[Bro] How to count concurrent connections

[Bernhard Ager]

Hi,

I am currently trying to count concurrent connections. I'd like to use
a script like this:

    redef ignore_checksums = T;
    redef capture_filters += { ["tcp-setup"] = "tcp" };

    global conncounter_file = open_log_file ("conncounter");
    global total_conn_count = 0;
    global concurrent_conn_count = 0;
    
    event connection_established (c: connection) {
            ++total_conn_count;
            ++concurrent_conn_count;
            if (total_conn_count % 1000 == 0) {
                    print conncounter_file, fmt ("%.06f total: %08d  max concurrent: %d",
                          network_time(), total_conn_count, concurrent_conn_count);
            }
    }
    
    event connection_state_removed (c: connection) {
            --concurrent_conn_count;
    }

However, the numbers I get soon become negative resp. I get a runtime
error - counter negative. A quick check showed me that
connection_state_removed gets thrown up to four times per connection
in only the first few minutes of my trace. 

I then tried to replace connection_state_removed() with
connection_reset() and connection_finished(). However I am not
convinced this is enough because even after more then 90 minutes trace
time concurrent_conn_count is still increasing significantly (~1300
per minute on a 1 Gig uplink). 

So my question now is: which events are thrown when exactly? Do I have
to track the established connections in the scripting layer? Is there
a way to just query for the size of the bro-internal connection
tracker?

BTW: I am using a header trace. In my opinion this shouldn't make a
difference, but maybe ...


Thanks for help!
  Bernhard
-- 
Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin