[Bro-Dev] Per connection byte and packet counting

Seth Hall seth at icir.org
Wed Dec 8 12:46:26 PST 2010


On Dec 6, 2010, at 5:31 PM, Gregor Maier wrote:

> I've played around with adding support to count packets and (IP-)bytes
> per connection and direction. 

Awesome!

> b) implement it as a child-analyzer to the transport analyzers and add
>   this child-analyzer to the initial analyzer tree. One can configure
>   whether to enable/disable this size-analyzer via policy scripts. I've
>   done that too.
> 
>   Advantage: can be switched on and off. No overhead when off.

I like this (option b).

>   * Slightly slower due to calls to an additional analyzer (and
>     virtualized method lookups)

I think the fact that it's slightly slower is mitigated by it being optional.

> * Other ideas to make the counters available to the policy script.

Couldn't it just be in the connection record?   Maybe you could add the extra data to the endpoint record?  Making it look something like this...

type endpoint: record {
	size: count;
	state: count;
	counted_size: count &optional;
	counted_packets: count &optional;
};

That should be accessible from the core (since size and state are currently being filled in from the core) and it makes it available at arbitrary times since it's in the connection record.

> * Do you guys think it's important to have access to the counters at
>  any time, or is it sufficient to just get them when the connection
>  ends?

Yes, I would really like to access these counters at any time.  I would even say it's a requirement for this feature (for me at least).

  .Seth
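As an added illustration of what the optional per-direction size analyzer discussed above would track (example code written for this page, not Gregor's patch and not part of Bro), the sketch below keeps a packet and IP-byte counter per connection and per endpoint, can be switched off so that it keeps no state, and lets the counters be read at any point rather than only when the connection ends. The field names counted_size and counted_packets are borrowed from Seth's proposed endpoint record; the packets are constructed 5-tuples with an IP total length, and the originator is simply whoever sent the first packet seen.

```python
"""Per-connection, per-direction packet and IP-byte counters.

Toy model of the optional "size analyzer" from the thread (option b):
hypothetical code, not Bro's own analyzer or script API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet: (src_ip, src_port, dst_ip, dst_port, proto, ip_total_length)
Packet = Tuple[str, int, str, int, str, int]
# Connection key: the 5-tuple as seen from the originator's side.
ConnKey = Tuple[str, int, str, int, str]


@dataclass
class Endpoint:
    """Mirrors the optional fields proposed for Bro's endpoint record."""
    counted_size: int = 0      # IP bytes sent by this endpoint
    counted_packets: int = 0   # packets sent by this endpoint


@dataclass
class Connection:
    orig: Endpoint
    resp: Endpoint


class SizeAnalyzer:
    """Counts packets and bytes per direction for every connection observed.

    When disabled, observe() returns immediately and nothing is stored,
    which is the "no overhead when off" property argued for in the thread.
    """

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.conns: Dict[ConnKey, Connection] = {}

    @staticmethod
    def _reverse(key: ConnKey) -> ConnKey:
        src, sport, dst, dport, proto = key
        return (dst, dport, src, sport, proto)

    def observe(self, pkt: Packet) -> Optional[Connection]:
        """Account one packet to the right endpoint of its connection."""
        if not self.enabled:
            return None
        src, sport, dst, dport, proto, ip_len = pkt
        fwd: ConnKey = (src, sport, dst, dport, proto)
        rev = self._reverse(fwd)
        if fwd in self.conns:            # originator -> responder
            conn, ep = self.conns[fwd], self.conns[fwd].orig
        elif rev in self.conns:          # responder -> originator
            conn, ep = self.conns[rev], self.conns[rev].resp
        else:                            # first packet defines the originator
            conn = Connection(Endpoint(), Endpoint())
            self.conns[fwd] = conn
            ep = conn.orig
        ep.counted_size += ip_len
        ep.counted_packets += 1
        return conn

    def lookup(self, key: ConnKey) -> Optional[Connection]:
        """Fetch a connection by either orientation of its 5-tuple."""
        return self.conns.get(key) or self.conns.get(self._reverse(key))

    def counters(self, key: ConnKey) -> Optional[Tuple[int, int, int, int]]:
        """Snapshot (orig_bytes, orig_pkts, resp_bytes, resp_pkts); usable mid-connection."""
        conn = self.lookup(key)
        if conn is None:
            return None
        return (conn.orig.counted_size, conn.orig.counted_packets,
                conn.resp.counted_size, conn.resp.counted_packets)


# Constructed sample traffic: one short HTTP-like TCP exchange and one DNS-like UDP pair.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.1", 52000, "10.0.0.2", 80, "tcp", 60),
    ("10.0.0.2", 80, "10.0.0.1", 52000, "tcp", 60),
    ("10.0.0.1", 52000, "10.0.0.2", 80, "tcp", 52),
    ("10.0.0.1", 52000, "10.0.0.2", 80, "tcp", 412),
    ("10.0.0.2", 80, "10.0.0.1", 52000, "tcp", 1500),
    ("10.0.0.2", 80, "10.0.0.1", 52000, "tcp", 1500),
    ("10.0.0.2", 80, "10.0.0.1", 52000, "tcp", 900),
    ("10.0.0.5", 40000, "10.0.0.9", 53, "udp", 71),
    ("10.0.0.9", 53, "10.0.0.5", 40000, "udp", 135),
]


def count_sample(enabled: bool = True) -> Dict[ConnKey, Tuple[int, int, int, int]]:
    """Run the analyzer over SAMPLE_PACKETS and return counters per connection."""
    analyzer = SizeAnalyzer(enabled=enabled)
    for pkt in SAMPLE_PACKETS:
        analyzer.observe(pkt)
    return {key: analyzer.counters(key) for key in analyzer.conns}


if __name__ == "__main__":
    for key, ctrs in count_sample().items():
        print(key, "orig bytes/pkts=%d/%d resp bytes/pkts=%d/%d" % ctrs)
```

Because counters() can be called at any time, a policy-level consumer could sample a long-lived connection periodically, which is the access pattern Seth asks for at the end of the mail; reading only at connection end would be the degenerate case of the same lookup.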
