[Bro] http response encoded length ?
seth at icir.org
Sat May 19 21:48:45 PDT 2012
On May 16, 2012, at 4:56 PM, Dalton Porter wrote:
> One of the requirements for my project is to measure the bytes sent and received on the wire. I'm thinking there must be a counter - maybe in conn that could be used for this. resp_ip_bytes looks promising, but I have not figured out how to use it yet.
Ah! Ok, that's available but you have to be aware of what you are measuring. In your conn.log there are several fields that represent the data you're looking for.
These are payload bytes for data sent by the originator and responder.
These are byte counts including the IP header. If you are looking for the total amount of data being sent across your border to the "internet", then this is likely the measurement you want.
These fields are available several ways; one easy way that is a nice analog to log processing is to access them through the logging framework event as the data is being logged.
event Conn::log_conn(rec: Conn::Info)
    {
    print rec$orig_ip_bytes + rec$resp_ip_bytes;  # both directions, IP headers included
    }
International Computer Science Institute
(Bro) because everyone has a network
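
The log-processing counterpart of the event handler above, as an added example that is not part of the original message: it sums orig_ip_bytes and resp_ip_bytes from a conn.log in Bro's tab-separated ASCII format and counts rows where a counter is unset. The sample log is constructed and shows only a subset of conn.log columns; the function name wire_bytes is hypothetical.

```python
from collections import defaultdict

# Constructed sample (not real traffic) in Bro's ASCII log layout.
# "-" is the unset-field marker announced in the header.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tuid\tid.orig_h\tid.resp_h\tproto\torig_ip_bytes\tresp_ip_bytes",
    "C1\t10.0.0.5\t192.0.2.10\ttcp\t1240\t58312",
    "C2\t10.0.0.5\t192.0.2.11\ttcp\t412\t-",
    "C3\t10.0.0.7\t192.0.2.10\tudp\t76\t140",
]) + "\n"


def wire_bytes(lines):
    """Sum IP-level byte counters per direction and per originating host.

    Returns (totals, per_host). totals["incomplete"] counts rows where
    at least one of the two counters was unset and so could not be added.
    """
    fields, unset = [], "-"
    totals = {"orig": 0, "resp": 0, "incomplete": 0}
    per_host = defaultdict(int)
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]      # column names for data rows
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]        # honour the log's own marker
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            missing = False
            for side in ("orig", "resp"):
                value = rec.get(side + "_ip_bytes", unset)
                if value == unset:
                    missing = True             # counter absent for this row
                    continue
                totals[side] += int(value)
                per_host[rec["id.orig_h"]] += int(value)
            totals["incomplete"] += missing
    return totals, dict(per_host)


if __name__ == "__main__":
    totals, per_host = wire_bytes(SAMPLE_CONN_LOG.splitlines())
    print(totals, per_host)
```
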