[ https://bro-tracker.atlassian.net/browse/BIT-1254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18105#comment-18105 ]

Jon Siwek commented on BIT-1254:
--------------------------------

If you mean missing content, then the idea was to abort the hashing for the 
file since it would be incorrect.  If you mean that you know some particular 
packets are missing (maybe because you manually modified the capture), then it 
depends on if the missing packets actually created gaps -- do you know if 
that's true?  Looking quickly in Wireshark: it also doesn't seem to report 
missing bytes in that stream, but does in the other two, so maybe the missing 
packets were duplicates or control packets?

> file analysis framework sometimes returns hashes despite missing packets
> ------------------------------------------------------------------------
>
>                 Key: BIT-1254
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1254
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: sample-3streams-hole.pcap
>
>
> Putting the attached sample (3 streams, each with missing packets) through the 
> file analysis framework, in files.log I see hashes for one stream but not 
> the other 2. Should I get any hashes if there are missing packets?
> bro -r sample-3streams-hole.pcap frameworks/files/hash-all-files.bro



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-008#64003)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
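
The question in this thread comes down to whether a hashed file actually had a content gap. The following is an added example, not code from the thread or from the Bro project: it reads a files.log in Bro's default tab-separated ASCII format and compares each record's `missing_bytes` counter with its hash columns. The sample rows are constructed for illustration and are not output from the attached pcap.

```python
# Added example: audit a Bro files.log for hashes recorded despite content gaps.
# Assumes the default ASCII writer (tab-separated, "#fields" header, "-" for unset).

HASH_FIELDS = ("md5", "sha1", "sha256")

# Constructed sample log; fuids, sizes and hash strings are made up.
SAMPLE_FILES_LOG = "\n".join("\t".join(row) for row in [
    ["#separator \\x09"],
    ["#unset_field", "-"],
    ["#fields", "fuid", "source", "seen_bytes", "missing_bytes", "md5", "sha1"],
    ["#types", "string", "string", "count", "count", "string", "string"],
    ["FEXAMPLE1", "HTTP", "4096", "0", "a" * 32, "b" * 40],
    ["FEXAMPLE2", "HTTP", "2636", "1460", "-", "-"],
    ["FEXAMPLE3", "HTTP", "2636", "1460", "c" * 32, "d" * 40],
])

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields, unset = [], "-"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def classify(record):
    """Relate the gap counter to the presence of any hash for one file."""
    missing = int(record.get("missing_bytes") or 0)
    hashed = any(record.get(h) for h in HASH_FIELDS)
    if missing > 0:
        # A hash over a file with a gap would not match the real content.
        return "hash-despite-gap" if hashed else "gap-no-hash"
    return "complete-hashed" if hashed else "complete-unhashed"

def audit(text):
    """Map each file's fuid to its classification."""
    return {rec["fuid"]: classify(rec) for rec in parse_bro_log(text)}

if __name__ == "__main__":
    for fuid, verdict in audit(SAMPLE_FILES_LOG).items():
        print(fuid, verdict)
```

A record classified `complete-hashed` means the framework saw no gap in that file, so lost packets in the capture did not remove file content; `hash-despite-gap` would be the behaviour the issue title describes.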
