reports the number
of received packets to libpcap. What OS are you running under?
Vern
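An added example, not part of this thread or of Bro's own code: a small Python checker that parses DroppedPackets notice lines in the format quoted above and flags counter values that cannot be trusted (a negative count, or more dropped than received), so the analyst knows to look at what the platform's packet-capture statistics are reporting rather than at Bro's arithmetic. The sample lines are constructed for the example; the plausibility rules are my assumptions about what a consistent pair of counters should look like, not Bro's rules.

```python
import re

# Constructed sample notice lines in the format quoted in the thread.
# Only the first one is the real value from the thread; the rest are made up.
SAMPLE_NOTICES = [
    "1064520794.493349 DroppedPackets dropped 633 packets out of -692 received",
    "1064520800.000000 DroppedPackets dropped 12 packets out of 48000 received",
    "1064520810.000000 DroppedPackets dropped 900 packets out of 500 received",
    "1064520820.000000 SomeOtherNotice this line is ignored",
]

# Matches "<ts> DroppedPackets dropped <n> packets out of <m> received".
# Both counters are allowed to be negative so that bad values are parsed
# rather than silently skipped.
NOTICE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+DroppedPackets\s+dropped\s+(?P<dropped>-?\d+)\s+packets"
    r"\s+out\s+of\s+(?P<received>-?\d+)\s+received$"
)


def parse_dropped_packets(line):
    """Parse one notice line; return a dict or None if it is not a DroppedPackets line."""
    m = NOTICE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "dropped": int(m.group("dropped")),
        "received": int(m.group("received")),
    }


def check_counters(rec):
    """Return the list of reasons the counter pair looks inconsistent (empty if fine).

    Assumption (mine, not Bro's): a sane pair has both counters >= 0 and
    dropped <= received. Anything else points at the capture layer's
    statistics, which Bro passes through unchanged.
    """
    problems = []
    if rec["received"] < 0 or rec["dropped"] < 0:
        problems.append("negative counter")
    elif rec["dropped"] > rec["received"]:
        problems.append("dropped exceeds received")
    return problems


def drop_rate(rec):
    """Fraction of received packets that were dropped, or None if the counters are unusable."""
    if check_counters(rec) or rec["received"] == 0:
        return None
    return rec["dropped"] / rec["received"]


def triage(lines):
    """Classify every DroppedPackets line as 'ok' or 'suspect' with a short detail string."""
    results = []
    for line in lines:
        rec = parse_dropped_packets(line)
        if rec is None:
            continue
        problems = check_counters(rec)
        if problems:
            results.append((rec["ts"], "suspect", ", ".join(problems)))
        else:
            rate = drop_rate(rec)
            detail = "no packets received" if rate is None else f"drop rate {rate:.2%}"
            results.append((rec["ts"], "ok", detail))
    return results


if __name__ == "__main__":
    for ts, status, detail in triage(SAMPLE_NOTICES):
        print(f"{ts:.6f} {status}: {detail}")
```

Run it as a script and the line quoted in the thread is reported as suspect with "negative counter"; a clean line gets a drop rate, and a line with more drops than packets received is also marked suspect.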