[Bro] number of connections to the same port in 100 connections

Azoff, Justin S jazoff at illinois.edu
Thu Jun 30 11:03:21 PDT 2016

> On Jun 30, 2016, at 1:30 PM, Salman, Tara <tara.salman at wustl.edu> wrote:
> Hi everyone,
> I am trying to find the number of connections having the same source IP and destination port in the last 100 connections using bro commands.
> I managed to get the number in all connections using:
> bro-cut id.orig_h id.orig_p < conn.log | sort | uniq -c | sort -rn
> which is working fine, but I need to modify this to include only the last 100 connections in the log file. Is there a way to do that?
> Thanks in advance

Give this a try:

(head -n 8 conn.log; tail -n 100 conn.log) | bro-cut id.orig_h id.orig_p | sort | uniq -c | sort -rn

You need the first 8 lines for the header so bro-cut works.
- Justin Azoff
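
An added example, not part of the original thread: the same count done in one awk pass, without bro-cut. It reads column positions from the #fields header, skips every # line (including the #close line a closed log ends with, which a plain tail counts among its 100 lines), and keys on id.resp_p, Bro's destination-port field named in the question. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Count (id.orig_h, id.resp_p) pairs over the last N connection records of a
# Bro conn.log. Output lines: "<count>\t<orig_h>\t<resp_p>", highest count first.
# Usage: last_n_pairs conn.log [N]   (N defaults to 100)
last_n_pairs() {
    log=$1
    n=${2:-100}
    awk -F'\t' -v n="$n" '
        # Map field names to column numbers; "#fields" itself is column 1 of this line.
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }    # other header lines and the trailing #close
        # No usable #fields header seen: print nothing rather than wrong columns.
        !("id.orig_h" in col) || !("id.resp_p" in col) { exit 2 }
        # Ring buffer: only the newest n records survive.
        { ring[seen++ % n] = $(col["id.orig_h"]) "\t" $(col["id.resp_p"]) }
        END {
            kept = (seen < n) ? seen : n
            for (i = 0; i < kept; i++) count[ring[i]]++
            for (k in count) print count[k] "\t" k
        }' "$log" | sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3n
}

# Constructed sample: 8 header lines, 5 records, trailing #close line.
sample_conn_log() {
    printf '#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n'
    printf '#unset_field\t-\n#path\tconn\n#open\t2016-06-30-00-00-00\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\n'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        1.0 C1 10.0.0.1 40001 192.0.2.10 22 \
        2.0 C2 10.0.0.1 40002 192.0.2.11 443 \
        3.0 C3 10.0.0.2 40003 192.0.2.10 443 \
        4.0 C4 10.0.0.1 40004 192.0.2.12 443 \
        5.0 C5 10.0.0.1 40005 192.0.2.13 443
    printf '#close\t2016-06-30-01-00-00\n'
}
```

On the sample, `tail -n 3` returns two records plus the #close line, while `last_n_pairs FILE 3` counts three records.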
