[Bro] Using BRO for measuring TCP flow bandwidth

Harkeerat Bedi hsbedi at memphis.edu
Mon Aug 30 02:20:55 PDT 2010

Thank you Sridhar for your feedback and time. I am still working on this
problem. To recall, in my case BRO seemed to be behaving differently when
reading from a live interface or a TCPDUMP.

My previous experiment setup was as follows.

Node1 (Client) <------>   Node2 (running BRO) < ------ > Node3 (Server)

Node1 (the client) was sending TCP traffic to Node3 (the server) via Node2
(which is running BRO). And the output of BRO on this live traffic was not
as expected. However, if I ran BRO on the TCPDUMP of the same traffic the
output was as expected. (As shown in my previous email).

Now, as I was experimenting, I noticed that if I rearrange the experiment as

Node1 (Client) <------> Node2 (Server + running BRO)

I obtain the results as I wanted even on live traffic. I am able to obtain
the periodically updated duration and sizes which then I use to calculate
the bitrate.

I was wondering, is the difference in behavior observed by BRO related to
its location in the network?
(In Setup1 it was an intermediate node, where as in Setup2 it is the
terminal node.)
Kindly provide your feedback if this makes any sense of gives any clues.

Regarding your suggestion, I understand what you are implying, however I am
not sure how to do it. Is it possible for you to provide me with a snippet
of code so that I can follow it?

Thank you in advance.

Harkeerat Bedi

On Mon, Aug 23, 2010 at 5:02 AM, sridhar basam <sridhar.basam at gmail.com>wrote:

> Sorry, i don't know why you are seeing a difference between the live and
> offline trace.
> Here is something i have used in the past to look at similar things you are
> trying to get at. I expanded the connection structure to include a last
> recorded timestamp. Then use the new_packet or tcp_packet event to compare
> network_time to the last recorded time (or connection close) to do the
> printing vs the timer event.
>  Sridhar
> On Sun, Aug 22, 2010 at 6:38 PM, Vern Paxson <vern at icir.org> wrote:
>> > My question is why does BRO appear to behave differently when reading
>> from a
>> > tcpdump or an interface. Kindly advice.
>> It's not clear to me just why you're seeing the difference.  The symptoms
>> suggest that the live run is using a different packet filter (in
>> particular,
>> the default SYN/FIN/RST-only filter), and thus after the connection is
>> established, there's no input to update things further.  However, if so
>> then you should have that same effect running on the trace.
>> You could test for this by running with a filter "-f tcp", which will
>> capture all TCP packets.
>> Note that your script misuses the connection_established event.  It's not
>> meant to be generated at the script-level, and the semantics of executing
>> it again 5 seconds in the future are undefined.  (Also, timing for
>> executing
>> such scheduled events is actually driven by the arrival of traffic, so
>> that would be another potential difference between the live execution vs.
>> the trace one.  But again I don't offhand see why it would lead to
>> different
>> results.)
>>                Vern
> --
> Sridhar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100830/83dc96ca/attachment.html 

More information about the Bro mailing list