[Bro] TCP Flow Packet Counts

Bryce Boe bboe at cs.ucsb.edu
Wed Nov 3 13:49:02 PDT 2010


I'm trying to write a simple bro policy script that uses the default
TCP policy output format, with the addition of packet counts per flow
in each direction. For that I'm actually modifying the analy.bro
script; however, I've noticed that with my sample trace, the originator
packet count is almost always zero. How can I get the endpoint_status
to accurately reflect the number of packets sent in both directions
for the flow? Also, am I safe to assume that the number of bytes sent
in each direction is correct in the endpoint structure?

I tried to trace this problem down a bit and determined that when
Analyzer::DeliverPacket calls the class's DeliverPacket method, only a
fraction of the time does it go to the TCPStats_Analyzer::DeliverPacket
method, whereas the remainder of the time the
TCP_Analyzer::DeliverPacket method is called. This leads me to
believe that many of the packets don't have the correct Analyzer class
(TCPStats_Analyzer) associated with them; however, I am not sure how to
fix this problem. Any help would be greatly appreciated.

Bryce Boe
