[Bro] How to count concurrent connections
robin at icir.org
Thu Oct 11 10:45:53 PDT 2007
On Thu, Oct 11, 2007 at 15:03 +0200, Bernhard Ager wrote:
> So my question now is: which events are thrown when exactly?
The event you're looking for is new_connection(). That one is raised
for all connections for which Bro instantiates internal state, i.e.,
it's the counterpart of connection_state_remove().
The other connection events are only raised for a subset of all
connections. connection_established() for those with a full 3w
handshake, connection_finished() for regular tear-downs,
connection_reset() for connection aborted with a reset, etc.
> Is there
> a way to just query for the size of the bro-internal connection
Actually there is: the built-in resource_usage() returns a record
which, among other stuff, contains the numbers of TCP, UDP, ICMP
connections in memory. Caveat: I'm just realizing that this
reporting doesn't take the connection-compressor into account, which
means that by default the values will be too small for TCP
connections. Turning off the compressor with
use_connection_compressor=F will fix that for the cost of some
performance decrease (both cpu and memory).
> BTW: I am using a header trace. In my opinion this shouldn't make a
> difference, but maybe ...
No, it shouldn't.
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro