[Bro-Dev] trace-summary question

Robin Sommer robin at icir.org
Sun Aug 7 21:33:58 PDT 2011


On Fri, Aug 05, 2011 at 11:30 -0700, you wrote:

> Just curious: is there a good reason for '700'?

It's "good enough". :-)

The problem here is that Bro sometimes reports outrageously high
volume: it computes the volume from TCP sequence numbers and gets
utterly confused if they wrap around. So anything that looks like an
unrealistic bandwidth will do.

(Unfortunately, wrap around is more likely to occur for larger
connections, and by excluding those we may actually miss a significant
chunk for the summary. But there's not much to do about that with a
given summary; garbage in, garbage out. :-)

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
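The mechanism the reply describes, as an added illustration that is not Bro's or trace-summary's own code: a summarizer that derives per-connection byte volume from TCP sequence numbers, a simplified min/max model (an assumption, not Bro's real implementation) of how that estimate becomes "outrageously high" once the 32-bit sequence space wraps, and the filter the reply describes, which drops any connection whose implied bandwidth is unrealistic. The connection records, the 125 MB/s (gigabit-link) plausibility threshold and the names `Conn`, `naive_volume`, `wrap_aware_volume`, `plausible` and `summarize` are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 2 ** 32  # TCP sequence numbers live in a 32-bit space

# Assumed site-specific threshold: a fully saturated gigabit link, in bytes/s.
GIGABIT_BYTES_PER_S = 125_000_000


@dataclass
class Conn:
    """One direction of a connection as a summarizer might record it (constructed)."""
    seqs_seen: List[int]   # sequence numbers observed, in arrival order
    duration_s: float


def naive_volume(conn: Conn) -> int:
    """Bytes estimated as max(seq) - min(seq) over the observed packets.

    Simplified model (an assumption, not Bro's actual code) of a summarizer
    that is unaware of wrap-around: once the sequence number passes 2^32 the
    post-wrap packets look "smaller" than the pre-wrap ones, so min/max span
    almost the whole 32-bit space and a 1.5 KB connection reports ~4 GiB.
    """
    return max(conn.seqs_seen) - min(conn.seqs_seen)


def wrap_aware_volume(conn: Conn) -> int:
    """Bytes as (last - first) mod 2^32, using arrival order instead of min/max.

    Correct as long as fewer than 4 GiB flowed between the first and last
    observed packet; a connection that wrapped a full time is still undercounted,
    which is the "garbage in, garbage out" limit the reply mentions.
    """
    first, last = conn.seqs_seen[0], conn.seqs_seen[-1]
    return (last - first) % SEQ_MOD


def plausible(volume_bytes: int, duration_s: float, max_bytes_per_s: float) -> bool:
    """Sanity filter: keep a connection only if its implied bandwidth is realistic."""
    if duration_s <= 0:
        return volume_bytes == 0
    return volume_bytes / duration_s <= max_bytes_per_s


def summarize(conns: List[Conn], max_bytes_per_s: float) -> Tuple[int, int]:
    """Total bytes over the connections that pass the filter, and how many were
    dropped. Mirrors the reply's strategy: discard anything that implies an
    unrealistic bandwidth rather than try to repair the estimate."""
    kept, dropped = 0, 0
    for c in conns:
        vol = naive_volume(c)
        if plausible(vol, c.duration_s, max_bytes_per_s):
            kept += vol
        else:
            dropped += 1
    return kept, dropped


# Constructed sample connections.
# A 1500-byte connection whose ISN sat 1000 below the wrap point.
SMALL_WRAPPED = Conn([2**32 - 1000, 2**32 - 400, 200, 500], duration_s=0.05)
# A genuine 3 GiB transfer over a minute (~54 MB/s, fine on a gigabit link).
BIG_OK = Conn([1000, 2**31, 3 * 2**30 + 1000], duration_s=60.0)
# A short, ordinary connection.
TINY = Conn([10, 1510], duration_s=0.01)
# Constructed to stand for a 5 GiB transfer whose sequence number wrapped once:
# only the residue 2^30 survives, so every estimator reports 1 GiB.
OVERFLOWED = Conn([0, 2**30], duration_s=120.0)

SAMPLE_CONNS = [SMALL_WRAPPED, BIG_OK, TINY]


if __name__ == "__main__":
    for name, c in [("small_wrapped", SMALL_WRAPPED), ("big_ok", BIG_OK),
                    ("tiny", TINY), ("overflowed", OVERFLOWED)]:
        print(f"{name:14} naive={naive_volume(c):>11}  wrap_aware={wrap_aware_volume(c):>11}"
              f"  plausible={plausible(naive_volume(c), c.duration_s, GIGABIT_BYTES_PER_S)}")
    print("summary (kept_bytes, dropped):", summarize(SAMPLE_CONNS, GIGABIT_BYTES_PER_S))
```

The filter catches the wrapped 1.5 KB connection because 4 GiB in 50 ms is impossible on the link, while the real 3 GiB transfer passes; the `OVERFLOWED` record shows the residual problem the reply concedes, where a transfer larger than the sequence space is undercounted by every estimator and no threshold can recover it.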
