[Bro] minor documentation error

Castle, Shane scastle at bouldercounty.org
Mon Dec 31 09:33:18 PST 2012

I found another issue with this script. The Unix/POSIX sort command will not sort IP addresses correctly unless it is told to explicitly: 
"sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n". This defect causes the script to lie about who is using how many bytes.

If you want a nice example, just access a reasonably busy Bro system, go to one of the compressed log directories, and try:

"zcat conn.*.gz | bro-cut id.orig_h orig_bytes | sort | less"

You will see it sorting addresses like and the same. This causes the subsequent awk script to fail rather badly.

And that brings up another point: many times the orig_bytes field will be nonnumeric, containing a "-" or a blank instead of a number. I don't know how the awk script deals with these, offhand. I am trying to find out, and create a true toptalkers script that really works.

Shane Castle
Data Security Mgr, Boulder County IT
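As an added example (not part of the thread, and not the script the original post refers to), the following POSIX shell snippet shows the two problems Shane raises side by side: octet-aware sorting of IPv4 addresses, and summing orig_bytes per originator when the field may be "-" or blank. It assumes input in the two-column, tab-separated form that "bro-cut id.orig_h orig_bytes" produces; the sample lines are constructed for illustration, and the function names (sum_bytes, sort_ips, top_talkers) are the author's own.

```shell
#!/bin/sh
# Added example: top talkers by orig_bytes with correct IP sorting and
# tolerant handling of non-numeric orig_bytes ("-" or blank).

# Constructed sample in the shape of "bro-cut id.orig_h orig_bytes" output
# (tab-separated). Includes a "-" and a blank byte count on purpose.
sample_lines() {
  printf '10.0.0.9\t1500\n'
  printf '10.0.0.10\t-\n'
  printf '10.0.0.100\t300\n'
  printf '10.0.0.10\t2000\n'
  printf '10.0.0.9\t\n'
  printf '192.168.1.2\t42\n'
}

# Sum bytes per originator with an associative array, so the input does
# not need to be pre-sorted. A field that is not an unsigned integer
# (e.g. "-" or blank) contributes 0 rather than breaking the sum.
# Output: "<ip> <total>" one per originator, space separated.
sum_bytes() {
  awk '{ b = ($2 ~ /^[0-9]+$/) ? $2 : 0; total[$1] += b }
       END { for (h in total) printf "%s %d\n", h, total[h] }'
}

# Sort IPv4 addresses octet by octet. Plain "sort" orders them as text,
# which puts 10.0.0.10 and 10.0.0.100 before 10.0.0.9.
sort_ips() {
  sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Top-N originators by total bytes, descending (the "sort -rnk 2" step).
top_talkers() {
  sum_bytes | sort -k 2,2nr | head -n "$1"
}

# Stand-alone demo: run with "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
  echo "lexical IP order:";  sample_lines | cut -f1 | sort -u
  echo "numeric IP order:";  sample_lines | cut -f1 | sort -u | sort_ips
  echo "top 3 talkers:";     sample_lines | top_talkers 3
fi
```

Because the totals are accumulated in an awk array rather than by comparing consecutive lines, the earlier "sort" of addresses is not needed for correctness; sort_ips is only there for producing a readable per-host listing. The explicit regex check makes the handling of "-" visible; awk would otherwise silently coerce it to 0 in arithmetic.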

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Liam Randall
Sent: Friday, December 28, 2012 18:11
To: bro at bro-ids.org
Subject: [Bro] minor documentation error

Came up on the SO list.

Solution for:

What are the top 10 hosts (originators) that send the most traffic?

The final sort should be "sort -rnk 2"

Credits Shane Castle

Happy Holidays All,