[Bro-Dev] Per connection byte and packet counting

Gregor Maier gregor at icir.org
Wed Dec 15 07:43:28 PST 2010


On 12/14/10 21:06 , Seth Hall wrote:
> The only question I have is what is the $history field used for?  This is the second time I've seen it referred to today, but I have no idea what it's for. :)

It records the state history of (TCP) connections. When
record_state_history=T it will add an additional column to conn.log.
It's probably mostly used for measurements rather than live security
deployment. The "history" is a string of letters:

-8<------
s == a SYN w/o the ACK bit set
h == a SYN+ACK ("handshake")
a == a pure ACK
d == packet with payload ("data")
f == packet with FIN bit set
r == packet with RST bit set

I also think there is a "c" which means we saw a packet with a bad
checksum and "i" for "inconsistent" packets---basically just weird crap
like both SYN and RST bits lit up.

If the code is in upper case it means the event comes from the
originator and lower case then means the responder.

Also, there is compression.  We only record one "d" in each direction,
for instance.  I.e., we just record that data went in that direction.
This history is not meant to encode how much data that happened to be.
->8------

cu
Gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
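A small decoder for the history string format described in the mail above, added here as an example; it is not Bro's own code. It assumes only the letters Gregor lists (s, h, a, d, f, r, c, i), treats anything else as unknown rather than guessing, and the sample history strings in the test are constructed.

```python
"""Decode a conn.log $history string (added example, not Bro code).

Letter meanings follow Gregor's mail; upper case = originator,
lower case = responder. Unknown letters are kept but flagged.
"""
from dataclasses import dataclass

# Lower-case letter -> meaning, as listed in the mail.
HISTORY_CODES = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "payload (data)",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "i": "inconsistent flags (e.g. SYN+RST)",
}


@dataclass
class HistoryEvent:
    code: str      # lower-case letter
    origin: str    # "orig" (upper case in history) or "resp" (lower case)
    meaning: str


def decode_history(history: str) -> list:
    """Turn a history such as 'ShADadFf' into a list of HistoryEvent."""
    events = []
    for ch in history:
        origin = "orig" if ch.isupper() else "resp"
        key = ch.lower()
        # Letter not in the mail's list: keep it, label it unknown.
        meaning = HISTORY_CODES.get(key, "unknown code")
        events.append(HistoryEvent(key, origin, meaning))
    return events


def summarize(history: str) -> dict:
    """Triage facts: handshake completed, data per direction, how it ended.
    Because of compression, 'd' appears once per direction at most and
    says nothing about how much data flowed."""
    ev = decode_history(history)
    seen = {(e.origin, e.code) for e in ev}
    return {
        "handshake_complete": {("orig", "s"), ("resp", "h"), ("orig", "a")} <= seen,
        "data_from_orig": ("orig", "d") in seen,
        "data_from_resp": ("resp", "d") in seen,
        "reset": any(e.code == "r" for e in ev),
        "fin": any(e.code == "f" for e in ev),
        "anomalies": sorted({e.code for e in ev if e.code in ("c", "i")}),
    }
```

Running `summarize` over the history column of conn.log makes it easy to separate completed connections from unanswered SYNs or resets during measurement work.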

