[Bro] count connection bytes

Seth Hall seth at icir.org
Thu Jan 2 09:21:10 PST 2014

On Dec 23, 2013, at 4:26 PM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:

> event connection_finished(c:connection)
>         {
>         print c$orig$num_bytes_ip;
>         print c$resp$num_bytes_ip;
>         }
> I'm probably missing something obvious but it is escaping me.  thanks

You probably want to use the connection_state_remove event instead as it indicates when a connection is expunged from memory.  connection_finished has some extra context to it that you may not care about.

Also, the num_bytes_ip field is a per-packet field and includes the size of the IP header on down (tcp/udp + payload typically).  If you are looking for content bytes you will want c$orig$size which will show you the size of the reassembled TCP contents in the case of TCP.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140102/297a1ab3/attachment.bin 

More information about the Bro mailing list