[Bro] Fwd: how to measure size of data that transfer in connections (SYN FIN RST)?

hossein talebi talebihossain at gmail.com
Mon Nov 10 04:19:31 PST 2008


Hi,

I want to measure the size of the data transferred per side of a connection (how much is received and how much is sent).

I downloaded one file of almost 4 MB and captured it with tcpdump (filtering only on the TCP header and on my IP), and the sum of the received data in the connections is almost 4 MB (this sum was measured in Bro via the endpoint size field of the connection).
Then I filtered the same tcpdump output for only the TCP flags (*SYN, RST, FIN*) and saved it in pcap format, and the sum of the received data in the connections is almost 1 MB.

(I ran tcpdump while the 4 MB file was downloading with the following filter:
"tcpdump -w pcapfile1 'tcp and host <MY IP ADDRESS>'"
then I applied filtering on pcapfile1:
"tcpdump -r pcapfile1 -w pcapfile2 'tcp[tcpflags]&(tcp-syn|tcp-fin|tcp-rst)!=0'"
then I measured the size of the data with Bro version 1.2.1,
but the results are different (on pcapfile1 it is 4 MB and on pcapfile2 it is 1 MB).
OS: Linux (Fedora Core 8))
You can perform this work yourself and measure the sum of data received for the two files.

I don't know the reason for this discrepancy.
I really need to measure the size of the data transferred per side of a connection while I have filtered the network traffic only for *SYN, RST, FIN packet headers*.

How can I solve this problem?

Please help me.
Thanks

-- 
Talebi Mazraeh Shahi Hossein
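Added example, not from the post above and not Bro's own code: it contrasts two ways of sizing each side of a TCP connection on constructed packet records, summing payload lengths (needs every data packet) versus inferring the byte count from the SYN and FIN sequence numbers (still possible after a capture has been reduced to SYN/FIN/RST packets, as with the tcpdump filter quoted in the post). The packet tuples, host names "C"/"S" and flag letters are assumptions made up for the example; it also shows the case where a connection is torn down by RST and no FIN is available.

```python
from collections import namedtuple

# Constructed packet records, not a real capture: sender, receiver, TCP flag
# letters (S=SYN, A=ACK, F=FIN, R=RST), sequence number, payload length.
Pkt = namedtuple("Pkt", "src dst flags seq payload")
SYN, FIN, RST = "S", "F", "R"
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def payload_sum(pkts):
    """Bytes per sender counted from payload lengths; needs all data packets."""
    totals = {}
    for p in pkts:
        totals[p.src] = totals.get(p.src, 0) + p.payload
    return totals

def seq_size(pkts):
    """Bytes per sender inferred from sequence space: FIN.seq - ISN - 1.
    Works on a SYN/FIN/RST-only capture; None if that sender sent no FIN."""
    isn, fin = {}, {}
    for p in pkts:
        if SYN in p.flags:
            isn.setdefault(p.src, p.seq)  # initial sequence number
        if FIN in p.flags:
            fin[p.src] = p.seq
    return {src: ((fin[src] - start - 1) % SEQ_MOD if src in fin else None)
            for src, start in isn.items()}

def keep_control_only(pkts):
    """Emulates 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'."""
    return [p for p in pkts if set(p.flags) & {SYN, FIN, RST}]

# Constructed flow: client C requests 100 bytes, server S answers with 3*1460.
FULL = [
    Pkt("C", "S", "S", 1000, 0),      # client SYN, ISN 1000
    Pkt("S", "C", "SA", 5000, 0),     # server SYN/ACK, ISN 5000
    Pkt("C", "S", "A", 1001, 100),    # request
    Pkt("S", "C", "A", 5001, 1460),   # response data
    Pkt("S", "C", "A", 6461, 1460),
    Pkt("S", "C", "A", 7921, 1460),
    Pkt("S", "C", "FA", 9381, 0),     # server FIN: 5001 + 3*1460
    Pkt("C", "S", "FA", 1101, 0),     # client FIN: 1001 + 100
]
# Same flow, but aborted with RST instead of a FIN handshake.
RST_END = FULL[:6] + [Pkt("S", "C", "RA", 9381, 0)]

if __name__ == "__main__":
    for name, cap in (("full", FULL), ("syn/fin/rst only", keep_control_only(FULL)),
                      ("rst teardown, syn/fin/rst only", keep_control_only(RST_END))):
        print(name, "payload:", payload_sum(cap), "seq:", seq_size(cap))
```

On the filtered capture the payload sums collapse to zero while the sequence-number estimate is unchanged, and the RST-terminated flow yields no estimate at all because no FIN was ever sent.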