[Bro] getting big resp_bytes in very short duration

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Mar 25 07:47:40 PDT 2014

On Mar 24, 2014, at 8:12 PM, 김희철 <hckim at narusec.com> wrote:

> resp_bytes is very big but duration is very short.
> Is this a bug? If not, what does this mean?

{orig,resp}_bytes are derived from TCP sequence numbers rather than from the sizes of the actual packet payloads that Bro processes, so it’s somewhat more likely to be misreported in corner cases.  However, there have been at least three changes/fixes since Bro 2.1 that improve how this field is reported, so you may want to try the latest development version of Bro from git to determine whether this is a bug that’s already been fixed.


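To make the distinction in the reply above concrete, here is an added example (not Bro's own code, and not from anyone on this thread) that models the two ways of counting a connection's bytes on a constructed stream of packet records: one from the span of TCP sequence numbers observed, the other from the sum of payload lengths actually seen. It is a simplified model of the idea rather than Bro's exact algorithm; the `Pkt` record, the three constructed scenarios and the `summarize` helper are all assumptions made for the illustration. The scenarios cover capture loss (a gap in the stream), a retransmission, and a 32-bit sequence-number wrap, which is the kind of corner case where the two counts diverge and a very large byte count can coexist with a very short duration.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Pkt:
    """Constructed packet record: timestamp, TCP seq of first payload byte, payload length."""
    ts: float
    seq: int
    payload: int


def seq_based_bytes(pkts):
    """Bytes implied by sequence numbers: distance (mod 2^32) from the first
    seq seen to the furthest byte any observed segment claims to cover.
    Segments the sensor never saw are still counted, retransmits are not."""
    if not pkts:
        return 0
    start = pkts[0].seq
    furthest = 0
    for p in pkts:
        rel = (p.seq - start) % SEQ_MOD + p.payload
        furthest = max(furthest, rel)
    return furthest


def payload_based_bytes(pkts):
    """Bytes actually carried in the payloads the sensor observed."""
    return sum(p.payload for p in pkts)


def duration(pkts):
    """Time between the first and last packet the sensor observed."""
    if not pkts:
        return 0.0
    return pkts[-1].ts - pkts[0].ts


def summarize(pkts):
    """Report both byte counts side by side with the observed duration."""
    return {
        "seq_bytes": seq_based_bytes(pkts),
        "payload_bytes": payload_based_bytes(pkts),
        "duration": duration(pkts),
    }


# Constructed scenario 1: capture loss. Two segments seen, ten full-size
# segments (14600 bytes) missed, then one more small segment seen.
GAP = [Pkt(0.000, 1000, 1460), Pkt(0.005, 2460, 1460), Pkt(0.020, 17060, 500)]

# Constructed scenario 2: a retransmitted segment. Payload sum counts it twice,
# the sequence-number span does not.
RETRANS = [Pkt(0.00, 1000, 1460), Pkt(0.30, 1000, 1460), Pkt(0.31, 2460, 1460)]

# Constructed scenario 3: sequence number wraps past 2^32 mid-connection.
WRAP_START = SEQ_MOD - 100
WRAP = [Pkt(0.00, WRAP_START, 100), Pkt(0.01, 0, 200)]


if __name__ == "__main__":
    for name, pkts in (("gap", GAP), ("retrans", RETRANS), ("wrap", WRAP)):
        print(name, summarize(pkts))
```

In the capture-loss scenario the sequence-based count (16560) is almost five times the payload-based count (3420) while the duration is 20 ms, which is the shape of the log entry asked about above; checking a suspicious entry against the bytes the sensor actually saw, and against the capture-loss counters of the monitoring host, is the quickest way to tell a real transfer from a measurement artefact.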