[Bro] Traffic characteristics extraction with Bro

Vern Paxson vern at icir.org
Fri Feb 2 17:14:19 PST 2007

> The result is interesting:  for ALL connections, the total size from the 
> ORIGINATOR side is an exact match, but for many connections, my values 
> for the RESPONDER side are higher and the discrepancies depend on the 
> total size.
> Is there a bug, Vern ?

It's likely that the responder side is more likely to retransmit packets.

The usual way to diagnose something like this is pick the largest "offender",
extract the corresponding packet trace, and inspect it by hand.

> 3> I found that handling packet level events (such as tcp_packet) made 
> Bro run out of memory when analyzing a CRedII trace with lots of scans - 
> even if the handler does nothing. Bro works fine, though, if I don't 
> capture these  events.

That certainly suggests a leak.  As we don't use tcp_packet in production
use, we haven't tripped across this before.

> 4> It would be nice if there's an overview explanation about the Bro CC 
> code, for someone who needs to extend or modify the code. Doesn't have 
> to be long, one or 2 pages are fine.

Well, I don't know about "doesn't have to be long" - it is, after all,
more than 100,000 lines of code.  In any case, we're aware that this would
be nice to have, but it's in fact a great deal of work, beyond our present
resources (since we're funded primarily for research rather than development).

> Also it would be great if  we have 
> a page for people to share useful policy/scripts files.

We have the beginnings of this in


though at present we do not provide public edit-access to the Wiki, but
rather populate this based on contributions folks send us.  Alternatively,
one can use the mailing list for this, until a contribution is developed
and stable enough to merit widespread use.

> 5> I really like the Bro language and is learning a lot from Bro.  
> Thanks for creating such a wonderful tool.

Very pleased to hear it!


More information about the Bro mailing list