[Bro] using Bro as traffic analyzer.
xydarcher at 163.com
Mon Dec 5 03:33:17 PST 2011
>> I want to match tcp handshake pairs and record the intervals between
>> each SYN and SYN-ACK pairs with their arrival time. At the same time,
>> roughly packet loss rate (vs different timescales) should be calculated
>> by tcp retransmission rate. It is a statistical analysis on network
>> traffic that would be processed by .bro files i think. some of them
>> are similar with functions already existed. Would you please give me
>> some notes on which files i should start with?
>Yes, you're right. This sort of analysis can be entirely done at the
>scripting layer, i.e., it only involves *.bro scripts.
>Bro reassembles the full TCP byte stream. When you deal with connection
>data, duplicates/retransmission are already removed. If you want to
>compute round-trip times at the packet level, you can write a handler
>for the events new_connection (which is generated for every new
>SYN packet) and connection_established (which is generated for a
>successful TCP handshake after a SYN-ACK).
>For retransmissions, have a look at the events: rexmit_inconsistency,
>content_gap, and gap_report. Unfortunately I cannot provide more
>detailed information other than pointing you to our ongoing
>documentation effort in the git repository:
> git clone git://git.bro-ids.org/bro.git
> git checkout topic/script-reference
> less src/event.bif
>Maybe others can chime in and give you further guidance.
>(Also, to measure system/NIC capture loss, there is
>> btw: I read the document and find that all C/C++ code is designed
>> for decoding packets. bro files take charge in statistal or general
>> processing. Is it right? Any general pictures were provided in bro?
>That's correct. Packet "decoding" is done at the Bro core. Bro
>reassembles the TCP byte stream and presents it as a connection to the
>user. You may find our workshop materials helpful to better understand
>the architecture of Bro: http://www.bro-ids.org/bro-workshop-2011
Thank you very much. It is very useful!
More information about the Bro