[Bro-Dev] Bro byte and packet counting in devel

Gregor Maier gregor at icir.org
Sat Mar 5 10:28:49 PST 2011


On 3/4/11 21:07 , Seth Hall wrote:
> 
> On Feb 25, 2011, at 11:51 AM, Gregor Maier wrote:
> 
>> the analyzer to count bytes and packets as seen on the wire per
>> connection (endpoint) is now in devel. If enabled the counters are part
>> of the connection record (actually the endpoint records) and can thus be
>> accessed by any event that gets a connection as argument.
> 
> 
> Thanks for doing the work on this, I've been wanting this functionality built into Bro for a long time.  Is there any plan for getting this integrated into master?  I see that there isn't a merge request yet, are you waiting for more testing?

see Robin's mail

> It just came up for me because I'm rewriting the conn.bro script and I want to include that data if the analyzer is enabled as a replacement for the normal c$orig$size and c$resp$size.

I've actually added the counters as additional columns in conn.bro
(there's one flag to enable the analyzer and another one to enable
logging in conn.log)

You might also want to consider that osize and rsize try to count the
logical number of payload bytes whereas my analyzer counts the number of
IP bytes, so I don't know whether replacing osize and rsize makes
sense (since it breaks behavior and given a conn.log file, it's hard to
know which format it's in).
OTOH, I think that people new to bro often get confused as to what osize
and rsize are (e.g., they can be heavily inflated and need sanity
checking).


(I don't have a preference to do it one way or the other, btw)


cu
gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
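The distinction drawn in the message above, between a payload size derived from TCP sequence numbers (the osize/rsize approach) and a per-packet count of IP bytes as seen on the wire, as an added illustration. This is Python written for this page, not Bro code and not part of the thread: it computes both counters over a small constructed TCP trace and shows how a single sequence-number jump on the responder side inflates the logical size far past what was actually on the wire, which is the kind of sanity check the message alludes to. The packet fields, the direction labels and the `inflated` check are assumptions made for the example.

```python
"""
Added illustration (not Bro code): sequence-number based payload size vs.
IP bytes counted per packet, for one TCP connection, per endpoint.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SEQ_MOD = 2 ** 32


@dataclass(frozen=True)
class Pkt:
    """One TCP segment. Fields are assumptions for this example."""
    src: str       # "orig" or "resp": which endpoint sent it
    seq: int       # TCP sequence number of the first payload byte
    payload: int   # TCP payload length in bytes
    ip_len: int    # IP total length (IP hdr + TCP hdr + payload)


@dataclass
class EndpointCounters:
    pkts: int = 0                 # packets seen on the wire
    ip_bytes: int = 0             # IP bytes seen on the wire
    payload_seen: int = 0         # payload bytes actually observed
    first_seq: Optional[int] = None
    max_seq_end: Optional[int] = None  # highest (seq + payload) mod 2^32

    def logical_size(self) -> int:
        """osize/rsize-style size: highest seq end minus initial seq."""
        if self.first_seq is None or self.max_seq_end is None:
            return 0
        return (self.max_seq_end - self.first_seq) % SEQ_MOD


def _ahead(a: int, b: int) -> bool:
    """True if sequence value a is 'after' b, with 32-bit wraparound."""
    return (a - b) % SEQ_MOD < SEQ_MOD // 2


def count(pkts: Iterable[Pkt]) -> Dict[str, EndpointCounters]:
    """Compute wire counters and the sequence-based size per endpoint."""
    eps = {"orig": EndpointCounters(), "resp": EndpointCounters()}
    for p in pkts:
        ep = eps[p.src]
        ep.pkts += 1
        ep.ip_bytes += p.ip_len
        ep.payload_seen += p.payload
        if ep.first_seq is None:
            ep.first_seq = p.seq
        end = (p.seq + p.payload) % SEQ_MOD
        if ep.max_seq_end is None or _ahead(end, ep.max_seq_end):
            ep.max_seq_end = end
    return eps


def inflated(ep: EndpointCounters) -> bool:
    """Sanity check: payload implied by sequence numbers cannot exceed
    the IP bytes actually seen for that endpoint."""
    return ep.logical_size() > ep.ip_bytes


# Constructed trace: originator sends 3 x 100-byte segments in order.
# Responder sends two 500-byte segments, but the second one jumps far
# ahead in sequence space (a gap: missed traffic or a bogus segment).
TRACE: List[Pkt] = [
    Pkt("orig", 1000, 100, 140),
    Pkt("orig", 1100, 100, 140),
    Pkt("orig", 1200, 100, 140),
    Pkt("resp", 5000, 500, 540),
    Pkt("resp", 1_000_000, 500, 540),
]


def summarize(pkts: Iterable[Pkt]) -> Dict[str, Dict[str, int]]:
    """Return the per-endpoint numbers side by side, for inspection."""
    return {
        name: {
            "pkts": ep.pkts,
            "ip_bytes": ep.ip_bytes,
            "payload_seen": ep.payload_seen,
            "logical_size": ep.logical_size(),
            "inflated": int(inflated(ep)),
        }
        for name, ep in count(pkts).items()
    }


if __name__ == "__main__":
    for name, row in summarize(TRACE).items():
        print(name, row)
```

On the constructed trace the originator's three counters agree (300 payload bytes, 420 IP bytes), while the responder's sequence-based size comes out at 995500 bytes against 1080 IP bytes on the wire, so the `inflated` check fires for that endpoint only. Logging both counters side by side, as the message proposes for conn.log, is what makes such a check possible after the fact.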

