[Bro] Definition of a connection in conn.log

Navraj Singh navraj42 at gmail.com
Tue Mar 22 14:00:25 PDT 2016


I'm trying to understand how connections are formed by Bro before reporting
them to conn.log - in particular, the following questions:

1. Is it safe to assume that any given packet will be assigned to at most
one connection, and thus to at most one row in conn.log?

2. Why is it that some rows in conn.log do not have the duration field set?
I see several rows with a '-' in the duration field.

3. The bro documentation states that "For UDP and ICMP, “connections” are
to be interpreted using flow semantics (sequence of packets from a source
host/port to a destination host/port)." However, what is the exact
definition for a TCP flow? How does Bro decide which packets to include in
a connection?

4. For an ongoing 'connection', does Bro wait until the connection is over
before logging it? What if the connection is quite long in duration...won't
that cause a lag? Or does Bro automatically chop up long flows based on
some configurable limit parameter?

Basically, I'm trying to understand how Bro defines a 'connection', for the
purposes of interpreting conn.log. I've looked at the online documentation
but didn't find what I was trying to understand.

Thanks to anyone who can shed some light on this, or point me in the right
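As an added example (not part of the original post, and not the Bro project's own code), here is a small Python reader for the tab-separated conn.log format. It honours the header directives a Bro log carries (`#separator`, `#unset_field`, `#fields`, `#types`) and maps the unset marker `-` to `None`, so a row whose duration field is unset, as in question 2, is counted explicitly instead of failing a float conversion. The field names follow the standard conn.log layout; the log lines themselves are constructed for illustration and do not come from a real capture.

```python
"""Parse Bro/Zeek tab-separated conn.log text using its header directives.

The sample log below is constructed for illustration only; the field names
are the standard conn.log columns (ts, uid, id.orig_h, ..., duration, ...).
"""
from typing import Any, Dict, List

# Constructed sample: three connections, the second with no duration,
# service or byte counts set (all unset fields carry the '-' marker).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1458680400.000000\tCexample1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.250000\t512\t2048\tSF
1458680401.000000\tCexample2\t10.0.0.5\t51235\t192.0.2.10\t443\ttcp\t-\t-\t-\t-\tS0
1458680402.000000\tCexample3\t10.0.0.7\t53000\t192.0.2.53\t53\tudp\tdns\t0.004000\t60\t120\tSF
"""


def _convert(value: str, ztype: str, unset: str, empty: str) -> Any:
    """Turn one raw field into a Python value according to its #types entry."""
    if value == unset:
        return None          # field was never set for this row
    if value == empty:
        return ""            # field is present but empty
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    return value             # addr, enum, string: keep the text as-is


def parse_conn_log(text: str) -> List[Dict[str, Any]]:
    """Return one dict per data row, keyed by the names in the #fields line."""
    separator, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    records: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            # "#separator" is space-delimited and escaped (e.g. "\x09");
            # every later directive uses the separator it declares.
            if raw.startswith("#separator "):
                escaped = raw.split(" ", 1)[1]
                separator = escaped.encode("ascii").decode("unicode_escape")
                continue
            directive, _, value = raw[1:].partition(separator)
            if directive == "unset_field":
                unset = value
            elif directive == "empty_field":
                empty = value
            elif directive == "fields":
                fields = value.split(separator)
            elif directive == "types":
                types = value.split(separator)
            continue  # #path, #open, #close, #set_separator are not needed here
        values = raw.split(separator)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        records.append({f: _convert(v, t, unset, empty)
                        for f, t, v in zip(fields, types, values)})
    return records


def summarize(records: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Count rows, distinct uids, and rows whose duration was never set."""
    durations = [r["duration"] for r in records]
    return {
        "rows": len(records),
        "unique_uids": len({r["uid"] for r in records}),
        "rows_without_duration": sum(1 for d in durations if d is None),
        "total_duration": sum(d for d in durations if d is not None),
    }


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for row in rows:
        print(row["uid"], row["proto"], row["duration"], row["conn_state"])
    print(summarize(rows))
```

The conversion is driven by the `#types` line rather than by hard-coded column positions, so the same reader works for conn.log files whose field set differs from the constructed sample, as long as the header is present.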