[Bro] Traffic Volume Calculation Using Bro's Connection Log
seth at icir.org
Thu Nov 7 11:16:33 PST 2013
On Nov 7, 2013, at 1:48 PM, Naveed Anwar <hunarame at gmail.com> wrote:
> I thought I could run Bro on each pcap file, and then sum the orig_bytes and resp_bytes columns in conn.log to get the total volume of traffic for one host. However when I run Bro on a 250 MB pcap file, the sum of these two columns is only 107 MB approximately, and not 250 MB as I expected.
It's a matter of overhead and unmeasured data. The orig_bytes and resp_bytes is only counting payload bytes so all of the headers (i.e. tcp, udp, icmp, ip, ethernet, etc) are not counted. Also, if you have any packet types that we don't support those won't be counted either. There is also some amount of overhead inherent in PCAP.
> Is there any alternate method for calculating the volume of traffic generated by one host?
You are going to need to be more specific about what you are looking for.
International Computer Science Institute
(Bro) because everyone has a network
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131107/d6fb8d4e/attachment.bin
More information about the Bro