[Bro] getting big resp_bytes in very short duration

김희철 hckim at narusec.com
Mon Mar 24 18:12:07 PDT 2014

I am running a Bro 2.1 cluster with pf_ring.
I am getting a strange reading in conn.log:

#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   proto
service duration    orig_bytes  resp_bytes  conn_state  local_orig
missed_bytes    history orig_pkts   orig_ip_bytes   resp_pkts
resp_ip_bytes   tunnel_parents
1386409938.786306   CKlLre3mzijeYEIf8c   63093   80  tcp http    0.008831    612 1789158751  SF  T   0
ShADadfF    8   956 6   433 (empty)
1386592764.721467   C9RQ8U1M31oXWexK59   51800   80  tcp http    0.009957    612 1482640315  SF  T   0
ShADadfF    8   956 6   433 (empty)

resp_bytes is very big, but duration is very short.
I can see that resp_pkts and resp_ip_bytes are very small; is this the
reason duration is very short?

Is this a bug? If not, what does this mean?
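A consistency check for records like these, added here as an example that is not from the post or from Bro itself: for TCP, Bro takes orig_bytes/resp_bytes from TCP sequence numbers, while orig_ip_bytes/resp_ip_bytes count the bytes of the packets actually captured, so a payload count larger than the wire count, or an implied rate no link could carry, marks the record as a sequence-number or capture artefact rather than a real transfer. The sample log is constructed from the values in the post with placeholder addresses, since the post omits them.

```python
# Constructed sample: the two suspicious records from the post plus one that
# looks normal; IP addresses are RFC 5737 placeholders since the post omits them.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "1386409938.786306\tCKlLre3mzijeYEIf8c\t192.0.2.10\t63093\t198.51.100.5\t80\ttcp"
    "\thttp\t0.008831\t612\t1789158751\tSF\tT\t0\tShADadfF\t8\t956\t6\t433\t(empty)",
    "1386592764.721467\tC9RQ8U1M31oXWexK59\t192.0.2.11\t51800\t198.51.100.5\t80\ttcp"
    "\thttp\t0.009957\t612\t1482640315\tSF\tT\t0\tShADadfF\t8\t956\t6\t433\t(empty)",
    "1386592800.000000\tCnormal0example\t192.0.2.12\t40000\t198.51.100.5\t80\ttcp"
    "\thttp\t0.200000\t612\t3500\tSF\tT\t0\tShADadfF\t8\t956\t6\t3820\t(empty)",
])

# No 10 Gbit/s link can carry more payload bytes per second than this.
MAX_BYTES_PER_SEC = 10e9 / 8


def parse_conn_log(text):
    """Yield each record as a dict keyed by the names in the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close ... carry no records
        else:
            yield dict(zip(fields, line.split("\t")))


def _num(value):
    return 0.0 if value in ("-", "") else float(value)  # "-" means unset


def flag_impossible_counters(text):
    """Return {uid: [reasons]} for TCP records whose byte counters cannot be real."""
    findings = {}
    for rec in parse_conn_log(text):
        if rec.get("proto") != "tcp":
            continue  # only TCP payload counts are derived from sequence numbers
        reasons = []
        duration = _num(rec["duration"])
        for side in ("orig", "resp"):
            payload, wire = _num(rec[side + "_bytes"]), _num(rec[side + "_ip_bytes"])
            # Sequence-number payload can never exceed the IP bytes actually captured.
            if payload > wire:
                reasons.append(f"{side}_bytes {payload:.0f} > {side}_ip_bytes {wire:.0f}")
            if duration > 0 and payload / duration > MAX_BYTES_PER_SEC:
                reasons.append(f"{side} rate {payload / duration:.3g} B/s is implausible")
        if reasons:
            findings[rec["uid"]] = reasons
    return findings
```

Both records from the post are flagged twice (payload exceeds wire bytes, and the implied rate is far above line speed), while the normal-looking record passes.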