<div dir="ltr"><div dir="ltr"><br></div><div dir="ltr">if you're working with pcaps, you could possibly achieve this with a script.<div>there's a <a href="https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-tcp_packet">tcp_packet</a> event that provides the connection as well as the length of the packet.</div><div>for times, the <a href="https://docs.zeek.org/en/current/scripts/base/bif/zeek.bif.zeek.html#id-network_time">network_time</a> built in function should help you get started.</div><div><br></div><div>i would be careful trying this with live traffic, you might wind up having an unacceptable performance impact on your workers as that's a pretty frequent event.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 25, 2020 at 3:41 AM Federico Foschini <<a href="mailto:undicizeri@gmail.com">undicizeri@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello,<div>I'm reading a bunch of papers on interesting features for machine learning applied on network traffic. For example CSE-CIC (<a href="https://www.unb.ca/cic/datasets/ids-2018.html" target="_blank">https://www.unb.ca/cic/datasets/ids-2018.html</a>)</div><div><br><div>My question is: is it possible to add this type of statistic on conn.log?</div><div>- average packet size</div><div>- minimum packet size</div><div>- maximum packet size</div><div>- total time between two packets</div><div>- mean time between two packets etc.</div><div>- etc.</div><div><br></div><div>Reading in the documentation I saw this events <a href="https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.html#id-tcp_packet" target="_blank">https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.html#id-tcp_packet</a> but, as state by the documentation itself, it will lead to very poor performance.</div><div><br></div><div>The other code I think it could be relevant is the TCP analyzer: <a href="https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/src/analyzer/protocol/tcp/TCP.cc" target="_blank">https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/src/analyzer/protocol/tcp/TCP.cc</a> </div><div><div><br></div><div>I've never contributed to Zeek before and I don't know the codebase at all, so do you think Zeek would be capable of generating this type of stats? Is TCP.cc the right place to implement those features? Are there issues I am overlooking?</div>-- <br><div dir="ltr">Federico Foschini.</div></div></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div></div>