[Bro] TCP Connection duration = ?
Christian Kreibich
christian at whoop.org
Thu Sep 16 11:01:44 PDT 2004
Hi Mike,
On Wed, 2004-09-15 at 23:11, Mike Muratet wrote:
> Greetings
>
> Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I
> see many instances where the connection duration is '?'. I've looked at the
> manual, and by the definition of 'duration' I am led to believe that a ?
> indicates a record with an end event that never received a begin event. I'm
> still trying to find the calculation in the source, but does this make
> sense?
I think the spot to look at is in policy/conn.bro, around line 204. If
the log entry is written out at a time where none of the endpoints have
closed the connection, the duration cannot yet be known, and hence is
written out as "?".
Hope this helps,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
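As an added illustration of the point above, here is a small parser that treats a "?" duration as "still open when the record was written" instead of a number. This is not code from the thread or from Bro itself; the column layout and the sample records are constructed simplifications, not Bro's real conn log schema.

```python
# Added example (not from the original thread or from Bro): handle a
# conn-log style record whose duration is "?" because neither endpoint
# had closed the connection when the entry was written.
# The column layout below is an assumption for illustration only.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnRecord:
    start: float
    duration: Optional[float]  # None when the log wrote "?"
    orig_h: str
    resp_h: str
    service: str
    state: str


def parse_conn_line(line: str) -> ConnRecord:
    """Parse one record: ts duration orig_h resp_h service state."""
    ts, dur, orig_h, resp_h, service, state = line.split()
    duration = None if dur == "?" else float(dur)
    return ConnRecord(float(ts), duration, orig_h, resp_h, service, state)


def summarize(lines: List[str]) -> dict:
    """Count closed vs still-open records and the longest known duration.
    Records with "?" are kept out of the arithmetic rather than being
    silently coerced to zero, which would skew any duration statistics."""
    closed = still_open = 0
    longest = 0.0
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec.duration is None:
            still_open += 1
        else:
            closed += 1
            longest = max(longest, rec.duration)
    return {"closed": closed, "still_open": still_open, "longest": longest}


# Constructed sample records (not real Bro output).
SAMPLE = """
1095357000.12 0.532 10.0.0.5 192.0.2.10 http SF
1095357010.44 ? 10.0.0.5 192.0.2.20 ssh S1
1095357020.00 12.75 10.0.0.7 192.0.2.10 smtp SF
1095357030.90 ? 10.0.0.9 192.0.2.30 other S0
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```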