[Bro] Fwd: Flow Statistics in BRO

Robin Sommer robin at icir.org
Wed Oct 10 21:02:46 PDT 2007


(Got this mail in private first; here's a copy of my reply to the
list.)

On Wed, Oct 10, 2007 at 17:38 -0400, you wrote:

> 1185209481.648424 weird: above_hole_data_without_any_acks

You can actually just ignore these messages, or load weird.bro which
sends them to weird.log.

> When I was talking about flow statistics, I was looking more for statistics
> such as total number of packets, average packet size, total bytes, total
> header 

Have you looked into conn.log? Bro doesn't count packets per flow
but the rest of the information you're looking for should be in
there.  (If I understand you correctly that you want *per-flow*
statistics and not an overall summary of, e.g., bytes in the trace).

> Also as an aside, do you know why there are these weird addresses in the
> scan.bro file because whenever I run bro -r tracefile tcp it always starts
> with the following lines:

They are a relict from the past when these hosts still existed, to
suppress reporting them as scanners. You can simply remove them from
the scan.bro to get rid of the warning. Iirc this has already been done
in the current development version.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
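Added example (not part of the original mail or of Bro itself): a small Python reader that turns conn.log records into the per-flow figures the question asked for (bytes per flow, plus an overall total and average). It assumes the whitespace-separated Bro 1.x conn.log column layout (timestamp, duration, orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, state, optional flags/addl), which the mail does not reproduce, and the sample lines are constructed. As the mail notes, there is no packet count per flow, so the example only aggregates bytes and handles the `?` Bro writes when a byte count is unknown.

```python
"""
Per-flow byte statistics from a Bro 1.x style conn.log.

ASSUMED column layout (Bro 1.x whitespace-separated conn.log; not shown
on the page):
  timestamp duration orig_h resp_h service orig_p resp_p proto
  orig_bytes resp_bytes state [flags] [addl]
Bro writes '?' for a duration or byte count it could not determine.
"""
from collections import namedtuple

Flow = namedtuple(
    "Flow",
    "ts duration orig_h resp_h service orig_p resp_p proto "
    "orig_bytes resp_bytes state",
)

# Constructed sample records in the assumed layout (not real traffic).
SAMPLE_CONN_LOG = """\
1185209481.648424 0.123 10.0.0.5 192.168.1.10 http 45123 80 tcp 320 1540 SF X
1185209482.000000 12.5 10.0.0.5 192.168.1.20 ssh 45124 22 tcp 4120 9850 SF X
1185209483.250000 ? 10.0.0.7 192.168.1.30 other 5353 5353 udp ? ? S0 X
"""


def parse_count(field, conv=int):
    """Convert a numeric field, returning None for Bro's '?' (unknown)."""
    return None if field == "?" else conv(field)


def parse_conn_log(text):
    """Parse conn.log text into Flow records; skips blank/comment/short lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 11:
            continue  # truncated or malformed record
        flows.append(Flow(
            ts=float(f[0]),
            duration=parse_count(f[1], float),
            orig_h=f[2], resp_h=f[3], service=f[4],
            orig_p=int(f[5]), resp_p=int(f[6]), proto=f[7],
            orig_bytes=parse_count(f[8]),
            resp_bytes=parse_count(f[9]),
            state=f[10],
        ))
    return flows


def flow_total_bytes(flow):
    """orig+resp bytes for one flow, or None if either direction is unknown."""
    if flow.orig_bytes is None or flow.resp_bytes is None:
        return None
    return flow.orig_bytes + flow.resp_bytes


def summarize(flows):
    """Overall summary over the flows whose byte counts are known."""
    totals = [t for t in (flow_total_bytes(f) for f in flows) if t is not None]
    return {
        "flows": len(flows),
        "flows_with_byte_counts": len(totals),
        "total_bytes": sum(totals),
        "avg_bytes_per_flow": sum(totals) / len(totals) if totals else 0.0,
    }


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    for fl in flows:
        print(fl.orig_h, "->", fl.resp_h, fl.service, "bytes:", flow_total_bytes(fl))
    print(summarize(flows))
```

Flows with an unknown byte count are kept in the flow count but left out of the byte totals, so the average is not silently dragged down by records Bro could not measure; on a real trace, `parse_conn_log(open("conn.log").read())` is all that changes.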
