[Bro] Using BRO for measuring TCP flow bandwidth
vern at icir.org
Sun Aug 22 15:38:07 PDT 2010
> My question is why does BRO appear to behave differently when reading from a
> tcpdump or an interface. Kindly advice.
It's not clear to me just why you're seeing the difference. The symptoms
suggest that the live run is using a different packet filter (in particular,
the default SYN/FIN/RST-only filter), and thus after the connection is
established, there's no input to update things further. However, if so
then you should have that same effect running on the trace.
You could test for this by running with a filter "-f tcp", which will
capture all TCP packets.
Note that your script misuses the connection_established event. It's not
meant to be generated at the script-level, and the semantics of executing
it again 5 seconds in the future are undefined. (Also, timing for executing
such scheduled events is actually driven by the arrival of traffic, so
that would be another potential difference between the live execution vs.
the trace one. But again I don't offhand see why it would lead to different
More information about the Bro