[Bro] Using BRO for measuring TCP flow bandwidth
vern at icir.org
Mon Aug 30 15:52:01 PDT 2010
> Which is the main event handler in BRO that "usually" updates the
> c$duration, c$orig$size and c$resp$size variables of the connection object?
It does so on any connection_* event that it generates. However, in between
those events, the variables are *not* updated. (That is, their updates
are driven by the generation of the events.)
Looking at the code, it appears that the new_packet event will also spur
an update, so capturing that should suffice.
In addition, there's a connection_status_update(c: connection) event that
you can turn on by defining a handler for it, and by setting
connection_status_update_interval to a positive time interval (e.g., "1 sec").
That will then be generated periodically at the given interval.
> 2. Regarding your suggestion on my use and invocation of the
> connection_established event, I have made some changes to my policy file and
> attached the same to this mail. Can you kindly provide your feedback on
The way you structured it now looks good, modulo the consideration above
of when the variables actually get updated. That said, just using
connection_status_update directly would be simpler.
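As an added illustration (not part of Vern's reply and not code from the Bro project), here is a policy script that takes the second suggestion literally: it turns on the periodic connection_status_update event and reports per-direction throughput from the change in c$orig$size and c$resp$size between consecutive updates. Bro 1.x script syntax is assumed; the table names and the one-second interval are choices made for the example.

```bro
# Added example: per-connection throughput from the periodic
# connection_status_update event. Assumes Bro 1.x policy-script syntax.

# Ask Bro to generate connection_status_update for every live
# connection once per second (the default interval of 0 secs disables it).
redef connection_status_update_interval = 1 sec;

# Byte counts seen at the previous update, indexed by connection id, so
# that the delta between two updates is the traffic moved in that interval.
global last_orig: table[conn_id] of count &default = 0;
global last_resp: table[conn_id] of count &default = 0;

event connection_status_update(c: connection)
	{
	# c$orig$size / c$resp$size are only refreshed when Bro generates an
	# event for the connection; this handler guarantees one per interval.
	local d_orig = c$orig$size - last_orig[c$id];
	local d_resp = c$resp$size - last_resp[c$id];
	last_orig[c$id] = c$orig$size;
	last_resp[c$id] = c$resp$size;

	# Bytes per second over the last interval, one figure per direction.
	local secs = interval_to_double(connection_status_update_interval);
	print fmt("%s %s:%s -> %s:%s  orig %.1f B/s  resp %.1f B/s  (dur %s)",
	          network_time(), c$id$orig_h, c$id$orig_p,
	          c$id$resp_h, c$id$resp_p,
	          d_orig / secs, d_resp / secs, c$duration);
	}

# Drop the bookkeeping when Bro discards the connection's state, which
# covers normal close, reset and timeout alike.
event connection_state_remove(c: connection)
	{
	delete last_orig[c$id];
	delete last_resp[c$id];
	}
```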