[Bro] TCP Connection duration = ?
Mike Muratet
mike.muratet at torchtechnologies.com
Wed Sep 15 15:11:12 PDT 2004
Greetings
Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I
see many instances where the connection duration is '?'. I've looked at the
manual, and by the definition of 'duration' I am led to believe that a ?
indicates a record with an end event that never received a begin event. I'm
still trying to find the calculation in the source, but does this make
sense?
Thanks
Mike