[Bro] wrong size computation

Vincenzo Falletta falletta at ftw.at
Wed Dec 7 09:38:31 PST 2005

Here it is a sample... it is just an handshake but if you run

$bro -r to-brolist_anonym.pcap brolite

you will see in the conn.log file the BIG computation mistake...

	Vincenzo :-)

Ruoming Pang (庞若鸣) wrote:
>> As regards the way bro deals with the number of bytes transferred for
>> each connection, it seems that bro DOES NOT keep a variable in which
>> incrementally stores the sum of each packet size for all the packets
>> involved in that very connection, but instead does a certain computation
>>  (i wonder how...) involving only the first and the last packet in the
>> connection... Am I correct?
> Yes, for TCP connections Bro computes connection sizes based on TCP
> sequence numbers.
>> I'm asking this question because I've found something very strange.
>> In bro's conn.log file there are lines like this:
>> Dec  1 00:22:53 1.058870 A B http 49331 80 tcp 886477697 ? RSTOS0 L
>> (yes it's correct, 800MB in 1 second) but if I look at the trace, this
>> is what I see:
>>      A              B
>>    49331  -->    80 (SYN)        Seq=0,Ack=0
>>    49331  <--    80 (ACK)        Seq=0,Ack=0
>>    49331  -->    80 (RST)        Seq=0,Ack=188164531
>> (Only 3 packets transferred...)
>> Of course there's some bug in these hosts, but bro should not be
>> misleaded in computing the amount of bytes transferred inside a
>> connection. Could someone explain me what's happening here?
> This is weird. Could you please send me the trace file?
> I think there are two separate issues here:
> 1. How Bro comes up with the 800MB number and whether the ack sequence
> in the RST packet should be taken into computation. We need to look at
> the trace to find out.
> 2. In general, Bro connection sizes can be incorrect in weird cases, and
> if you want accurate numbers in your measurements, my suggestions (and
> what we did in our measurements) are: (a) if you have all packets in
> your traces, there's a Bro script (Vern?) to sample packets very
> efficiently to estimate connection size, even in the case the sequence
> numbers wrap around a number of times, which then can be used to
> validate the connection size; (b) if all you have are SYN, FIN, and RST
> packets, you can make some assumption about the bandwidth of the link to
> check if the connection size makes sense.
> Ruoming
-------------- next part --------------
A non-text attachment was scrubbed...
Name: to-brolist_anonym.pcap
Type: application/octet-stream
Size: 212 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20051207/3d8965d5/attachment.obj 

More information about the Bro mailing list