[Bro] TCP Flow Packet Counts

Gregor Maier gregor at icir.org
Thu Nov 4 14:06:20 PDT 2010


The current version of the analy Analyzer isn't working for this.
Only packets containing TCP payload are passed to the stats analyzer.

I have a branch that, among other things, also correctly tracks packets
and bytes on the wire (Bro's conn.log sizes are based on sequence
numbers). I can sent you a pointer to the branch if you want to. Note,
however, that my branch tracks a bunch of other things per connection
(including window size, handshake TTL, TCP options, etc., so it need
more state per connection.
OTOH, I was planning on integrating just the size counter into Bro
anyway. If you are interested in that, I can move that topic up on my
priority list....


On 11/3/10 13:49 , Bryce Boe wrote:
> Hi,
> I'm trying to write a simple bro policy script that uses the default
> TCP policy output format, with the addition of packet counts per flow
> in each direction. For that I'm actually modifying the analy.bro
> script, however I've noticed that with my sample trace, the originator
> packet count is almost always zero. How can I get the endpoint_status
> to accurately reflect the number of packets sent in both directions
> for the flow? Also am I safe to assume that the number of bytes sent
> in each direction are correct in the endpoint structure?

> I tried to trace this problem down a bit and determined that when
> Analyzer::DeliverPacket calls the class's DeliverPacket method, only a
> fraction of the time does it go to TCPStats_Analyzer::DeliverPacket
> method whereas the remainder of the time the
> TCP_Analyzer::DeliverPacket method is called. Thus this leads me to
> believe that many of the packets don't have the correct Analyzer class
> (TCPStats_Analyzer) associated with it, however I am not sure how to
> fix this problem. Any help would be greatly appreciated.

Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704

More information about the Bro mailing list