[Bro] TCP Connection duration = ?

Mike Muratet mike.muratet at torchtechnologies.com
Wed Sep 15 15:11:12 PDT 2004


Greetings

Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I 
see many instances where the connection duration is '?'. I've looked at the 
manual, and by the definition of 'duration' I am led to believe that a ? 
indicates a record with an end event that never received a begin event. I'm 
still trying to find the calculation in the source, but does this make 
sense?

Thanks

Mike 



