[Bro] Using BRO for measuring TCP flow bandwidth

Harkeerat Bedi hsbedi at memphis.edu
Sat Aug 21 12:36:28 PDT 2010


Anyone?

My question is why BRO appears to behave differently when reading from a
tcpdump versus from an interface. Kindly advise.

Thanks,
Harkeerat Bedi


On Thu, Aug 19, 2010 at 5:26 PM, Harkeerat Bedi <hsbedi at memphis.edu> wrote:

> Hello,
>
> Thank you once again for your suggestions. I have been going through the
> Reference Manual, the conn.bro, and the methods in that file. I also went
> through some examples from the Bro 2007 workshop.
>
> I am able to obtain the flow duration and amount of data transferred as I
> want. However I am facing one issue which is explained below. Following is
> what I have done, kindly suggest.
>
> 1. I have created one policy file called "ex2e.bro" and rewritten the
> connection_established method:
>
> event connection_established(c: connection)
> {
>     local id = c$id;
>     # start time, duration so far, 4-tuple, bytes sent by each side
>     local log_msg = fmt("%.6f %.6f %s %s %d %d %d %d ",
>                         c$start_time, c$duration, id$orig_h, id$resp_h,
>                         id$orig_p, id$resp_p, c$orig$size, c$resp$size);
>     print log_msg;
>     # re-raise this same event for this connection in 5 seconds
>     schedule 5 sec { connection_established(c) };
> }
>
> In the above policy, I call the same method every 5 seconds and the
> connection values are printed.
>
> 2. I have one tcpdump which contains one tcp flow from 10.1.1.3 to
> 10.1.2.3. BRO and TCPDUMP run on an intermediate node which is analyzing
> this flow. This flow was started after BRO was started and was ended after
> BRO was ended.
>
> 3. I use my created policy file "ex2e.bro" on that tcpdump using the
> command:
> # sudo /.../bro -r testCapture4.dump ex2e.bro weird alarm | /.../cf
> Aug 19 13:23:21 0.001304 10.1.1.3 10.1.2.3 50191 5001 0 0
> Aug 19 13:23:21 4.986504 10.1.1.3 10.1.2.3 50191 5001 593704 0
> Aug 19 13:23:21 10.001823 10.1.1.3 10.1.2.3 50191 5001 1193176 0
> Aug 19 13:23:21 14.993030 10.1.1.3 10.1.2.3 50191 5001 1789752 0
> Aug 19 13:23:21 20.016351 10.1.1.3 10.1.2.3 50191 5001 2389224 0
> Aug 19 13:23:21 25.007562 10.1.1.3 10.1.2.3 50191 5001 2985800 0
> Aug 19 13:23:21 29.998899 10.1.1.3 10.1.2.3 50191 5001 3582376 0
> Aug 19 13:23:21 35.014104 10.1.1.3 10.1.2.3 50191 5001 4181848 0
> Aug 19 13:23:21 40.005321 10.1.1.3 10.1.2.3 50191 5001 4778424 0
> Aug 19 13:23:21 45.020655 10.1.1.3 10.1.2.3 50191 5001 5377896 0
> Aug 19 13:23:21 50.012500 10.1.1.3 10.1.2.3 50191 5001 5974472 0
> Aug 19 13:23:21 55.027839 10.1.1.3 10.1.2.3 50191 5001 6573944 0
> Aug 19 13:23:21 58.371315 10.1.1.3 10.1.2.3 50191 5001 6973592 0
>
> As we can see, the duration of the connection is updated every 5 seconds
> (as the method is called every 5 seconds.)
> Also, the amount of originator's bytes sent is incremented accordingly.
> This is what I wanted.
>
> 4. However, when I run the same command on actual network traffic, that is:
> $ sudo /.../bro -i em2 ex2e.bro weird alarm
>
> I do not see similar kind of output. Following is what I observe:
> pcap bufsize = 32768
> listening on em2
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
> 1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
>
> As we can see, both the duration and originator's bytes sent are not
> incremented.
>
> Shouldn't the duration and the originator's bytes sent increment the same
> way as they did on the tcpdump, since I am using the same commands? Am I
> missing something?
>
> Also is this approach of modifying the connection_established() correct? I
> went with this approach as it worked on the tcpdump. I am interested in
> obtaining the duration of an ongoing tcp flow, and the amount of bytes
> transferred over an actual network so far in a periodic manner before the
> connection is closed.
>
> Kindly provide your suggestions.
>
> Thank you,
>
> Regards,
> Harkeerat Bedi
>
>
>
> On Thu, Aug 12, 2010 at 6:03 PM, Harkeerat Bedi <hsbedi at memphis.edu> wrote:
>
>> Thank you Sridhar. I think what you mentioned is kind of what I am
>> trying to do. Allow me to look into the conn.bro file and I will update here
>> accordingly.
>>
>> Thank you once again.
>>
>> Regards,
>> Harkeerat Bedi
>>
>>
>>
>> On Thu, Aug 12, 2010 at 12:19 PM, sridhar basam <sridhar.basam at gmail.com> wrote:
>>
>>> If you are looking to get averages over the tcp session, look at the
>>> conn.bro file. It records enough information for you to derive the average
>>> throughput in either direction over the life of the connection. You can
>>> change the routine "record_connection" to calculate the avg. throughput in
>>> each direction.
>>>
>>>  sridhar
>>>
>>>
>>> On Wed, Aug 11, 2010 at 11:18 PM, Harkeerat Bedi <hsbedi at memphis.edu> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am a beginner to BRO IDS and am currently using it for monitoring one
>>>> interface of a FreeBSD machine over an experiment network.
>>>>
>>>> Part of my project now requires me to also capture the network bandwidth
>>>> being utilized by a flow that passes through the BRO monitored interface.
>>>> By flow we mean a source-destination IP pair.
>>>>
>>>> Is this kind of measurement possible in BRO? If not, is there any add-on
>>>> which can be used to accomplish the same task using BRO?
>>>>
>>>> Kindly suggest and thanks in advance.
>>>>
>>>> Regards,
>>>> Harkeerat Bedi
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
>>>
>>>
>>> --
>>> Sridhar
>>>
>>
>>
>
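As an added illustration (not part of the thread and not Bro's own code): the periodic prints above give cumulative byte counts and a cumulative duration per connection, so the bandwidth of a flow over one interval is the difference in bytes between two consecutive samples divided by the difference in their durations. The script below parses lines in either layout that appears in the thread (the raw epoch-prefixed form from the live run, or the `cf`-prefixed form from the trace run), computes per-interval throughput in bits per second for each 4-tuple, and reports an interval as unmeasurable when two samples carry the same duration, which is exactly the shape of the live-capture output the poster saw. The field order is taken from the `fmt()` call in the posted `ex2e.bro`; the sample lines are copied from the thread's output.

```python
"""Per-interval throughput from periodic Bro connection samples.

Added example, not from the mailing-list thread. Field layout follows the
fmt() string in the posted ex2e.bro:
    start_time duration orig_h resp_h orig_p resp_p orig_bytes resp_bytes
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ConnKey = Tuple[str, str, int, int]  # (orig_h, resp_h, orig_p, resp_p)

# Constructed from the thread's offline-trace output (first four samples),
# with the human-readable timestamp that `cf` substitutes for start_time.
TRACE_OUTPUT = """\
Aug 19 13:23:21 0.001304 10.1.1.3 10.1.2.3 50191 5001 0 0
Aug 19 13:23:21 4.986504 10.1.1.3 10.1.2.3 50191 5001 593704 0
Aug 19 13:23:21 10.001823 10.1.1.3 10.1.2.3 50191 5001 1193176 0
Aug 19 13:23:21 14.993030 10.1.1.3 10.1.2.3 50191 5001 1789752 0
"""

# Constructed from the thread's live-interface output: Bro's startup lines
# followed by samples whose duration and byte counts never change.
LIVE_OUTPUT = """\
pcap bufsize = 32768
listening on em2
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
1282249401.443512 0.001360 10.1.1.3 10.1.2.3 50191 5001 0 0
"""


@dataclass(frozen=True)
class Sample:
    start: str          # start_time field as printed (epoch or cf-formatted)
    duration: float     # c$duration so far, in seconds
    key: ConnKey
    orig_bytes: int     # c$orig$size
    resp_bytes: int     # c$resp$size


@dataclass(frozen=True)
class Rate:
    key: ConnKey
    t0: float           # duration at the earlier sample
    t1: float           # duration at the later sample
    orig_bps: Optional[float]   # None when no connection time elapsed
    resp_bps: Optional[float]


def parse_sample(line: str) -> Sample:
    """Parse one printed line; tolerates a raw or cf-formatted start time."""
    tokens = line.split()
    if len(tokens) < 8:
        raise ValueError(f"expected at least 8 fields, got {len(tokens)}: {line!r}")
    # The last seven fields are fixed; whatever precedes them is the start time.
    duration, orig_h, resp_h, orig_p, resp_p, orig_b, resp_b = tokens[-7:]
    return Sample(start=" ".join(tokens[:-7]), duration=float(duration),
                  key=(orig_h, resp_h, int(orig_p), int(resp_p)),
                  orig_bytes=int(orig_b), resp_bytes=int(resp_b))


def _bps(delta_bytes: int, delta_t: float) -> Optional[float]:
    # A pair of samples with identical durations carries no new information,
    # so no rate is reported rather than dividing by zero.
    return None if delta_t <= 0 else delta_bytes * 8 / delta_t


def interval_rates(lines: Iterable[str]) -> List[Rate]:
    """Throughput between consecutive samples of the same connection."""
    last: Dict[ConnKey, Sample] = {}
    rates: List[Rate] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("pcap ", "listening on")):
            continue  # skip Bro's own startup chatter seen in the live run
        s = parse_sample(line)
        prev = last.get(s.key)
        if prev is not None:
            dt = s.duration - prev.duration
            rates.append(Rate(key=s.key, t0=prev.duration, t1=s.duration,
                              orig_bps=_bps(s.orig_bytes - prev.orig_bytes, dt),
                              resp_bps=_bps(s.resp_bytes - prev.resp_bytes, dt)))
        last[s.key] = s
    return rates


def stale_intervals(rates: List[Rate]) -> int:
    """Count intervals where the sampled record had not advanced at all."""
    return sum(1 for r in rates if r.orig_bps is None)


if __name__ == "__main__":
    for label, text in (("trace", TRACE_OUTPUT), ("live", LIVE_OUTPUT)):
        rs = interval_rates(text.splitlines())
        print(f"{label}: {len(rs)} intervals, {stale_intervals(rs)} stale")
        for r in rs:
            shown = "n/a" if r.orig_bps is None else f"{r.orig_bps / 1e6:.3f} Mbit/s"
            print(f"  {r.t0:9.6f}s -> {r.t1:9.6f}s  orig {shown}")
```

Run on the trace samples this yields roughly 0.95 Mbit/s in the originator direction for each interval; on the live samples every interval is reported as stale, which is the symptom to look for when a periodic measurement appears to work but the underlying record is not advancing.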