[Bro] Traffic characteristics extraction with Bro

Robin Sommer robin at icir.org
Tue Jan 23 20:47:16 PST 2007


On Mon, Jan 22, 2007 at 16:55 -0500, you wrote:

> At present, the characteristics I need are:  mean packet size and mean 
> packet inter-arrival time, all per flow. 

In general, such statistics are a little bit difficult to get with
Bro because its analysis works primarily with higher abstractions of
activity, i.e., you write scripts without relying on packet
semantics. 

To still get stats such as inter-arrival times there are two
options:

(i) you can indeed use the new_packet() event which you already
found yourself. Disadvantage: this is not very efficient because
script code needs to be executed for each input packet.

(ii) you add a module to Bro's core which does the required analysis
and just reports results back to script-level. Bro's stepping stone
analyzer is an example of how to do this (it does examine packet
timings). Disadvantage: you need to hack Bro's source code.

On Tue, Jan 23, 2007 at 20:09 -0500, you wrote:

> However, I DON'T know if the packet reported there is already 
> "processed", i.e. only valid packets for the connection are considered 
> while others such as: duplicate or out of order packets are not reported 
> to the handler?

The event is raised for all packets which pass some very basic
sanity checks, such as being fully captured and having correct
checksums. So, this should indeed work for you.

Hope this helps,

Robin


-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
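As an added illustration of option (i) above, here is an example script of my own (not from this thread and not part of the Bro distribution) that keeps per-connection packet counts, byte totals and inter-arrival gaps in a table indexed by the connection's conn_id and reports the means when the connection is removed. It is written against current Zeek syntax, using the same new_packet(c, p) event signature Bro had at the time; the module, record and table names are my own.

```zeek
# Added example (not from the thread): per-connection mean packet size and
# mean inter-arrival time, computed at script level via new_packet() as in
# option (i). Names below (FlowStats, Stats, flows) are my own.
module FlowStats;

export {
    type Stats: record {
        pkts:    count    &default=0;
        bytes:   count    &default=0;
        last_ts: time;
        gap_sum: interval &default=0secs;  # sum of gaps between consecutive packets
    };
    # Keyed by the 4-tuple; entries are removed when the connection ends.
    global flows: table[conn_id] of Stats;
}

event new_packet(c: connection, p: pkt_hdr)
{
    # Every packet that passed Bro's basic sanity checks arrives here, so
    # retransmitted and out-of-order segments are counted as well.
    local now = network_time();
    local len = 0;
    if ( p?$ip )
        len = p$ip$len;            # IPv4 total length
    else if ( p?$ip6 )
        len = p$ip6$len + 40;      # IPv6 payload length plus fixed header

    if ( c$id !in flows )
        flows[c$id] = Stats($last_ts=now);

    local s = flows[c$id];         # records are references; updates persist
    if ( s$pkts > 0 )
        s$gap_sum += now - s$last_ts;
    ++s$pkts;
    s$bytes += len;
    s$last_ts = now;
}

event connection_state_remove(c: connection)
{
    if ( c$id !in flows )
        return;
    local s = flows[c$id];
    local mean_size = s$bytes * 1.0 / s$pkts;
    local mean_iat  = s$pkts > 1 ? s$gap_sum / (s$pkts - 1) : 0secs;
    print fmt("%s pkts=%d mean_size=%.1f mean_iat=%s",
              c$id, s$pkts, mean_size, mean_iat);
    delete flows[c$id];
}
```

Because the handler runs for every packet, expect the per-packet script cost the reply describes; on a busy link the core-module route (option (ii)) is the one that scales.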
