We were researching an issue where we have multiple SMTP messages in the same uid (normal), but where every message has the same trans_depth… When the pcap is run against Bro manually, we get the correct number of trans_depth values. Packet loss on the systems is very low (below .5%), so I can’t exactly chalk it up to traffic issues.
Anyone have any experience with this, or might have some insight as to why trans_depth isn’t being incremented in these messages?
Are these all on the same TCP connection? (the uid field). You could just be seeing the message flow over multiple connections as it's passed around from mail server to mail server. The trans_depth only refers to the depth of messages passed between hosts within a single TCP connection since many message transfers can be pipelined within a TCP connection.
I agree that this is unlikely to be a side effect of packet loss.
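Added example (my own code, not from the thread or the Bro project): a simplified Python model of the trans_depth semantics described above, replaying the client side of one TCP connection with a constructed two-message session, plus a check that flags uids in smtp.log-style records where several records share the same trans_depth, which is the symptom reported. Assumed: a new transaction starts at each MAIL FROM and consumes the next depth value, even if RSET later abandons it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

def assign_trans_depth(client_lines: List[str]) -> List[Tuple[int, str]]:
    """Replay the client side of one SMTP connection; return (depth, sender)
    for every message whose DATA phase completed with a lone '.' line."""
    depth, in_data, sender, done = 0, False, None, []
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:                      # inside a body: only a bare '.' ends it
            if line == ".":
                in_data = False
                done.append((depth, sender))
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "MAIL":               # MAIL FROM:<...> opens a new transaction
            depth += 1                   # assumption: depth advances per MAIL FROM
            m = re.search(r"<([^>]*)>", line)
            sender = m.group(1) if m else ""
        elif verb == "DATA":
            in_data = True
        elif verb == "RSET":             # transaction abandoned; depth stays consumed
            sender = None
    return done

def duplicate_depths(records: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Return uids having more than one record at the same trans_depth."""
    seen = defaultdict(lambda: defaultdict(int))
    for r in records:
        seen[r["uid"]][int(r["trans_depth"])] += 1
    return {uid: sorted(d for d, n in depths.items() if n > 1)
            for uid, depths in seen.items()
            if any(n > 1 for n in depths.values())}

# Constructed sample: two messages pipelined on a single connection.
SAMPLE_CLIENT = [
    "EHLO mta.example.test", "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>", "DATA", "Subject: one", "", "hi", ".",
    "MAIL FROM:<carol@example.test>", "RCPT TO:<bob@example.test>",
    "DATA", "Subject: two", "", ". not a terminator", "bye", ".", "QUIT",
]
# Constructed smtp.log-style rows showing the reported symptom for uid C1.
SAMPLE_LOG = [{"uid": "C1", "trans_depth": 1}, {"uid": "C1", "trans_depth": 1},
              {"uid": "C2", "trans_depth": 1}, {"uid": "C2", "trans_depth": 2}]

if __name__ == "__main__":
    print(assign_trans_depth(SAMPLE_CLIENT))
    print(duplicate_depths(SAMPLE_LOG))
```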
Yep, these are all on the same connection, which is why we are interested in tracking this.