[Bro] Bytes in conn.log is way to large

Gregor Maier gregor at net.t-labs.tu-berlin.de
Fri Nov 2 12:44:56 PDT 2007

> I also tried it on a second trace. This one had both directions. 600GB
> IP data and conn.log reported 1.9TB. The total # of connections in the
> trace is 29M. Of these 62.000 are larger than 1GB. From these large
> flows only XXX were terrminated without RSTs.

sorry, I sent the Mail too early:

of the 29M connections, 628 are > 1GB and of those  487 are terminated
with a RST.
A lot of these large connections furthermore had very short duratinos
(<<1sec) and had only "traffic" in one direction.

What about adding some sanity checks, so that the byte values are
meaningful even if not using large-conns.bro? Otherwise one cannot rely
at the byte values in conn.log at all.
Maybe such checks could be:
* a "maximum bandwidth" a connection must not exceed
* require that bytes/packets are seen in both directions


Gregor Maier                             gregor at net.t-labs.tu-berlin.de
TU Berlin / Deutsche Telekom Labs             gregor.maier at tu-berlin.de
Sekr. TEL 4, FG INET                        www.net.t-labs.tu-berlin.de
Ernst-Reuter-Platz 7
10587 Berlin, Germany

More information about the Bro mailing list