<div dir="ltr">Hi Russ,<div><br></div><div>Thanks for your feedback!</div><div><br></div><div>I'm sending you two PCAP files separately (but if someone else wants to check out these PCAP files, please let me know and I will also share them with them), both of them with just one TCP session inside.</div><div><br></div><div>- 18kfile_not_captured.pcap: it contains TCP ACKed unseen segments and the file is not captured by Snort.</div><div>- 18kfile_captured.pcap: it doesn't contain TCP ACKed unseen segments and the file is captured by Snort.</div><div><br></div><div>One of the tests I've deployed to check this behavior in IPS mode is the following (using just one machine with Snort):</div><div><br></div><div>- Bridge the interface eth2 with eth4.</div><div>- Send the 18kfile_captured.pcap through the eth2 using the program 'tcpreplay'.</div><div>- Use Snort in IPS mode listening from eth4.</div><div>- Result: There were TCP Gaps.</div><div><br></div><div>I replayed the test but by using tcpdump instead of Snort listening from eth4. What I found is that the packets arrived disordered. The PCAP file has just 36 packets, and some of the first ACKs arrived before their corresponding Datapackets. This is what I think was causing the TCP Gaps in Snort. 
But, when I executed tcpreplay with the option -o (which sends a packet every time I push the return key on my keyboard), the packets did not arrive disordered, and this could be this way since Datapackets can be processed completely before an ACK is sent and processed (supposing an ACK requires less time to be processed than a Datapacket).</div><div><br></div><div>Since this seems a common malfunction at a lower level, I don't know if maybe Snort should take this into account and try to, after an ACK unseen segment arrives, retain the window and check the 5 or 10 next packets, just in case the corresponding Datapacket is coming later, and if no corresponding Datapacket is coming later, move the window on as Snort is doing currently. I don't think this could lead to flawed reassembly and evasions, but please tell me if I'm wrong.</div><div><br></div><div>Best Regards,</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8000001907349px">Pablo Cantos</span><br></div><div><a href="http://redborder.org" target="_blank">redborder.org</a> / <a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a></div></div></div></div></div></div>
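<div>Added example (not part of the original e-mails and not Snort's code): an offline triage script for the simplified packet notation used in this thread. It flags every ACK that acknowledges data not yet seen in the capture and reports whether the missing data shows up within the next few packets (capture misordering) or not at all (real loss). The function names, the lookahead default and the last trace are assumptions made for the example; sequence-number wraparound is ignored.</div>

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "num src dst seq ack length")

# Traces transcribed from the thread's simplified notation.
REGULAR = """
pkt 1: server | client | seq_100 | ack_050 | len 100
pkt 2: server | client | seq_200 | ack_050 | len 100
pkt 3: server | client | seq_300 | ack_050 | len 100
pkt 4: server | client | seq_400 | ack_050 | len 100
pkt 5: client | server | seq_050 | ack_200 | len 000
pkt 6: client | server | seq_050 | ack_300 | len 000
pkt 7: client | server | seq_050 | ack_400 | len 000
pkt 8: client | server | seq_050 | ack_500 | len 000
"""
ACKED_UNSEEN = """
pkt 1: server | client | seq_100 | ack_050 | len 100
pkt 2: server | client | seq_200 | ack_050 | len 100
pkt 3: server | client | seq_300 | ack_050 | len 100
pkt 4: client | server | seq_050 | ack_200 | len 000
pkt 5: client | server | seq_050 | ack_300 | len 000
pkt 6: client | server | seq_050 | ack_400 | len 000
pkt 7: client | server | seq_050 | ack_500 | len 000
pkt 8: server | client | seq_400 | ack_050 | len 100
"""
DATA_REORDERED = """
pkt 1: server | client | seq_100 | ack_050 | len 100
pkt 2: server | client | seq_300 | ack_050 | len 100
pkt 3: server | client | seq_200 | ack_050 | len 100
pkt 4: server | client | seq_400 | ack_050 | len 100
pkt 5: client | server | seq_050 | ack_200 | len 000
pkt 6: client | server | seq_050 | ack_300 | len 000
pkt 7: client | server | seq_050 | ack_400 | len 000
pkt 8: client | server | seq_050 | ack_500 | len 000
"""
# Constructed for this example: bytes 200..399 never appear in the capture.
DATA_MISSING = """
pkt 1: server | client | seq_100 | ack_050 | len 100
pkt 2: client | server | seq_050 | ack_200 | len 000
pkt 3: client | server | seq_050 | ack_400 | len 000
pkt 4: server | client | seq_400 | ack_050 | len 100
"""


def parse_trace(text):
    """Parse 'pkt N: src | dst | seq_X | ack_Y | len Z' lines into Pkt tuples."""
    pkts = []
    for line in text.strip().splitlines():
        head, rest = line.split(":", 1)
        src, dst, seq, ack, length = [f.strip() for f in rest.split("|")]
        pkts.append(Pkt(int(head.split()[1]), src, dst,
                        int(seq.split("_")[1]), int(ack.split("_")[1]),
                        int(length.split()[1])))
    return pkts


def _filled_by(later, start, end):
    """Number of the packet that completes coverage of [start, end), else None."""
    segs = []
    for p in later:
        if p.length == 0:
            continue
        segs.append((p.seq, p.seq + p.length))
        cover = start
        for s, e in sorted(segs):      # merge segments seen so far, in seq order
            if s > cover:              # hole before this segment: stop merging
                break
            cover = max(cover, e)
        if cover >= end:
            return p.num
    return None


def find_acked_unseen(pkts, lookahead=10):
    """Return one event per ACK that covers bytes the capture has not shown yet."""
    seen_end = {}                      # sender -> highest seq+len seen so far
    events = []
    for i, p in enumerate(pkts):
        peer_end = seen_end.get(p.dst)
        # Only judge an ACK once at least one packet from the peer was seen.
        if peer_end is not None and p.ack > peer_end:
            window = [q for q in pkts[i + 1:i + 1 + lookahead] if q.src == p.dst]
            events.append({"ack_pkt": p.num,
                           "missing": (peer_end, p.ack),
                           "filled_by": _filled_by(window, peer_end, p.ack)})
            seen_end[p.dst] = p.ack    # avoid reporting the same range twice
        seen_end[p.src] = max(seen_end.get(p.src, p.seq), p.seq + p.length)
    return events


if __name__ == "__main__":
    for name in ("REGULAR", "ACKED_UNSEEN", "DATA_REORDERED", "DATA_MISSING"):
        print(name, find_acked_unseen(parse_trace(globals()[name])))
```

<div>An event with a filled_by packet number points at misordering in the capture path; an event with filled_by set to None means the data is absent from the capture.</div>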
<br><div class="gmail_quote">2015-05-15 15:17 GMT+02:00 Russ <span dir="ltr"><<a href="mailto:rucombs@...589..." target="_blank">rucombs@...846....589...</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Pablo,<br>
    <br>
    That's a great detailed analysis.  The reordering of data segments
    is part of what TCP does but that applies to each side of a flow
    separately.  It is not normal that an ACK, which travels in the
    opposite direction of the data it is acknowledging, is sent before
    the data is received, which is what the capture implies.  Although
    this reordering is actually just an artifact of the capture, an ACK
    advances the window and Snort has to simply note the gap and move
    on.  The alternative, in almost all cases, would lead to flawed
    reassembly and evasions.<br>
    <br>
    You haven't mentioned selective ACK which could possibly be
    confusing Snort.  Can you send a pcap of the misordered capture?  If
    you capture this on a different (maybe higher speed) device, is the
    order correct?<br>
    <br>
    Thanks<br>
    Russ<br>
    <br>
    <div>On 5/15/15 5:25 AM, Pablo Cantos
      Polaino wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Hi Hui,
        <div><br>
        </div>
        <div>I'm sorry for the delay, but I wanted to test some
          scenarios before replying to you.</div>
        <div><br>
        </div>
        <div>Following your advice, I've disabled some optimizations in
          order not to get jumbo frames, which actually were present
          in my PCAP file. After disabling the optimization, I was able
          to generate other PCAP files without Jumbo frames.</div>
        <div><br>
        </div>
        <div>This time I got several network traffic captures by using 3
          small files (8.1KB, 18KB and 63KB) and 'wget' and 'tcpdump'
          programs. I've tried to get the captures as simple as
          possible in order to avoid external "noises", and to do that
          I've got 6 PCAP files for every one of these three files,
          which gives me 18 PCAP files. I've also "cleaned" all these
          PCAP files by removing the rest of the sessions in which the
          file isn't in.</div>
        <div><br>
        </div>
        <div>After that, what I found on my first tests is that in all
          cases every file was not always captured by Snort (IDS mode).
          When a file was not captured, there were always 1 or 2 TCP
          Gaps and no TCP Discards and I could see with Wireshark that
          there were at least one packet marked as "TCP ACKed unseen
          segment" (see filter tcp.analysis.ack_lost_segment in
          Wireshark), which is due to one ACK that arrives before the
          Datapacket acked does. On the other hand, when the file was
          captured, there were neither TCP Gaps nor TCP Discards and I
          could check with Wireshark that there were no packet marked as
          "TCP ACKed unseen segment". See examples below:</div>
        <div><br>
        </div>
        <div>Regular PCAP file:</div>
        <div><br>
        </div>
        <div>
          <div>pkt 1: server | client | seq_100 | ack_050 | len 100</div>
          <div>pkt 2: server | client | seq_200 | ack_050 | len 100</div>
          <div>pkt 3: server | client | seq_300 | ack_050 | len 100</div>
          <div>pkt 4: server | client | seq_400 | ack_050 | len 100</div>
          <div>pkt 5: client | server | seq_050 | ack_200 | len 000
            <- ack for pkt 1</div>
          <div>pkt 6: client | server | seq_050 | ack_300 | len
            000 <- ack for pkt 2</div>
          <div>pkt 7: client | server | seq_050 | ack_400 | len
            000 <- ack for pkt 3</div>
          <div>pkt 8: client | server | seq_050 | ack_500 | len
            000 <- ack for pkt 4</div>
        </div>
        <div><br>
        </div>
        <div>PCAP file with one TCP ACKed unseen segment:</div>
        <div><br>
        </div>
        <div>
          <div>pkt 1: server | client | seq_100 | ack_050 | len 100</div>
          <div>pkt 2: server | client | seq_200 | ack_050 | len 100</div>
          <div>pkt 3: server | client | seq_300 | ack_050 | len 100</div>
          <div>pkt 4: client | server | seq_050 | ack_200 | len
            000 <- ack for pkt 1<br>
          </div>
          <div>pkt 5: client | server | seq_050 | ack_300 | len
            000 <- ack for pkt 2</div>
          <div>pkt 6: client | server | seq_050 | ack_400 | len
            000 <- ack for pkt 3</div>
          <div>pkt 7: client | server | seq_050 | ack_500 | len
            000 <- ack for pkt 8 (TCP ACKed unseen segment)</div>
        </div>
        <div>
          <div>pkt 8: server | client | seq_400 | ack_050 | len 100</div>
        </div>
        <div><br>
        </div>
        <div>I've reordered some packets in PCAP files that cause TCP
          Gaps in Snort by putting ACKs after their corresponding
          Datapacket (in the example above it would consist of putting
          pkt 8 before pkt 7). This time, Snort didn't see TCP Gaps when
          it read these reordered PCAP files and was able to capture the
          file inside.</div>
        <div><br>
        </div>
        <div>This packet disruption is causing Snort to not work
          properly, since it's finding "false" TCP Gaps, and I say
          "false" because actually these Datapackets exist, but their
          corresponding ACKs are arriving before them (just one position
          before is enough to discard the Datapacket).<br>
        </div>
        <div><br>
        </div>
        <div>To understand better how far Snort is able to take into
          account packet disruptions, I've also tried to reorder a
          "consistent" PCAP file, with neither TCP ACKed unseen segments
          nor TCP Gaps or Discard in Snort and whose file inside is
          captured by Snort. Example of "consistent" or regular PCAP
          file:</div>
        <div><br>
        </div>
        <div>
          <div>pkt 1: server | client | seq_100 | ack_050 | len 100</div>
        </div>
        <div>
          <div>pkt 2: server | client | seq_200 | ack_050 | len 100</div>
        </div>
        <div>
          <div>pkt 3: server | client | seq_300 | ack_050 | len 100</div>
        </div>
        <div>
          <div>pkt 4: server | client | seq_400 | ack_050 | len 100</div>
        </div>
        <div>
          <div>pkt 5: client | server | seq_050 | ack_200 | len 000
            <- ack for pkt 1</div>
          <div>pkt 6: client | server | seq_050 | ack_300 | len
            000 <- ack for pkt 2</div>
          <div>pkt 7: client | server | seq_050 | ack_400 | len
            000 <- ack for pkt 3</div>
          <div>pkt 8: client | server | seq_050 | ack_500 | len
            000 <- ack for pkt 4</div>
        </div>
        <div><br>
        </div>
        <div>What I've done with this PCAP file is to alter the position
          of two Datapackets, but without causing TCP ACKed unseen
          segments. See example below in which pkt 2 is moved before pkt
          3:<br>
        </div>
        <div><br>
        </div>
        <div>
          <div>pkt 1: server | client | seq_100 | ack_050 | len 100</div>
          <div>pkt 2: server | client | seq_300 | ack_050 | len 100<br>
          </div>
          <div>pkt 3: server | client | seq_200 | ack_050 | len 100</div>
          <div>pkt 4: server | client | seq_400 | ack_050 | len 100</div>
          <div>
            <div>pkt 5: client | server | seq_050 | ack_200 | len 000
              <- ack for pkt 1</div>
            <div>pkt 6: client | server | seq_050 | ack_300 | len
              000 <- ack for pkt 2</div>
            <div>pkt 7: client | server | seq_050 | ack_400 | len
              000 <- ack for pkt 3</div>
            <div>pkt 8: client | server | seq_050 | ack_500 | len
              000 <- ack for pkt 4</div>
          </div>
        </div>
        <div><br>
        </div>
        <div>In this case, Snort is able to detect this packet
          re-ordering and it does not affect the final result, since
          there are neither TCP Gaps nor Discards and the file inside the
          TCP session is captured by Snort.</div>
        <div><br>
        </div>
        <div>I've replayed all these tests in IPS mode with the same
          result, by using 'tcpreplay' program and sending these PCAP
          files through a network interface.</div>
        <div><br>
        </div>
        <div>Now, my question is whether there is a way that Snort could
          manage the "false" TCP ACKed unseen segments due to packet
          re-ordering, in the same way it manages the Datapacket
          re-ordering. Since the packet re-ordering seems to be a common
          issue in networks.</div>
        <div><br>
        </div>
        <div>I've reviewed the Stream5 and Frag3 options looking for a
          possible configuration to solve this, but I haven't found
          anything related to this.</div>
        <div><br>
        </div>
        <div class="gmail_extra">If any Snort output, PCAP file or
          whatever were useful to you, please don't hesitate to ask for
          it.</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Best Regards and Thank you very much
          for your help,</div>
        <div class="gmail_extra"><br clear="all">
          <div>
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div><span style="font-size:12.8000001907349px">Pablo
                        Cantos</span><br>
                    </div>
                    <div><a href="http://redborder.org" target="_blank">redborder.org</a>
                      / <a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a></div>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">2015-05-09 2:51 GMT+02:00 Hui Cao
            (huica) <span dir="ltr"><<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>></span>:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
                <div>Hi Pablo,</div>
                <div><br>
                </div>
                <div>I am pretty sure that the Jumbo frame is the issue
                  for PCAP. They are even bigger than 60000, which is
                  not normal. </div>
                <div><br>
                </div>
                <div>For the interface one, there are lots of discards.
                  Not all traffic is processed by snort, therefore
                  there are lots of gaps in the TCP stream. You can try
                  inline mode, instead of passive. Either there is some
                  configuration issue for interface, or the speed of
                  passive interface might be too high to be processed by
                  your CPU.</div>
                <div><br>
                </div>
                <div>Best,</div>
                <div>Hui.</div>
                <div><br>
                </div>
                <span>
                  <div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;border-top-color:rgb(181,196,223)"><span>
                      <span style="font-weight:bold">From: </span>Pablo
                      Cantos Polaino <<a href="mailto:pcantos@...17163......" target="_blank">pcantos@...16842...</a>><br>
                    </span><span style="font-weight:bold">Date: </span>Friday,
                    May 8, 2015 at 5:59 PM
                    <div>
                      <div><br>
                        <span style="font-weight:bold">To: </span>Hui
                        Cao <<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>><br>
                        <span style="font-weight:bold">Cc: </span>"<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a>"
                        <<a href="mailto:snort-users@...5870....net" target="_blank">snort-users@lists.sourceforge.net</a>><br>
                        <span style="font-weight:bold">Subject: </span>Re:
                        [Snort-users] File preprocessor fails to capture
                        files<br>
                      </div>
                    </div>
                  </div>
                  <div>
                    <div>
                      <div><br>
                      </div>
                      <div>
                        <div>
                          <div dir="ltr">
                            <div>Hi Hui,</div>
                            <div><br>
                            </div>
                            <div>I've replaced config paf_max: 16000 by
                              60000 as you propose.</div>
                            <div><br>
                            </div>
                            <div>File type was not identified because I
                              had disabled type_id option in
                              preprocessor file_inspect. I've replayed
                              the tests with paf_max = 60000 and both
                              type_id enabled and disabled. In both
                              cases the capture files are the same
                              (number and size) when sniffing from an
                              interface and reading from a PCAP file. So
                              I'm pasting below the exit stats when
                              type_id is enabled and paf_max = 60000:</div>
                            <div><br>
                            </div>
                            <div>
                              <div style="font-size:12.8000001907349px">Exit
                                stats when reading the PCAP file <span style="font-size:12.8000001907349px">and
                                  type_id enabled:</span></div>
                            </div>
                            <div><br>
                            </div>
                            <div><span style="font-size:12.8000001907349px">===============================================================================</span><br>
                            </div>
                            <div>
                              <div><span style="font-size:12.8000001907349px">Run
                                  time for packet processing was
                                  3.978146 seconds</span></div>
                              <div><span style="font-size:12.8000001907349px">Snort
                                  processed 3326 packets.</span></div>
                              <div><span style="font-size:12.8000001907349px">Snort
                                  ran for 0 days 0 hours 0 minutes 3
                                  seconds</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Pkts/sec:         1108</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Memory
                                  usage summary:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total non-mmapped bytes (arena):      
                                  10190848</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Bytes in mapped regions (hblkhd):    
                                   122081280</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total allocated space (uordblks):    
                                   8072896</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total free space (fordblks):          
                                  2117952</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Topmost releasable block (keepcost):  
                                  133008</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Packet
                                  I/O Totals:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Received:         3326</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Analyzed:         3326 (100.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Dropped:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Filtered:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px">Outstanding:
                                             0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Injected:            0</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Breakdown
                                  by protocol (includes rebuilt
                                  packets):</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        Eth:         3333 (100.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       VLAN:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        IP4:         3333 (100.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       Frag:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       ICMP:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        UDP:           40 (  1.200%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        TCP:         3293 ( 98.800%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        IP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    IP6 Ext:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   IP6 Opts:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Frag6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      ICMP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       UDP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       TCP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     Teredo:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    ICMP-IP:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    IP4/IP4:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    IP4/IP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    IP6/IP4:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    IP6/IP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        GRE:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    GRE Eth:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   GRE VLAN:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    GRE IP4:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    GRE IP6:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px">GRE
                                  IP6 Ext:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   GRE PPTP:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    GRE ARP:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    GRE IPX:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   GRE Loop:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       MPLS:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        ARP:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        IPX:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Eth Loop:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   Eth Disc:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   IP4 Disc:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   IP6 Disc:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   TCP Disc:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   UDP Disc:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  ICMP Disc:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px">All
                                  Discard:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Other:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px">Bad
                                  Chk Sum:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Bad TTL:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     S5 G 1:            3 (  0.090%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     S5 G 2:            4 (  0.120%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Total:         3333</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Action
                                  Stats:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     Alerts:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     Logged:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     Passed:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px">Limits:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Match:            0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Queue:            0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        Log:            0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Event:            0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Alert:            0</span></div>
                              <div><span style="font-size:12.8000001907349px">Verdicts:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Allow:         3326 (100.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Block:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Replace:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Whitelist:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Blacklist:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     Ignore:            0 (  0.000%)</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Frag3
                                  statistics:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        Total Fragments: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      Frags Reassembled: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                               Discards: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          Memory Faults: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                               Timeouts: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                               Overlaps: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              Anomalies: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                 Alerts: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                  Drops: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     FragTrackers Added: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    FragTrackers Dumped: 0</span></div>
                              <div><span style="font-size:12.8000001907349px">FragTrackers
                                  Auto Freed: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Frag Nodes Inserted: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     Frag Nodes Deleted: 0</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Stream
                                  statistics:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                            Total sessions: 24</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              TCP sessions: 14</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              UDP sessions: 10</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                             ICMP sessions: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                               IP sessions: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                TCP Prunes: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                UDP Prunes: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                               ICMP Prunes: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                 IP Prunes: 0</span></div>
                              <div><span style="font-size:12.8000001907349px">TCP
                                  StreamTrackers Created: 14</span></div>
                              <div><span style="font-size:12.8000001907349px">TCP
                                  StreamTrackers Deleted: 14</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              TCP Timeouts: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              TCP Overlaps: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       TCP Segments Queued: 2394</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                     TCP Segments Released: 2394</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                       TCP Rebuilt Packets: 793</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         TCP Segments Used: 2393</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              TCP Discards: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                  TCP Gaps: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      UDP Sessions Created: 10</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                      UDP Sessions Deleted: 10</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              UDP Timeouts: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                              UDP Discards: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                    Events: 1</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                           Internal Events: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                           TCP Port Filter</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                  Filtered: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                 Inspected: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                   Tracked: 3286</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                           UDP Port Filter</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                  Filtered: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                 Inspected: 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                                   Tracked: 10</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">HTTP
                                  Inspect - encodings (Note:
                                  stream-reassembled packets included):</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    POST methods:                      
                                    0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    GET methods:                        
                                   10        </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    HTTP Request Headers extracted:    
                                    10        </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    HTTP Request Cookies extracted:    
                                    0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Post parameters extracted:          
                                   0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    HTTP response Headers extracted:    
                                   10        </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    HTTP Response Cookies extracted:    
                                   0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Unicode:                            
                                   0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Double unicode:                    
                                    0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Non-ASCII representable:            
                                   0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Directory traversals:              
                                    0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Extra slashes ("//"):              
                                    0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Self-referencing paths ("./"):      
                                   0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    HTTP Response Gzip packets
                                  extracted: 0         </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Gzip Compressed Data Processed:    
                                    n/a       </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Gzip Decompressed Data Processed:  
                                    n/a       </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                    Total packets processed:            
                                   2433      </span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">SMTP
                                  Preprocessor Statistics</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total sessions                        
                                             : 0</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Max concurrent sessions              
                                              : 0</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">dcerpc2
                                  Preprocessor Statistics</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total sessions: 0</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">SIP
                                  Preprocessor Statistics</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total sessions: 0</span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">File
                                  Preprocessor Statistics</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file type callbacks:          
                                   7          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file signature callbacks:      
                                  7          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total files would saved to disk:    
                                   7          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total files saved to disk:          
                                   7          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file data saved to disk:      
                                   47466737  bytes</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total files duplicated:              
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total files reserving failed:        
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file capture min:              
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file capture max:              
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file capture memcap:          
                                   0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total files reading failed:          
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file agent memcap failures:    
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total files sent:                    
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file data sent:                
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                  Total file transfer failures:        
                                  0          </span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">File
                                  type stats:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         Type              Download  
                                  (Bytes)      Upload     (Bytes)</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          GZ( 33)          2        
                                   6848054      0          0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         MP3( 64)          2        
                                   37257592     0          0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        JPEG( 70)          2        
                                   3360645      0          0          </span><br>
                              </div>
                              <div><span style="font-size:12.8000001907349px">
                                  <div>         BMP(148)          1    
                                         446          0          0      
                                       </div>
                                  <div><span style="font-size:12.8000001907349px"> 
                                                Total          7        
                                       </span><span style="font-size:12.8000001907349px">47466737</span><span style="font-size:12.8000001907349px">     0          0          </span><br>
                                  </div>
                                </span></div>
                              <div><span style="font-size:12.8000001907349px"><br>
                                </span></div>
                              <div><span style="font-size:12.8000001907349px">File
                                  signature stats:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         Type              Download  
                                  Upload </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          GZ( 33)          2          0
                                           </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         MP3( 64)          2          0
                                           </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         PNG( 69)          1          0
                                           </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        JPEG( 70)          2          0
                                           </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                            Total          7          0
                                           </span></div>
                              <div><span style="font-size:12.8000001907349px"><br>
                                </span></div>
                              <div><span style="font-size:12.8000001907349px">File
                                  type verdicts:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        UNKNOWN:           7          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                            LOG:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                           STOP:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          BLOCK:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         REJECT:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        PENDING:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   STOP CAPTURE:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          Total:           7          </span></div>
                              <div><span style="font-size:12.8000001907349px"><br>
                                </span></div>
                              <div><span style="font-size:12.8000001907349px">File
                                  signature verdicts:</span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        UNKNOWN:           7          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                            LOG:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                           STOP:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          BLOCK:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                         REJECT:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                        PENDING:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                   STOP CAPTURE:           0          </span></div>
                              <div><span style="font-size:12.8000001907349px"> 
                                          Total:           7          </span></div>
                              <div><span style="font-size:12.8000001907349px"><br>
                                </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files processed:             10      
                                    </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files data processed:        47473897
                                   bytes </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files buffered:              7        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files released:              7        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files freed:                 0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files captured:              7        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  files within one packet:     1        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  buffers allocated:           1452    
                                    </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  buffers freed:               0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  buffers released:            1452    
                                    </span></div>
                              <div><span style="font-size:12.8000001907349px">Maximum
                                  file buffers used:         759        </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  buffers free errors:         0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  buffers release errors:      0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  memcap failures:             0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  memcap failures at reserve:  0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  reserve failures:            0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  file capture size min:       0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  file capture size max:       0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  capture max before reserve:  0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Total
                                  file signature max:          0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Maximum
                                  buffers can allocate:      3196       </span></div>
                              <div><span style="font-size:12.8000001907349px">Number
                                  of buffers in use:          0        
                                   </span></div>
                              <div><span style="font-size:12.8000001907349px">Number
                                  of buffers in free list:    1744    
                                    </span></div>
                              <div><span style="font-size:12.8000001907349px">Number
                                  of buffers in release list: 1452    
                                    </span></div>
                              <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                              <div><span style="font-size:12.8000001907349px">Snort
                                  exiting</span></div>
                            </div>
                            <div><span style="font-size:12.8000001907349px"><br>
                              </span></div>
                            <div><span style="font-size:12.8000001907349px">This
                                time the captured files have changed:</span></div>
                            <div><span style="font-size:12.8000001907349px"><br>
                              </span></div>
                            <div><span style="font-size:12.8000001907349px">#
                                ls -lS</span></div>
                            <div><span style="font-size:12.8000001907349px">
                                <div>-rw------- 1 root root 24211979 May
                                   8 21:20
                                  8452B621DC334D1FD44470A80540CBEF2F6869AF851B9E8C684EF9402016F692</div>
                                <div>-rw------- 1 root root 13045613 May
                                   8 21:20
                                  5CF142947C2957EE648457A91B69FB82F088F31205030F9A77B2AD827228C6E9</div>
                                <div>-rw------- 1 root root  6352738 May
                                   8 21:20
                                  DB57C532919D9ABABAC127F29DBDC05ED832394880E46CAD81A5DDE713CCB4BE</div>
                                <div>-rw------- 1 root root  2936119 May
                                   8 21:20
                                  B4127F43A3F455523B81179CC11AA4F28FC27F4C041D20E28AA08A32D85CB757</div>
                                <div>-rw------- 1 root root   495316 May
                                   8 21:20
                                  A294AA3D01CD8902BF842D320E7F2C043AF9EAD95D0E7198C3B71A0DBC9D253C</div>
                                <div>-rw------- 1 root root   424526 May
                                   8 21:20
                                  8863DB1EC4B02D5BCC1FB4BD03D220F7458136342CDD47CE507A5B886C6BB56C</div>
                                <div>-rw------- 1 root root      446 May
                                   8 21:20 <span style="font-size:12.8000001907349px">8D490C71A27631CF6A476F68C40965</span><span style="font-size:12.8000001907349px">5CB63BF32C17846A3C3C125A79046D</span><span style="font-size:12.8000001907349px">B2C1</span></div>
                              </span></div>
                            <div><br>
                            </div>
                            <div><span style="font-size:12.8000001907349px">But
                                they are still different from the
                                original ones:</span></div>
                            <div><span style="font-size:12.8000001907349px"><br>
                              </span></div>
                            <div><span style="font-size:12.8000001907349px">#
                                ls -lS</span></div>
                            <div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root 1044381696 Feb 18 20:12
                                ubuntu-14.04.2-desktop-amd64.iso</div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root  375187792 May  8 21:07
                                VMware-viclient.exe</div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root  101688487 Jul 10  2014
                                oversize_pdf_test_0.pdf</div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root   14955972 May  8 21:07
                                MakeUp.mov</div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root    6094376 May  8 21:07
                                video1.avi</div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root    2187725 May  8 21:07
                                Fighter.mpg</div>
                              <div style="font-size:12.8000001907349px">-rw-r--r--
                                1 root root        446 Mar 22  2013
                                tux-sw.bmp</div>
                              <div style="font-size:12.8000001907349px"><br>
                              </div>
                              <div style="font-size:12.8000001907349px">##########################################################################</div>
                              <div style="font-size:12.8000001907349px">##########################################################################</div>
                              <div style="font-size:12.8000001907349px"><br>
                              </div>
                              <div style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Exit
                                  stats when listening from interface
                                  and type_id enabled:</span><br>
                              </div>
                              <div style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"><br>
                                </span></div>
                              <div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Run
                                    time for packet processing was
                                    108.388974 seconds</span></div>
                                <div><span style="font-size:12.8000001907349px">Snort
                                    processed 256250 packets.</span></div>
                                <div><span style="font-size:12.8000001907349px">Snort
                                    ran for 0 days 0 hours 1 minutes 48
                                    seconds</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Pkts/min:       256250</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Pkts/sec:         2372</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Memory
                                    usage summary:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total non-mmapped bytes (arena):    
                                      10100736</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Bytes in mapped regions (hblkhd):  
                                       122081280</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total allocated space (uordblks):  
                                       8073952</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total free space (fordblks):        
                                      2026784</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Topmost releasable block (keepcost):
                                      108544</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Packet
                                    I/O Totals:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Received:       256250</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Analyzed:       256250 (100.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Dropped:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Filtered:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px">Outstanding:
                                               0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Injected:            0</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Breakdown
                                    by protocol (includes rebuilt
                                    packets):</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          Eth:       256255 (100.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         VLAN:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          IP4:       256130 ( 99.951%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         Frag:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         ICMP:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          UDP:           24 (  0.009%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          TCP:       132229 ( 51.601%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          IP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      IP6 Ext:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     IP6 Opts:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Frag6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        ICMP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         UDP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         TCP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       Teredo:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      ICMP-IP:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      IP4/IP4:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      IP4/IP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      IP6/IP4:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      IP6/IP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          GRE:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      GRE Eth:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     GRE VLAN:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      GRE IP4:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      GRE IP6:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px">GRE
                                    IP6 Ext:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     GRE PPTP:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      GRE ARP:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      GRE IPX:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     GRE Loop:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         MPLS:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          ARP:          125 (  0.049%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          IPX:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Eth Loop:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Eth Disc:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     IP4 Disc:       123866 ( 48.337%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     IP6 Disc:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     TCP Disc:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     UDP Disc:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    ICMP Disc:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px">All
                                    Discard:       123866 ( 48.337%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Other:           11 (  0.004%)</span></div>
                                <div><span style="font-size:12.8000001907349px">Bad
                                    Chk Sum:          362 (  0.141%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Bad TTL:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       S5 G 1:            2 (  0.001%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       S5 G 2:            3 (  0.001%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Total:       256255</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Action
                                    Stats:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       Alerts:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       Logged:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       Passed:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px">Limits:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Match:            0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Queue:            0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          Log:            0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Event:            0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Alert:            0</span></div>
                                <div><span style="font-size:12.8000001907349px">Verdicts:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Allow:       228770 ( 89.276%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Block:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Replace:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Whitelist:        27480 ( 10.724%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Blacklist:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       Ignore:            0 (  0.000%)</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Frag3
                                    statistics:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          Total Fragments: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Frags Reassembled: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                 Discards: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            Memory Faults: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                 Timeouts: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                 Overlaps: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                Anomalies: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                   Alerts: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                    Drops: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       FragTrackers Added: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      FragTrackers Dumped: 0</span></div>
                                <div><span style="font-size:12.8000001907349px">FragTrackers
                                    Auto Freed: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Frag Nodes Inserted: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       Frag Nodes Deleted: 0</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Stream
                                    statistics:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                              Total sessions: 20</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                TCP sessions: 14</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                UDP sessions: 6</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                               ICMP sessions: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                 IP sessions: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                  TCP Prunes: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                  UDP Prunes: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                 ICMP Prunes: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                   IP Prunes: 0</span></div>
                                <div><span style="font-size:12.8000001907349px">TCP
                                    StreamTrackers Created: 14</span></div>
                                <div><span style="font-size:12.8000001907349px">TCP
                                    StreamTrackers Deleted: 14</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                TCP Timeouts: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                TCP Overlaps: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         TCP Segments Queued: 6930</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                       TCP Segments Released: 6930</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                         TCP Rebuilt Packets: 6331</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           TCP Segments Used: 6903</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                TCP Discards: 7</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                    TCP Gaps: 6570</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        UDP Sessions Created: 6</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        UDP Sessions Deleted: 6</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                UDP Timeouts: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                UDP Discards: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                      Events: 16</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             Internal Events: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             TCP Port Filter</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                    Filtered: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                   Inspected: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                     Tracked: 131874</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             UDP Port Filter</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                    Filtered: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                   Inspected: 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                     Tracked: 6</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">HTTP
                                    Inspect - encodings (Note:
                                    stream-reassembled packets
                                    included):</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      POST methods:                    
                                        0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      GET methods:                      
                                       0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      HTTP Request Headers extracted:  
                                        0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      HTTP Request Cookies extracted:  
                                        0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Post parameters extracted:        
                                       0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      HTTP response Headers extracted:  
                                       2         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      HTTP Response Cookies extracted:  
                                       0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Unicode:                          
                                       0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Double unicode:                  
                                        0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Non-ASCII representable:          
                                       0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Directory traversals:            
                                        0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Extra slashes ("//"):            
                                        0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Self-referencing paths ("./"):    
                                       0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      HTTP Response Gzip packets
                                    extracted: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Gzip Compressed Data Processed:  
                                        n/a       </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Gzip Decompressed Data Processed:
                                        n/a       </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Total packets processed:          
                                       13165     </span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">SMTP
                                    Preprocessor Statistics</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total sessions                      
                                                 : 0</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Max concurrent sessions            
                                                  : 0</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">dcerpc2
                                    Preprocessor Statistics</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total sessions: 0</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">SSL
                                    Preprocessor:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     SSL packets decoded: 68        </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            Client Hello: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            Server Hello: 2         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             Certificate: 2         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             Server Done: 3         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Client Key Exchange: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     Server Key Exchange: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           Change Cipher: 2         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                Finished: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Client Application: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Server Application: 1         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                                   Alert: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Unrecognized records: 64        </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Completed handshakes: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          Bad handshakes: 0         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                        Sessions ignored: 1         </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                      Detection disabled: 1         </span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">SIP
                                    Preprocessor Statistics</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total sessions: 0</span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">File
                                    Preprocessor Statistics</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file type callbacks:          
                                     2          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file signature callbacks:    
                                      1          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total files would saved to disk:    
                                     1          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total files saved to disk:          
                                     1          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file data saved to disk:      
                                     446       bytes</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total files duplicated:            
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total files reserving failed:      
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file capture min:            
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file capture max:            
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file capture memcap:          
                                     0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total files reading failed:        
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file agent memcap failures:  
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total files sent:                  
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file data sent:              
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                    Total file transfer failures:      
                                      0          </span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">File
                                    type stats:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           Type              Download  
                                    (Bytes)      Upload     (Bytes)</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           BMP(148)          1        
                                     446          0          0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           PDF(288)          1        
                                     3057259      0          0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                              Total          2        
                                     3057705      0          0          </span></div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">File
                                    signature stats:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           Type              Download  
                                    Upload </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           BMP(148)          1        
                                     0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                              Total          1        
                                     0          </span></div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">File
                                    type verdicts:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          UNKNOWN:           2          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                              LOG:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             STOP:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            BLOCK:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           REJECT:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          PENDING:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     STOP CAPTURE:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            Total:           2          </span></div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">File
                                    signature verdicts:</span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          UNKNOWN:           1          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                              LOG:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                             STOP:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            BLOCK:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                           REJECT:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                          PENDING:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                     STOP CAPTURE:           0          </span></div>
                                <div><span style="font-size:12.8000001907349px"> 
                                            Total:           1          </span></div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files processed:             2      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files data processed:        3057705
                                      bytes </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files buffered:              2      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files released:              1      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files freed:                 1      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files captured:              1      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    files within one packet:     1      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    buffers allocated:           95    
                                        </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    buffers freed:               94    
                                        </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    buffers released:            1      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Maximum
                                    file buffers used:         94      
                                      </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    buffers free errors:         0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    buffers release errors:      0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    memcap failures:             0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    memcap failures at reserve:  0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    reserve failures:            0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    file capture size min:       0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    file capture size max:       0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    capture max before reserve:  0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Total
                                    file signature max:          0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Maximum
                                    buffers can allocate:      3196    
                                      </span></div>
                                <div><span style="font-size:12.8000001907349px">Number
                                    of buffers in use:          0      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">Number
                                    of buffers in free list:    3195    
                                      </span></div>
                                <div><span style="font-size:12.8000001907349px">Number
                                    of buffers in release list: 1      
                                       </span></div>
                                <div><span style="font-size:12.8000001907349px">===============================================================================</span></div>
                                <div><span style="font-size:12.8000001907349px">Snort
                                    exiting</span></div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">This
                                    time the captured files haven't
                                    changed:</span></div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">#
                                    ls -lS</span></div>
                                <div><span style="font-size:12.8000001907349px">-rw-------
                                    1 root root 446 May  8 21:33
                                    8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1</span><br>
                                </div>
                                <div><span style="font-size:12.8000001907349px"><br>
                                  </span></div>
                                <div><span style="font-size:12.8000001907349px">Best
                                    Regards,</span></div>
                                <div><br>
                                </div>
                              </div>
                            </div>
                          </div>
                          <div class="gmail_extra"><br clear="all">
                            <div>
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div><span style="font-size:12.8000001907349px">Pablo
                                          Cantos</span><br>
                                      </div>
                                      <div><a href="http://redborder.org" target="_blank">redborder.org</a>
                                        / <a href="mailto:pcantos@...16845...2..." target="_blank">
                                          pcantos@...16842...</a></div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                            <br>
                            <div class="gmail_quote">2015-05-08 21:49
                              GMT+02:00 Hui Cao (huica) <span dir="ltr">
                                &lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;</span>:<br>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                <div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
                                  <div>Hi Pablo,</div>
                                  <div><br>
                                  </div>
                                  <div>When listening from interfaces,
                                    you have lots of discards. Because
                                    file processing relies on data that
                                    are reassembled correctly, it won’t
                                    be called for those sessions that
                                    miss file data.</div>
                                  <div><br>
                                  </div>
                                  <div>In the case of PCAP, not sure why
                                    file type is not identified. It is
                                    interesting to see 47M file data for
                                    only 3326 packets. That is 24K per
                                    packet. I guess in this case, it
                                    will always hit PAF_MAX for each
                                    packet which might set each packet
                                    as single PDU(file). Can you try
                                    this setting?</div>
                                  <div><span style="line-height:20.7900009155273px"><br>
                                    </span></div>
                                  <div><span style="line-height:20.7900009155273px">config
                                      paf_max: 60000</span></div>
                                  <div><br>
                                  </div>
                                  <div>Best,</div>
                                  <div>Hui.</div>
                                  <div><br>
                                  </div>
                                  <span>
                                    <div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;border-top-color:rgb(181,196,223)">
                                      <span><span style="font-weight:bold">From:
                                      </span>Pablo Cantos Polaino &lt;<a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a>&gt;<br>
                                      </span><span style="font-weight:bold">Date: </span>Friday,
                                      May 8, 2015 at 3:29 PM<br>
                                      <span style="font-weight:bold">To:
                                      </span>Hui Cao &lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;<br>
                                      <span style="font-weight:bold">Cc:
                                      </span>"<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@...2652...e.net</a>"
                                      &lt;<a href="mailto:snort-users@...3204...ts.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a>&gt;<br>
                                      <span style="font-weight:bold">Subject:
                                      </span>Re: [Snort-users] File
                                      preprocessor fails to capture
                                      files<br>
                                    </div>
                                    <span>
                                      <div><br>
                                      </div>
                                      <div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"> 
                                         IP4 Disc:       122145 (
                                        49.331%)</div>
                                      <div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"> 
                                         IP6 Disc:            0 (
                                         0.000%)</div>
                                      <div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"> 
                                         TCP Disc:            0 (
                                         0.000%)</div>
                                      <div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"> 
                                         UDP Disc:            0 (
                                         0.000%)</div>
                                      <div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"> 
                                        ICMP Disc:            0 (
                                         0.000%)</div>
                                      <div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">All
                                        Discard:       122145 ( 49.331%)</div>
                                    </span></span>
                                  <div><br>
                                  </div>
                                  <span>
                                    <div>
                                      <div style="font-family:Calibri"> 
                                               TCP Segments Used: 6919</div>
                                      <div style="font-family:Calibri"> 
                                                    TCP Discards: 48</div>
                                      <div style="font-family:Calibri"> 
                                                        TCP Gaps: 6459</div>
                                    </div>
                                  </span></div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </span>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></div>