[Bro] using Bro as traffic analyzer.

James Swaro james.swaro at gmail.com
Mon Dec 5 11:31:00 PST 2011

Correct me if I am wrong, Matthias.

Bro can do most of what you are looking for out of the box. Sampling the
round-trip time of the three-way handshake is doable at scripting level.
You can get bro to output the retransmission data through the tcp_rexmit
event. It does not give detailed information about how the data was
retransmitted but will tell you how many bytes were retransmitted and how
much data was outstanding when the retransmission occurred.

That should be sufficient for what you are looking for.

If you need more detailed information, I am currently working on an
analyzer for Bro that attempts to give more detailed information about the
retransmission behavior of a TCP connection as part of on-going research.
However, it is not in a state that is ready for release.

James Swaro
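As an added illustration of the two points above (this is not code from the post or from the Bro project), the following script samples the handshake round-trip time and tallies retransmitted bytes per connection. It assumes the Bro 2.x event signatures for connection_established (raised when the SYN-ACK answering a SYN is seen) and tcp_rexmit; the module and table names are made up for the example.

```bro
# Added example: handshake RTT sampling and retransmission accounting
# built only on stock Bro events. Names below are illustrative.
module RexmitStats;

export {
    # SYN -> SYN-ACK delay as observed at the monitoring point,
    # i.e. the round trip between the monitor and the responder.
    global handshake_rtt: table[conn_id] of interval;
    # Bytes the TCP analyzer flagged as retransmitted, per connection.
    global rexmit_bytes: table[conn_id] of count;
}

event connection_established(c: connection)
{
    # c$start_time is the timestamp of the first packet (the SYN);
    # network_time() is the timestamp of the SYN-ACK that fired this event.
    local rtt = network_time() - c$start_time;
    handshake_rtt[c$id] = rtt;
    print fmt("%s handshake RTT %s", c$id, rtt);
}

event tcp_rexmit(c: connection, is_orig: bool, seq: count, len: count,
                 data_in_flight: count, window: count)
{
    # The event does not say how the data was retransmitted, only
    # how much (len) and how much was outstanding (data_in_flight).
    if ( c$id !in rexmit_bytes )
        rexmit_bytes[c$id] = 0;
    rexmit_bytes[c$id] = rexmit_bytes[c$id] + len;

    print fmt("%s %s rexmit: seq=%d len=%d in_flight=%d window=%d total=%d",
              c$id, is_orig ? "orig" : "resp", seq, len,
              data_in_flight, window, rexmit_bytes[c$id]);
}

event connection_state_remove(c: connection)
{
    # Drop per-connection state once Bro forgets the connection so the
    # tables do not grow without bound on a busy link.
    if ( c$id in handshake_rtt )
        delete handshake_rtt[c$id];
    if ( c$id in rexmit_bytes )
        delete rexmit_bytes[c$id];
}
```

Run it against a capture with `bro -r trace.pcap rexmit_stats.bro`; connections whose SYN was not captured will report a skewed RTT, since c$start_time then refers to a later packet.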
