[Bro] Daily report and Byte Transfer Pairs

frenzy at frenzy.org frenzy at frenzy.org
Fri Feb 17 10:38:45 PST 2006


I have been noticing that sometimes the daily report Byte Transfer Pair 
information in the Local bytes and Remote Bytes values can be off by a 
very large factor from the actual traffic size.

Is this caused by the traffic estimation algorithm, and what factors could 
contribute to that larger size? The transfers in question were some HTTP 
traffic that didn't get to be above 100 K in size, and Bro reported it as 
being 1815 M.

This is using the current Bro 1.x branch code.

Thanks for any input you folks can provide.

Randy





More information about the Bro mailing list