[Bro] how to measure size of data that transfer in connection?
talebihossain at gmail.com
Sat Nov 8 12:37:28 PST 2008
my problem is not filtering but my problem is obtain accurate size of
i have checked these policies and apply very much and understand them
but apply conn policy on 2 tcpdump file(that one include all of packet
headers and other include only SYN,SYN_ACK,FIN packet headers) have
On Sat, Nov 8, 2008 at 11:25 PM, rmkml <rmkml at free.fr> wrote:
> Hi hossein,
> do you have checked policy/conn.bro|load conn|conn.log ?
> 1225897841.708954 0.110102 10.100.11.8 192.168.25.192 https 44642 443 tcp
> 926 3545 SF X
> (926 and 3545)
> for only tcp flags SYN,SYN-ACK,FIN: add tcpdump filter on bro cmd line ?
> On Sat, 8 Nov 2008, hossein talebi wrote:
> Date: Sat, 8 Nov 2008 22:21:29 +0330
>> From: hossein talebi <talebihossain at gmail.com>
>> To: Bro-ids <bro at bro-ids.org>
>> Subject: [Bro] how to measure size of data that transfer in connection?
>> i want measure size of data thet transfer in per side(how many recieve and
>> how many send)
>> I have downloaded one file with size:almost 4MB
>> and capture its with tcpdump(only with filtering on tcp header and on my
>> IP )
>> and sum of received data in connections almost is:4MB (this sum have been
>> measured in Bro via field of endpoint size in connection)
>> then i filter same output of tcpdump only for tcpflags(SYN,SYN-ACK,FIN)
>> and save with pcap format
>> and sum of received data in connections almost is:1MB
>> i don't know reason of this repugnance
>> i need measure size of data that transfer in per side of connection realy
>> while i have filter network traffic only
>> for SYN,SYN-ACK,FIN packet header
>> how to solve this problem?
>> please help me
>> Talebi Mazraeh Shahi Hossein
Talebi Mazraeh Shahi Hossein
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro