[Bro] Bytes in conn.log is way too large
gregor at net.t-labs.tu-berlin.de
Fri Nov 2 12:44:56 PDT 2007
> I also tried it on a second trace. This one had both directions. 600GB
> IP data and conn.log reported 1.9TB. The total # of connections in the
> trace is 29M. Of these 62.000 are larger than 1GB. From these large
> flows only XXX were terminated without RSTs.
Sorry, I sent the mail too early:
of the 29M connections, 628 are > 1GB and of those 487 are terminated
with a RST.
A lot of these large connections furthermore had very short durations
(<<1 sec) and had only "traffic" in one direction.
What about adding some sanity checks, so that the byte values are
meaningful even if not using large-conns.bro? Otherwise one cannot rely
on the byte values in conn.log at all.
Maybe such checks could be:
* a "maximum bandwidth" a connection must not exceed
* require that bytes/packets are seen in both directions
Gregor Maier gregor at net.t-labs.tu-berlin.de
TU Berlin / Deutsche Telekom Labs gregor.maier at tu-berlin.de
Sekr. TEL 4, FG INET www.net.t-labs.tu-berlin.de
10587 Berlin, Germany
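As an added illustration (not code from the post or from Bro itself), the two proposed sanity checks applied to conn.log-style records: a per-connection bandwidth ceiling and a requirement that bytes were seen in both directions. The column layout, the sample records and the 10 Gbit/s ceiling are assumptions, not Bro's real conn.log format.

```python
# Assumed ceiling: no single connection can exceed a 10 Gbit/s link,
# expressed in bytes per second.
MAX_BPS = 10 * 1024**3 / 8

# Constructed sample in an assumed whitespace-separated layout:
# ts duration orig_h resp_h orig_bytes resp_bytes state
SAMPLE_CONN_LOG = """\
# ts duration orig_h resp_h orig_bytes resp_bytes state
1194032000.1 0.002 10.0.0.1 10.0.0.2 1500000000 0 RSTO
1194032001.5 120.0 10.0.0.3 10.0.0.4 1400000000 25000000 SF
1194032002.7 0.5 10.0.0.5 10.0.0.6 2000000000 3000 RSTR
1194032003.0 3.0 10.0.0.7 10.0.0.8 800 1200 SF
"""


def parse_conn_log(text):
    """Turn the assumed conn.log layout into a list of dicts, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, dur, orig_h, resp_h, ob, rb, state = line.split()
        records.append({"ts": ts, "duration": float(dur), "orig_h": orig_h,
                        "resp_h": resp_h, "orig_bytes": int(ob),
                        "resp_bytes": int(rb), "state": state})
    return records


def check_record(rec, max_bps=MAX_BPS):
    """Return the list of sanity checks the record fails (empty = plausible)."""
    reasons = []
    total = rec["orig_bytes"] + rec["resp_bytes"]
    # Check 1: implied bandwidth must not exceed the link ceiling.
    if rec["duration"] > 0 and total / rec["duration"] > max_bps:
        reasons.append("exceeds maximum bandwidth")
    elif rec["duration"] == 0 and total > 0:
        reasons.append("bytes reported for zero-duration connection")
    # Check 2: byte counts must be backed by traffic in both directions.
    if rec["orig_bytes"] == 0 or rec["resp_bytes"] == 0:
        reasons.append("traffic seen in one direction only")
    return reasons


def flag_records(text, max_bps=MAX_BPS):
    """Map timestamp -> failed checks for every implausible record in text."""
    flagged = {}
    for rec in parse_conn_log(text):
        reasons = check_record(rec, max_bps)
        if reasons:
            flagged[rec["ts"]] = reasons
    return flagged
```

Records that fail a check are the ones whose byte values should not be trusted without large-conns.bro; the RST-terminated, sub-second, one-directional flows described in the mail fail both checks.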