[Bro] TCP Connection duration = ?
christian at whoop.org
Thu Sep 16 11:01:44 PDT 2004
On Wed, 2004-09-15 at 23:11, Mike Muratet wrote:
> Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I
> see many instances where the connection duration is '?'. I've looked at the
> manual, and by the definition of 'duration' I am led to believe that a ?
> indicates a record with an end event that never received a begin event. I'm
> still trying to find the calculation in the source, but does this make
I think the spot to look at is in policy/conn.bro, around line 204. If
the log entry is written out at a time where none of the endpoints have
closed the connection, the duration cannot yet be known, and hence is
written out as "?".
Hope this helps,
More information about the Bro