[Bro] Traffic characteristics extraction with Bro
Duc T Ha
ducha at cse.buffalo.edu
Fri Jan 26 08:04:59 PST 2007
Thank you all for the tips.
For those who are interested, here're some observations:
1> I used "tcp_packet" event to capture packets. To test this event, I
summed up all packet sizes from the input argument "len" and "is_orig"
for each flow. Finally, I compared the sum values (for both directions)
with the values returned by "conn_size", as in the analy.bro
The result is interesting: for ALL connections, the total size from the
ORIGINATOR side is an exact match, but for many connections, my values
for the RESPONDER side are higher and the discrepancies depend on the
Is there a bug, Vern?
2> Applying a similar method for event "new_packet" (using the field "dl"
in tcp_hdr) gave me discrepancies of tenfold, for each direction.
So I guess tcp_packet is more suitable :), although I don't know why.
3> I found that handling packet level events (such as tcp_packet) made
Bro run out of memory when analyzing a CRedII trace with lots of scans -
even if the handler does nothing. Bro works fine, though, if I don't
capture these events.
4> It would be nice if there's an overview explanation about the Bro CC
code, for someone who needs to extend or modify the code. Doesn't have
to be long, one or 2 pages are fine. Also it would be great if we have
a page for people to share useful policy/scripts files. I'd be happy to
5> I really like the Bro language and am learning a lot from Bro.
Thanks for creating such a wonderful tool.
Vern Paxson wrote:
>> I am trying to extract some flow characteristics from static data with
>> Bro. I've checked the analyzer Conn.bro, but didn't find any suitable
> Check out analy.bro, which does this sort of analysis on whatever connections
> Bro is processing (so you need to load additional scripts to capture the
> packets of interest). You may need to extend it by editing
> TCPStats_Endpoint::DataSent in TCP.cc.
>> At present, the characteristics I need are: mean packet size and mean
>> packet inter-arrival time, all per flow.
> Note, if you just want means, then you can track this quite cheaply.
> (And mean inter-arrival time is just duration divided by number of packets.)
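As an added example (not Bro code, and not from either poster), here is the cheap per-flow tracking the reply describes, written in Python over constructed packet events shaped like the tcp_packet arguments (timestamp, connection id, is_orig, len), together with the sum-versus-connection-total check the original poster ran against conn_size. The connection totals are a constructed stand-in for whatever a separate connection analyser reports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ConnId = Tuple[str, int, str, int]  # (orig_h, orig_p, resp_h, resp_p)

@dataclass
class FlowStats:
    # index 0 = originator direction, 1 = responder direction (mirrors is_orig)
    pkts: List[int] = field(default_factory=lambda: [0, 0])
    nbytes: List[int] = field(default_factory=lambda: [0, 0])
    first_ts: float = float("inf")
    last_ts: float = float("-inf")

    def add(self, ts: float, is_orig: bool, length: int) -> None:
        d = 0 if is_orig else 1
        self.pkts[d] += 1
        self.nbytes[d] += length
        self.first_ts = min(self.first_ts, ts)
        self.last_ts = max(self.last_ts, ts)

    def mean_size(self, is_orig: bool) -> float:
        d = 0 if is_orig else 1
        return self.nbytes[d] / self.pkts[d] if self.pkts[d] else 0.0

    def mean_iat(self) -> float:
        # Exact mean of the n-1 gaps; for long flows this is ~ duration / n.
        n = self.pkts[0] + self.pkts[1]
        return (self.last_ts - self.first_ts) / (n - 1) if n > 1 else 0.0

def aggregate(packets) -> Dict[ConnId, FlowStats]:
    flows: Dict[ConnId, FlowStats] = {}
    for ts, cid, is_orig, length in packets:
        flows.setdefault(cid, FlowStats()).add(ts, is_orig, length)
    return flows

def check_totals(flows, conn_totals):
    """Compare per-direction byte sums with an independent per-connection
    total (as the poster did against conn_size); return flows that disagree."""
    mismatches = {}
    for cid, st in flows.items():
        expected = conn_totals.get(cid, (0, 0))
        if (st.nbytes[0], st.nbytes[1]) != expected:
            mismatches[cid] = ((st.nbytes[0], st.nbytes[1]), expected)
    return mismatches

# Constructed sample: two flows as (ts, conn id, is_orig, payload len)
CID_A: ConnId = ("10.0.0.1", 40000, "10.0.0.2", 80)
CID_B: ConnId = ("10.0.0.3", 40001, "10.0.0.2", 80)
PACKETS = [(1.0, CID_A, True, 100), (1.5, CID_A, False, 300),
           (2.0, CID_A, True, 50), (3.0, CID_A, False, 700),
           (5.0, CID_B, True, 40), (5.2, CID_B, False, 0)]
CONN_TOTALS = {CID_A: (150, 1000), CID_B: (40, 60)}  # constructed analyser totals
```

Running `check_totals(aggregate(PACKETS), CONN_TOTALS)` flags only CID_B, whose responder-side total disagrees with the packet-level sum, which is the kind of per-direction discrepancy the post reports.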