[Bro] How to count concurrent connections

Robin Sommer robin at icir.org
Thu Oct 11 10:45:53 PDT 2007

On Thu, Oct 11, 2007 at 15:03 +0200, Bernhard Ager wrote:

> So my question now is: which events are thrown when exactly?

The event you're looking for is new_connection(). That one is raised
for all connections for which Bro instantiates internal state, i.e.,
it's the counterpart of connection_state_remove().

The other connection events are only raised for a subset of all
connections. connection_established() for those with a full 3w
handshake, connection_finished() for regular tear-downs,
connection_reset() for connections aborted with a reset, etc.

> Is there
> a way to just query for the size of the bro-internal connection
> tracker?

Actually there is: the built-in resource_usage() returns a record
which, among other stuff, contains the numbers of TCP, UDP, ICMP
connections in memory. Caveat: I'm just realizing that this
reporting doesn't take the connection-compressor into account, which
means that by default the values will be too small for TCP
connections. Turning off the compressor with
use_connection_compressor=F will fix that at the cost of some
performance decrease (both CPU and memory).

> BTW: I am using a header trace. In my opinion this shouldn't make a
> difference, but maybe ...

No, it shouldn't.


Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
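
Added example (not part of the original message, and not code from the Bro distribution): one way to count concurrent connections from the new_connection() / connection_state_remove() pair described above, with a per-transport breakdown and a peak value. The names live, cur, total, peak and peak_time are made up for this sketch, and it assumes the built-in get_port_transport_proto() is available in the Bro version in use.

```bro
# Added example. live, cur, total, peak and peak_time are names made up here.
global live: set[conn_id];     # connections counted and not yet removed
global cur: table[transport_proto] of count &default=0;
global total = 0;              # current number of concurrent connections
global peak = 0;               # highest value total has reached
global peak_time: time;        # network time at which the peak was seen

event new_connection(c: connection)
	{
	if ( c$id in live )
		return;   # never count one connection twice

	add live[c$id];
	local p = get_port_transport_proto(c$id$resp_p);
	cur[p] = cur[p] + 1;
	total = total + 1;

	if ( total > peak )
		{
		peak = total;
		peak_time = network_time();
		}
	}

event connection_state_remove(c: connection)
	{
	if ( c$id !in live )
		return;   # not counted by new_connection() above, so nothing to undo

	delete live[c$id];
	local p = get_port_transport_proto(c$id$resp_p);
	cur[p] = cur[p] - 1;
	total = total - 1;
	}

event bro_done()
	{
	if ( peak > 0 )
		print fmt("peak: %d concurrent connections at %s", peak, peak_time);
	print fmt("counted when bro_done() ran: tcp=%d udp=%d icmp=%d",
	          cur[tcp], cur[udp], cur[icmp]);
	}
```

On Zeek 3.0 and later the bro_done() event is named zeek_done().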

