[Bro] wrong size computation

Vincenzo Falletta falletta at ftw.at
Mon Nov 28 10:34:54 PST 2005


Hi folks,
As regards the way bro deals with the number of bytes transferred for
each connection, it seems that bro DOES NOT keep a variable in which it
incrementally stores the sum of each packet size for all the packets
involved in that very connection, but instead does a certain computation
 (I wonder how...) involving only the first and the last packet in the
connection... Am I correct?
I'm asking this question because I've found something very strange.
In bro's conn.log file there are lines like this:

Dec  1 00:22:53 1.058870 A B http 49331 80 tcp 886477697 ? RSTOS0 L

(yes it's correct, 800MB in 1 second) but if I look at the trace, this
is what I see:

     A              B
   49331  -->    80 (SYN)        Seq=0,Ack=0
   49331  <--    80 (ACK)        Seq=0,Ack=0
   49331  -->    80 (RST)        Seq=0,Ack=188164531

(Only 3 packets transferred...)

Of course there's some bug in these hosts, but bro should not be
misled in computing the amount of bytes transferred inside a
connection. Could someone explain to me what's happening here?

Best regards,

	Vincenzo
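The two ways of counting that the post contrasts, side by side, as an added illustration (this is not Bro's code; that Bro derives the byte count from sequence numbers rather than from summed payloads is the post's hypothesis, assumed here, and the three packet traces are constructed for the example, not the trace from the post). `payload_sum` adds up segment payloads; `seq_delta` uses only the first and last segment of one endpoint, as the post suspects; `seq_delta_guarded` adds the sanity check a practitioner would want, ignoring bare RSTs and implausible sequence-number jumps (the `max_jump` threshold is an illustrative parameter, not a Bro setting).

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    seq: int
    ack: int
    payload: int                      # bytes of TCP payload in this segment
    flags: frozenset = frozenset()    # e.g. frozenset({"SYN"}), frozenset({"RST"})


def _next_seq(p):
    """Sequence number following this segment: SYN and FIN each consume one."""
    return (p.seq + p.payload + ("SYN" in p.flags) + ("FIN" in p.flags)) % SEQ_MOD


def _data_between(first, last):
    """Payload bytes in sequence space from first.seq up to the end of last."""
    total = (_next_seq(last) - first.seq) % SEQ_MOD
    total -= ("SYN" in first.flags) + ("FIN" in last.flags)  # control bytes, no data
    return max(total, 0)


def payload_sum(pkts, sender):
    """Slow way: add the payload of every segment (retransmissions count twice)."""
    return sum(p.payload for p in pkts if p.src == sender)


def seq_delta(pkts, sender):
    """First/last-packet way: trusts whatever seq the last segment carries."""
    mine = [p for p in pkts if p.src == sender]
    return _data_between(mine[0], mine[-1]) if mine else 0


def seq_delta_guarded(pkts, sender, max_jump=1 << 24):
    """Same, but only segments whose seq is plausible may extend the count."""
    mine = [p for p in pkts if p.src == sender]
    if not mine:
        return 0
    first = mine[0]
    end_pkt = first  # accepted segment that reaches furthest in sequence space
    for p in mine[1:]:
        if "RST" in p.flags and p.payload == 0:
            continue  # a bare RST carries no data; its seq must not count
        gap = (p.seq - _next_seq(end_pkt)) % SEQ_MOD
        if gap >= SEQ_MOD // 2:
            gap -= SEQ_MOD  # negative: retransmission of earlier data
        if abs(gap) > max_jump:
            continue  # implausible jump (bogus stack, spoofed segment): ignore
        forward = (_next_seq(p) - _next_seq(end_pkt)) % SEQ_MOD
        if 0 < forward < SEQ_MOD // 2:
            end_pkt = p  # extends the stream
    return _data_between(first, end_pkt)


# Constructed trace 1: ordinary 300-byte upload with one retransmitted segment.
NORMAL = [
    Pkt("A", "B", 1000, 0, 0, frozenset({"SYN"})),
    Pkt("B", "A", 5000, 1001, 0, frozenset({"SYN", "ACK"})),
    Pkt("A", "B", 1001, 5001, 0, frozenset({"ACK"})),
    Pkt("A", "B", 1001, 5001, 100, frozenset({"ACK"})),
    Pkt("A", "B", 1101, 5001, 200, frozenset({"ACK"})),
    Pkt("A", "B", 1001, 5001, 100, frozenset({"ACK"})),  # retransmission
    Pkt("A", "B", 1301, 5001, 0, frozenset({"FIN", "ACK"})),
]

# Constructed trace 2: three-packet SYN / ACK / RST exchange, where the RST
# carries a garbage sequence number (a different trace from the post's).
RESET = [
    Pkt("A", "B", 0, 0, 0, frozenset({"SYN"})),
    Pkt("B", "A", 0, 0, 0, frozenset({"ACK"})),
    Pkt("A", "B", 500000000, 0, 0, frozenset({"RST"})),
]

# Constructed trace 3: 100 bytes sent across the 2^32 wrap of the ISN.
WRAP = [
    Pkt("A", "B", SEQ_MOD - 50, 0, 0, frozenset({"SYN"})),
    Pkt("A", "B", SEQ_MOD - 49, 0, 100, frozenset({"ACK"})),
]

if __name__ == "__main__":
    for name, trace in (("NORMAL", NORMAL), ("RESET", RESET), ("WRAP", WRAP)):
        print(name, payload_sum(trace, "A"), seq_delta(trace, "A"),
              seq_delta_guarded(trace, "A"))
```

On the ordinary trace the summed payloads over-count the retransmission (400 instead of 300), which is the reason sequence arithmetic is attractive in the first place; on the reset trace the unguarded first/last computation turns a zero-data connection into roughly 500 MB on the strength of one bogus RST, which is the failure mode the post describes, while the guarded version reports 0.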



