[Bro-Dev] Bro byte and packet counting in devel

Seth Hall seth at icir.org
Mon Mar 7 06:54:49 PST 2011


On Mar 5, 2011, at 1:28 PM, Gregor Maier wrote:

>> It just came up for me because I'm rewriting the conn.bro script and I want to include that data if the analyzer is enabled as a replacement for the normal c$orig$size and c$resp$size.
> 
> I've actually added the counters as additional columns in conn.bro
> (there's one flag to enable the analyzer and another one to enable
> logging in conn.log)

I'm reworking a lot of the analyzer companion scripts now (including conn.bro) and changing them to use the logging framework.  I may make it an option in the new conn.bro script too.  It should be pretty straightforward, especially since we've been working on giving the logging framework the specific capability for doing record extension to do this sort of thing.

> You might also want to consider that osize and rsize try to count the
> logical number of payload bytes whereas my analyzer counts the number of
> IP bytes 

Oh, good point.  That's definitely something to think about.

> OTOH, I think that people new to bro often get confused as to what osize
> and rsize are (e.g., that they can be heavily inflated and need sanity
> checking).

I was confused by that for a while.  It was weird for a while since I came from netflow analysis where you can pretty reliably trust the byte counts once you put all of the related flows back together.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
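An added example (not code from this thread or from Bro itself) of the sanity check discussed above: it compares the logical osize/rsize payload counters, which are derived from sequence numbers and so get inflated by gaps, against the IP byte counts from a packet/byte-counting analyzer, and flags records where the logical count cannot be trusted. The tab-separated columns, the sample lines and the "-" convention for an absent counter are constructed assumptions for this example.

```python
"""Sanity-check logical payload byte counts against observed IP byte counts.

Constructed example, not Bro's own code: a conn.log-style, tab-separated input
with the columns named below. osize/rsize are logical payload bytes (sequence
number based, so sequence gaps inflate them); *_ip_bytes are the bytes actually
seen on the wire. Payload can never exceed the IP bytes that carried it.
"""
from typing import Dict, List

COLUMNS = ["orig_h", "resp_h", "osize", "rsize", "orig_ip_bytes", "resp_ip_bytes"]

# Constructed sample lines; '-' marks a counter that was not recorded
# (e.g. the byte-counting analyzer was disabled for that connection).
SAMPLE_LOG = """\
10.0.0.5\t10.0.0.9\t1200\t34000\t1500\t36100
10.0.0.5\t10.0.0.9\t4294901760\t512\t2400\t700
10.0.0.7\t10.0.0.9\t800\t9000\t-\t-
"""


def parse_conn_line(line: str) -> Dict[str, object]:
    """Split one constructed conn.log line into a record; '-' becomes None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    rec: Dict[str, object] = dict(zip(COLUMNS, fields))
    for key in COLUMNS[2:]:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def check_sizes(rec: Dict[str, object]) -> List[str]:
    """Return reasons why the logical sizes cannot be trusted (empty if fine)."""
    problems = []
    for logical, wire in (("osize", "orig_ip_bytes"), ("rsize", "resp_ip_bytes")):
        if rec[wire] is None:
            problems.append(f"{logical} unverifiable: {wire} not recorded")
        elif rec[logical] > rec[wire]:
            problems.append(f"{logical}={rec[logical]} exceeds {wire}={rec[wire]} (inflated)")
    return problems


def audit(log_text: str) -> List[Dict[str, object]]:
    """Run the check over every non-empty line; return the flagged records."""
    flagged = []
    for line in log_text.splitlines():
        if not line:
            continue
        rec = parse_conn_line(line)
        problems = check_sizes(rec)
        if problems:
            flagged.append({"orig_h": rec["orig_h"], "problems": problems})
    return flagged
```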