[Bro] Fwd: Flow Statistics in BRO

Danny Nechay d.nechay at gmail.com
Wed Oct 10 14:39:46 PDT 2007


Hi,

When I run that command I get the following output (a sample):

1185209476.627097 weird: spontaneous_RST
1185209476.630111 weird: spontaneous_RST
1185209476.947233 weird: above_hole_data_without_any_acks
1185209478.283928 weird: spontaneous_FIN
1185209478.798191 weird: above_hole_data_without_any_acks
1185209479.339797 weird: spontaneous_RST
1185209479.943993 weird: spontaneous_RST
1185209480.904227 weird: spontaneous_FIN
1185209481.648424 weird: above_hole_data_without_any_acks

When I was talking about flow statistics, I was looking more for statistics
such as total number of packets, average packet size, total bytes, total
header (transport plus network layer) bytes, number of caller to callee
packets, total caller to callee bytes, total caller to callee payload bytes,
total caller to callee header bytes, number of callee to caller packets,
total callee to caller payload bytes, and total callee to caller header bytes.

Also, as an aside, do you know why there are these weird addresses in the
scan.bro file? Whenever I run "bro -r tracefile tcp" it always starts
with the following lines:

/usr/local/bro/policy/scan.bro, line 92: warning: no such host:
j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host:
j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
wm3018.inktomi.com
line 1: warning: event handlers never invoked:
line 1: warning:         account_tried

Thanks.

Daniel.


On 10/10/07, Robin Sommer <robin at icir.org> wrote:
>
>
> On Wed, Oct 10, 2007 at 15:40 -0400, Danny Nechay wrote:
>
> > I have a trace file (from using TCPdump) and I would like to know how to
> > get the flow statistics of this file using BRO (i.e. what would be the
> > command line argument).
>
> "bro -r trace tcp" should do it if you're only concerned about TCP.
> For UDP and ICMP add "udp" and "icmp" to the command line,
> respectively.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
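The counters Danny lists (packets, total bytes, network plus transport header bytes, payload bytes, each split by direction) can be computed directly from the tcpdump trace without Bro. The script below is an added example written for this page; it is not code from the thread or from the Bro project. It parses the pcap container and the Ethernet/IPv4/TCP headers with nothing but `struct`, groups packets into bidirectional flows, and takes the sender of the first packet of a flow as the "caller" (what Bro calls the connection originator, with the other side the responder). The sample trace is constructed inline, checksums in it are left zero, and all function and field names are my own choices.

```python
"""Per-flow TCP statistics from a pcap, in pure Python (struct only).

Added example, not Bro code. 'orig' is the sender of the flow's first
packet (the caller); 'resp' is the other side (the callee).
"""
import struct
from typing import Dict, Iterator, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]

# pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def make_tcp_frame(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left 0; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                           # 14 bytes, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, flags, 65535, 0, 0) + payload    # 20-byte header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                     0, 0, 64, 6, 0, _ip(src), _ip(dst))       # IHL=5, proto 6 = TCP
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw frames in a little-endian pcap, one record per frame."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1185209476 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_pcap_records(data: bytes) -> Iterator[Tuple[bytes, int]]:
    """Yield (captured bytes, original wire length) for each pcap record."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the record headers
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl], orig
        off += incl


def _empty() -> Dict[str, int]:
    return {"packets": 0, "bytes": 0, "hdr_bytes": 0, "payload_bytes": 0}


def flow_stats(pcap: bytes) -> Dict[FlowKey, dict]:
    """Aggregate per-TCP-flow counters, in total and per direction."""
    flows: Dict[FlowKey, dict] = {}
    for frame, wire_len in iter_pcap_records(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                     # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:
            continue                                     # not TCP (UDP/ICMP ignored here)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        payload = ip_total - ihl - doff                  # bytes above the TCP header
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)               # same key for both directions
        st = flows.setdefault(key, {"orig": a, "resp": b, "total": _empty(),
                                    "orig_to_resp": _empty(), "resp_to_orig": _empty()})
        direction = "orig_to_resp" if a == st["orig"] else "resp_to_orig"
        for bucket in (st["total"], st[direction]):
            bucket["packets"] += 1
            bucket["bytes"] += wire_len                  # full frame on the wire
            bucket["hdr_bytes"] += ihl + doff            # network + transport headers
            bucket["payload_bytes"] += payload
    return flows


def avg_packet_size(stats: Dict[str, int]) -> float:
    return stats["bytes"] / stats["packets"] if stats["packets"] else 0.0


# Constructed sample trace: one short HTTP-style exchange plus a lone SYN to port 22.
C, S, X = "10.0.0.1", "10.0.0.2", "10.0.0.3"
SAMPLE_FRAMES = [
    make_tcp_frame(C, S, 40000, 80, 0x02),                                # SYN
    make_tcp_frame(S, C, 80, 40000, 0x12),                                # SYN/ACK
    make_tcp_frame(C, S, 40000, 80, 0x10),                                # ACK
    make_tcp_frame(C, S, 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),     # 18-byte request
    make_tcp_frame(S, C, 80, 40000, 0x18, b"HTTP/1.0 200 OK\r\n\r\nhi"),  # 21-byte reply
    make_tcp_frame(C, S, 40000, 80, 0x11),                                # FIN/ACK
    make_tcp_frame(X, S, 5555, 22, 0x02),                                 # unrelated SYN
]

if __name__ == "__main__":
    for key, st in flow_stats(build_pcap(SAMPLE_FRAMES)).items():
        print(st["orig"], "->", st["resp"], st["total"],
              "avg %.1f" % avg_packet_size(st["total"]))
```

To run it on a real tcpdump file, replace `build_pcap(SAMPLE_FRAMES)` with the bytes read from the trace; note that `bytes` counts the original wire length from the record header, so a trace captured with a small snaplen still reports true sizes, while VLAN-tagged or non-Ethernet link types are not handled and would need the EtherType/offset logic extended.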