[Bro] how to measure size of data that transfer in connection?

hossein talebi talebihossain at gmail.com
Sat Nov 8 12:37:28 PST 2008


Hi
my problem is not filtering but obtaining the accurate size of the
transferred bytes
i have checked these policies, applied them a lot and understand them
completely
but applying the conn policy on 2 tcpdump files (one that includes all of the
packet headers and the other that includes only SYN,SYN_ACK,FIN packet headers)
gives different results
why????
thanks
On Sat, Nov 8, 2008 at 11:25 PM, rmkml <rmkml at free.fr> wrote:

> Hi hossein,
> have you checked policy/conn.bro|load conn|conn.log ?
> example:
> 1225897841.708954 0.110102 10.100.11.8 192.168.25.192 https 44642 443 tcp
> 926 3545 SF X
> (926 and 3545)
> for only tcp flags SYN,SYN-ACK,FIN: add tcpdump filter on bro cmd line ?
> Regards
> Rmkml
> Crusoe-Researches.com
>
> On Sat, 8 Nov 2008, hossein talebi wrote:
>
>> Date: Sat, 8 Nov 2008 22:21:29 +0330
>> From: hossein talebi <talebihossain at gmail.com>
>> To: Bro-ids <bro at bro-ids.org>
>> Subject: [Bro] how to measure size of data that transfer in connection?
>>
>>
>> Hi
>>
>> i want to measure the size of data that is transferred per side (how many
>> bytes received and how many sent)
>>
>> I have downloaded one file with size: almost 4MB
>> and captured it with tcpdump (only with filtering on tcp header and on my
>> IP )
>> and the sum of received data in connections is almost 4MB (this sum has been
>> measured in Bro via the endpoint size field in the connection)
>> then i filtered the same tcpdump output only for tcpflags (SYN,SYN-ACK,FIN)
>> and saved it in pcap format
>> and the sum of received data in connections is almost 1MB
>>
>> i don't know the reason for this discrepancy
>> i really need to measure the size of data transferred per side of a
>> connection while i have filtered the network traffic only
>> for SYN,SYN-ACK,FIN packet headers
>>
>> how can i solve this problem?
>>
>> please help me
>> thanks
>> --
>> Talebi Mazraeh Shahi Hossein
>>
>>


-- 
Talebi Mazraeh Shahi Hossein
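Added example, not part of this thread or of Bro's own code: a small script that measures per-side transfer size from a pcap in the two ways this thread touches on, summing the TCP payload bytes actually captured, and estimating from sequence numbers (FIN sequence minus the SYN's initial sequence number minus one, the approach Bro's documentation describes for TCP endpoint sizes in conn.log). It builds a constructed one-connection capture inline (100-byte request, 3000-byte response, clean FIN close, hypothetical hosts 10.0.0.1 and 10.0.0.2) and then runs both measurements over the full capture and over a copy reduced to SYN/SYN-ACK/FIN packets, the way a `tcpflags` capture filter would reduce it. The pcap reader, frame builder and function names are assumptions of this example, not Bro APIs.

```python
"""Measure per-direction TCP transfer size from a pcap two ways:
1. summing the TCP payload bytes actually seen (needs every data packet), and
2. estimating from sequence numbers, FIN.seq - ISN - 1 (needs only SYN/FIN).
A constructed one-connection capture is built inline so this runs offline."""
import struct

SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08


def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; not needed here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, ethertype IPv4
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames into a classic libpcap file image (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1226000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield raw frames from a little-endian libpcap image (minimal reader)."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "unexpected pcap magic"
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, flags, payload_len) or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    doff = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]
    return src, dst, sport, dport, seq, flags, total_len - ihl - doff


def measure(pcap_bytes):
    """Per direction ('orig' = side that sent the SYN, 'resp' = the other side):
    summed payload bytes, and the sequence-number estimate (None if SYN or FIN missing)."""
    payload = {"orig": 0, "resp": 0}
    isn, fin_seq, orig_ep = {}, {}, None
    for frame in read_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, seq, flags, plen = p
        ep = (src, sport)
        if flags & SYN and not flags & ACK:
            orig_ep = ep
        side = "orig" if ep == orig_ep else "resp"
        payload[side] += plen
        if flags & SYN:
            isn[side] = seq
        if flags & FIN:
            fin_seq[side] = seq + plen  # the FIN sits in the slot after any data it carries
    estimate = {}
    for side in ("orig", "resp"):
        if side in isn and side in fin_seq:
            estimate[side] = (fin_seq[side] - isn[side] - 1) & 0xFFFFFFFF
        else:
            estimate[side] = None
    return payload, estimate


C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)  # constructed client and server


def conversation():
    """Constructed single download: 100 B request, 3000 B response, clean FIN close."""
    return [
        build_frame(C[0], S[0], C[1], S[1], 1000, 0, SYN),
        build_frame(S[0], C[0], S[1], C[1], 5000, 1001, SYN | ACK),
        build_frame(C[0], S[0], C[1], S[1], 1001, 5001, ACK | PSH, b"G" * 100),
        build_frame(S[0], C[0], S[1], C[1], 5001, 1101, ACK, b"R" * 1500),
        build_frame(S[0], C[0], S[1], C[1], 6501, 1101, ACK | PSH, b"R" * 1500),
        build_frame(C[0], S[0], C[1], S[1], 1101, 8001, FIN | ACK),
        build_frame(S[0], C[0], S[1], C[1], 8001, 1102, FIN | ACK),
    ]


def control_only(frames):
    """Mimic a capture filter that keeps only packets with SYN or FIN set."""
    return [f for f in frames if parse_tcp(f)[5] & (SYN | FIN)]


FULL = write_pcap(conversation())
FILTERED = write_pcap(control_only(conversation()))

if __name__ == "__main__":
    for name, cap in (("full capture", FULL), ("syn/fin only", FILTERED)):
        print(name, measure(cap))
```

On the full capture both methods agree (100 bytes out, 3000 bytes back). On the SYN/FIN-only capture the payload sum drops to zero because no data packets survive the filter, while the sequence-number estimate is unchanged; the estimate itself becomes None for any connection whose SYN or FIN was not captured (for example a connection torn down by RST), which is one thing to check when a control-packet-only capture under-reports.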