[Bro] Using BRO for measuring TCP flow bandwidth

Harkeerat Bedi hsbedi at memphis.edu
Thu Aug 19 15:26:01 PDT 2010


Hello,

Thank you once again for your suggestions. I have been going through the
Reference Manual, the conn.bro, and the methods in that file. I also went
through some examples from the Bro 2007 workshop.

I am able to obtain the flow duration and amount of data transferred as I
want. However I am facing one issue which is explained below. Following is
what I have done, kindly suggest.

1. I have created one policy file called "ex2e.bro" and rewritten the
connection_established method:

event connection_established(c: connection)
{
        local id = c$id;
        local log_msg =
                fmt("%.6f %.6f %s %s %d %d %d %d ",
                        c$start_time, c$duration, id$orig_h, id$resp_h,
                        id$orig_p, id$resp_p, c$orig$size, c$resp$size);
        print log_msg;
        schedule 5 sec { connection_established(c) };
}

In the above policy, I call the same method every 5 seconds and the connection
values are printed.

2. I have one tcpdump which contains one tcp flow from 10.1.1.3 to 10.1.2.3.
BRO and TCPDUMP run on an intermediate node which is analyzing this
flow. This flow was started after BRO was started and was ended after BRO
was ended.

3. I use my created policy file "ex2e.bro" on that tcpdump using the
command:
# sudo /.../bro -r testCapture4.dump ex2e.bro weird alarm | /.../cf
Aug 19 13:23:21 0.001304 10.1.1.3 10.1.2.3 50191 5001 0 0
Aug 19 13:23:21 4.986504 10.1.1.3 10.1.2.3 50191 5001 593704 0
Aug 19 13:23:21 10.001823 10.1.1.3 10.1.2.3 50191 5001 1193176 0
Aug 19 13:23:21 14.993030 10.1.1.3 10.1.2.3 50191 5001 1789752 0
Aug 19 13:23:21 20.016351 10.1.1.3 10.1.2.3 50191 5001 2389224 0
Aug 19 13:23:21 25.007562 10.1.1.3 10.1.2.3 50191 5001 2985800 0
Aug 19 13:23:21 29.998899 10.1.1.3 10.1.2.3 50191 5001 3582376 0
Aug 19 13:23:21 35.014104 10.1.1.3 10.1.2.3 50191 5001 4181848 0
Aug 19 13:23:21 40.005321 10.1.1.3 10.1.2.3 50191 5001 4778424 0
Aug 19 13:23:21 45.020655 10.1.1.3 10.1.2.3 50191 5001 5377896 0
Aug 19 13:23:21 50.012500 10.1.1.3 10.1.2.3 50191 5001 5974472 0
Aug 19 13:23:21 55.027839 10.1.1.3 10.1.2.3 50191 5001 6573944 0
Aug 19 13:23:21 58.371315 10.1.1.3 10.1.2.3 50191 5001 6973592 0

As we can see, the duration of the connection is updated every 5 seconds (as
the method is called every 5 seconds).
Also, the amount of originator's bytes sent is incremented accordingly.
This is what I wanted.

4. However, when I run the same command on actual network traffic, that is:
$ sudo /.../bro -i em2 ex2e.bro weird alarm

I do not see similar kind of output. Following is what I observe:
pcap bufsize = 32768
listening on em2
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0

As we can see, both the duration and originator's bytes sent are not
incremented.

Shouldn't the duration and the originator's bytes sent increment the same
way as it did on the tcpdump because I am using the same commands? Am I
missing something?

Also is this approach of modifying the connection_established() correct? I
went with this approach as it worked on the tcpdump. I am interested in
obtaining the duration of an ongoing tcp flow, and the amount of bytes
transferred over an actual network so far in a periodic manner before the
connection is closed.

Kindly provide your suggestions.

Thank you,

Regards,
Harkeerat Bedi
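As an added example (not part of the original post and not Bro's own code), the small Python post-processor below turns the periodic snapshot lines that the ex2e.bro policy prints into the two numbers the thread is after: the throughput of each 5-second interval and the average throughput per direction over the connection so far (Sridhar's suggestion, computed from the running counters instead of from record_connection). It assumes only the field order shown in the post (timestamp, duration, orig_h, resp_h, orig_p, resp_p, orig bytes, resp bytes) and that the timestamp prefix is either the three tokens produced by `cf` or the raw epoch value; the sample lines are copied from the two runs in the post. Intervals in which the duration does not advance, which is exactly the symptom of the live run, are counted as stalled rather than dividing by zero.

```python
"""Per-interval and average TCP flow throughput from periodic Bro connection snapshots."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Output of the pcap run (copied from the post; `cf` prefixed each line with a date/time).
PCAP_RUN = """\
Aug 19 13:23:21 0.001304 10.1.1.3 10.1.2.3 50191 5001 0 0
Aug 19 13:23:21 4.986504 10.1.1.3 10.1.2.3 50191 5001 593704 0
Aug 19 13:23:21 10.001823 10.1.1.3 10.1.2.3 50191 5001 1193176 0
Aug 19 13:23:21 14.993030 10.1.1.3 10.1.2.3 50191 5001 1789752 0
Aug 19 13:23:21 20.016351 10.1.1.3 10.1.2.3 50191 5001 2389224 0
Aug 19 13:23:21 25.007562 10.1.1.3 10.1.2.3 50191 5001 2985800 0
Aug 19 13:23:21 29.998899 10.1.1.3 10.1.2.3 50191 5001 3582376 0
Aug 19 13:23:21 35.014104 10.1.1.3 10.1.2.3 50191 5001 4181848 0
Aug 19 13:23:21 40.005321 10.1.1.3 10.1.2.3 50191 5001 4778424 0
Aug 19 13:23:21 45.020655 10.1.1.3 10.1.2.3 50191 5001 5377896 0
Aug 19 13:23:21 50.012500 10.1.1.3 10.1.2.3 50191 5001 5974472 0
Aug 19 13:23:21 55.027839 10.1.1.3 10.1.2.3 50191 5001 6573944 0
Aug 19 13:23:21 58.371315 10.1.1.3 10.1.2.3 50191 5001 6973592 0
"""

# First lines of the live run (copied from the post; raw epoch timestamp, counters never move).
LIVE_RUN = """\
pcap bufsize = 32768
listening on em2
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
"""

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Snapshot:
    duration: float     # c$duration when the line was printed
    orig_h: str
    resp_h: str
    orig_p: int
    resp_p: int
    orig_bytes: int     # c$orig$size
    resp_bytes: int     # c$resp$size

    @property
    def flow(self) -> Flow:
        return (self.orig_h, self.orig_p, self.resp_h, self.resp_p)


@dataclass
class IntervalRate:
    start: float        # duration at the start of the interval (seconds)
    end: float          # duration at the end of the interval (seconds)
    orig_bps: float     # originator -> responder, bit/s
    resp_bps: float     # responder -> originator, bit/s


def parse_snapshot(line: str) -> Snapshot:
    """Parse one printed line. The timestamp prefix is one token (epoch) or three
    tokens (`cf`), so the seven trailing fields are read from the right."""
    tokens = line.split()
    if len(tokens) < 8:
        raise ValueError(f"not a connection snapshot: {line!r}")
    dur, oh, rh, op, rp, ob, rb = tokens[-7:]
    return Snapshot(float(dur), oh, rh, int(op), int(rp), int(ob), int(rb))


def interval_rates(snaps: List[Snapshot]) -> Tuple[List[IntervalRate], int]:
    """Throughput of each interval between consecutive snapshots of one flow, plus
    the number of intervals in which the duration did not advance (stalled)."""
    rates: List[IntervalRate] = []
    stalled = 0
    for prev, cur in zip(snaps, snaps[1:]):
        dt = cur.duration - prev.duration
        if dt <= 0:
            stalled += 1          # counters frozen: no rate can be derived
            continue
        rates.append(IntervalRate(prev.duration, cur.duration,
                                  (cur.orig_bytes - prev.orig_bytes) * 8 / dt,
                                  (cur.resp_bytes - prev.resp_bytes) * 8 / dt))
    return rates, stalled


def average_rate(snaps: List[Snapshot]) -> Tuple[float, float]:
    """Average throughput per direction (bit/s) over the connection so far."""
    last = snaps[-1]
    if last.duration <= 0:
        return 0.0, 0.0
    return last.orig_bytes * 8 / last.duration, last.resp_bytes * 8 / last.duration


def summarise(lines: List[str]) -> Dict[Flow, dict]:
    """Group snapshot lines per flow and report interval and average rates."""
    flows: Dict[Flow, List[Snapshot]] = {}
    for line in lines:
        if not line.strip() or line.startswith(("pcap bufsize", "listening on")):
            continue              # skip Bro's start-up chatter on a live run
        snap = parse_snapshot(line)
        flows.setdefault(snap.flow, []).append(snap)
    report = {}
    for flow, snaps in flows.items():
        rates, stalled = interval_rates(snaps)
        avg_orig, avg_resp = average_rate(snaps)
        report[flow] = {"intervals": rates, "stalled_intervals": stalled,
                        "avg_orig_bps": avg_orig, "avg_resp_bps": avg_resp}
    return report


if __name__ == "__main__":
    for label, text in (("pcap", PCAP_RUN), ("live", LIVE_RUN)):
        for flow, r in summarise(text.splitlines()).items():
            print(f"[{label}] {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} "
                  f"avg {r['avg_orig_bps']/1e6:.3f} Mbit/s orig, "
                  f"{r['avg_resp_bps']/1e6:.3f} Mbit/s resp, "
                  f"{len(r['intervals'])} intervals, {r['stalled_intervals']} stalled")
            for iv in r["intervals"]:
                print(f"   {iv.start:9.3f}s - {iv.end:9.3f}s  {iv.orig_bps/1e6:.3f} Mbit/s")
```

Run it as `bro -r testCapture4.dump ex2e.bro | python3 thisfile.py` by replacing the embedded text with `sys.stdin`; the pcap run yields roughly 0.95 Mbit/s in every interval and on average, while the live run produces no usable interval and a non-zero stalled count, which is a cheap way to notice in a script that the counters are not being refreshed.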


On Thu, Aug 12, 2010 at 6:03 PM, Harkeerat Bedi <hsbedi at memphis.edu> wrote:

> Thank you Sridhar. I think what you mentioned is kind of what I am
> trying to do. Allow me to look into the conn.bro file and I will update here
> accordingly.
>
> Thank you once again.
>
> Regards,
> Harkeerat Bedi
>
>
>
> On Thu, Aug 12, 2010 at 12:19 PM, sridhar basam <sridhar.basam at gmail.com> wrote:
>
>> If you are looking to get averages over the tcp session, look at the
>> conn.bro file. It records enough information for you to derive the average
>> throughput in either direction over the life of the connection. You can
>> change the routine "record_connection" to calculate the avg. throughput in
>> each direction.
>>
>>  sridhar
>>
>>
>> On Wed, Aug 11, 2010 at 11:18 PM, Harkeerat Bedi <hsbedi at memphis.edu> wrote:
>>
>>> Hello,
>>>
>>> I am a beginner to BRO IDS and am currently using it for monitoring one
>>> interface of a FreeBSD machine over an experiment network.
>>>
>>> Part of my project now requires to also capture the network bandwidth
>>> being utilized by a flow that passes through the BRO monitored interface.
>>> By flow we mean a source-destination IP pair.
>>>
>>> Is this kind of measurement possible in BRO? If not, is there any add-on
>>> which can be used to accomplish the same task using BRO?
>>>
>>> Kindly suggest and thanks in advance.
>>>
>>> Regards,
>>> Harkeerat Bedi
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>>
>> --
>> Sridhar
>>
>
>