<span class="gmail_quote"></span>Hi, <br><br>when I run that command I get the following output (a sample):<br><br>1185209476.627097 weird: spontaneous_RST<br>1185209476.630111 weird: spontaneous_RST<br>1185209476.947233 weird: above_hole_data_without_any_acks
<br>1185209478.283928 weird: spontaneous_FIN<br>1185209478.798191 weird: above_hole_data_without_any_acks<br>1185209479.339797 weird: spontaneous_RST<br>1185209479.943993 weird: spontaneous_RST<br>1185209480.904227 weird: spontaneous_FIN
<br>1185209481.648424 weird: above_hole_data_without_any_acks<br><br>When I was talking about flow statistics, I was looking more for statistics such as total number of packets, average packet size, total bytes, total header (transport plus network layer) bytes, number of caller to callee packets, total caller
<br>to callee bytes, total caller to callee payload bytes, total caller to callee header bytes, number of callee to<br>caller packets, total callee to caller payload bytes, and total callee to caller header bytes.<br><br>
Also as an aside, do you know why there are these weird addresses in the scan.bro file because whenever I run bro -r tracefile tcp it always starts with the following lines:<br><br>/usr/local/bro/policy/scan.bro, line 92: warning: no such host:
<a href="http://j5004.inktomisearch.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">j5004.inktomisearch.com</a><br>/usr/local/bro/policy/scan.bro, line 92: warning: no such host: <a href="http://j5005.inktomisearch.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
j5005.inktomisearch.com</a><br>/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
<a href="http://j5006.inktomisearch.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">j5006.inktomisearch.com</a><br>/usr/local/bro/policy/scan.bro, line 93: warning: no such host: <a href="http://j100.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
j100.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
<a href="http://j101.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">j101.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 94: warning: no such host: <a href="http://j3002.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
j3002.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
<a href="http://si3000.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">si3000.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 94: warning: no such host: <a href="http://si3001.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
si3001.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
<a href="http://si3002.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">si3002.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 95: warning: no such host: <a href="http://si3003.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
si3003.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
<a href="http://si4000.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">si4000.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 96: warning: no such host: <a href="http://si4001.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
si4001.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
<a href="http://si4002.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">si4002.inktomi.com</a><br>/usr/local/bro/policy/scan.bro, line 96: warning: no such host: <a href="http://wm3018.inktomi.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
wm3018.inktomi.com</a><br>line 1: warning: event handlers never invoked:
<br>line 1: warning: account_tried<br><br>Thanks.<br><br>Daniel.<div><span class="e" id="q_1158bdb003a4a4d2_1"><br><br><br><div><span class="gmail_quote">On 10/10/07, <b class="gmail_sendername">Robin Sommer</b> <
<a href="mailto:robin@icir.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">robin@icir.org
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>On Wed, Oct 10, 2007 at 15:40 -0400, Danny Nechay wrote:<br><br>> I have a trace file (from using TCPdump) and I would like to know how to get
<br>> the flow statistics of this file using BRO (i.e. what would be the command<br>> line argument).<br><br>"bro -r trace tcp" should do it if you're only concerned about TCP.<br>For UDP and ICMP add "udp" and "icmp" to the command line,
<br>respectively.<br><br>Robin<br><br>--<br>Robin Sommer * Phone +1 (510) 931-5555 * <a href="mailto:robin@icir.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">robin@icir.org</a><br>ICSI/LBNL * Fax +1 (510) 666-2956 *
<a href="http://www.icir.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">www.icir.org
</a><br></blockquote></div><br>
</span></div>