[ 
https://bro-tracker.atlassian.net/browse/BIT-1254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18107#comment-18107
 ] 

Jimmy Jones commented on BIT-1254:
----------------------------------

Sorry, my bad, there aren't any missing packets in tcp.stream == 1 / tcp.port 
== 48049. It looks to me as if the stream is cut off (without RST or FIN), but 
has no missing packets up until that point. However there are not as many bytes 
as the Content-Length indicates, so it is definitely truncated. Should I get a 
hash if this happens?

Sadly I didn't remove the packets, my tcpdump wasn't set up with a large enough 
buffer when I was trying to do something else and noticed this!

> file analysis framework sometimes returns hashes despite missing packets
> ------------------------------------------------------------------------
>
>                 Key: BIT-1254
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1254
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: sample-3streams-hole.pcap
>
>
> Putting the attached sample (3 streams, each with missing packets) through the 
> file analysis framework, in files.log I see hashes for one stream but not 
> the other 2. Should I get any hashes if there are missing packets?
> bro -r sample-3streams-hole.pcap frameworks/files/hash-all-files.bro



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-008#64003)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
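
Added example (not part of the original message and not code from the Bro project): a check over files.log in Bro's tab-separated format that flags entries which carry a hash although missing_bytes is non-zero or seen_bytes is below total_bytes, the two cases discussed in this thread. The sample log lines, fuids and hash values are constructed, and only a subset of the files.log columns is included.

```python
# Constructed sample: a subset of files.log columns in Bro's tab-separated
# layout; fuids, sizes and hash values are made up for illustration.
MD5, SHA1 = "0" * 32, "1" * 40
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tfuid\tsource\tseen_bytes\ttotal_bytes\tmissing_bytes\tmd5\tsha1",
    "\t".join(["FCOMPLETE", "HTTP", "1000", "1000", "0", MD5, SHA1]),
    "\t".join(["FTRUNC", "HTTP", "600", "1000", "0", MD5, SHA1]),
    "\t".join(["FGAPNOHASH", "HTTP", "900", "1000", "100", "-", "-"]),
    "\t".join(["FNOLENGTH", "HTTP", "500", "-", "0", MD5, SHA1]),
    "\t".join(["FGAPHASH", "HTTP", "900", "1000", "100", MD5, SHA1]),
])

HASH_FIELDS = ("md5", "sha1", "sha256")


def to_int(value):
    """Return an int, or None for an unset ('-') or absent field."""
    return int(value) if value not in (None, "-", "") else None


def hashed_but_incomplete(log_text):
    """Return [(fuid, [reasons])] for hashed entries that lack bytes."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        if not any(rec.get(h, "-") not in ("-", "") for h in HASH_FIELDS):
            continue  # no hash logged, nothing to distrust
        seen, total = to_int(rec.get("seen_bytes")), to_int(rec.get("total_bytes"))
        missing = to_int(rec.get("missing_bytes")) or 0
        reasons = []
        if missing > 0:
            reasons.append("gap")        # bytes lost inside the stream
        if seen is not None and total is not None and seen < total:
            reasons.append("truncated")  # fewer bytes than the declared length
        if reasons:
            findings.append((rec.get("fuid"), reasons))
    return findings


if __name__ == "__main__":
    for fuid, reasons in hashed_but_incomplete(SAMPLE_LOG):
        print(fuid, ",".join(reasons))
```

An entry whose total_bytes is unset cannot be judged by the size comparison, so only the missing_bytes check applies to it.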