[Bro] Using BRO for measuring TCP flow bandwidth

[Vern Paxson]

> Which is the main event handler in BRO that "usually" updates the
> c$duration, c$orig$size and c$resp$size variables of the connection object?

It does so on any connection_* event that it generates.  However, in between
those events, the variables are *not* updated.  (That is, their updates
are driven by the generation of the events.)

Looking at the code, it appears that the new_packet event will also spur
an update, so capturing that should suffice.

In addition, there's a connection_status_update(c: connection) event that
you can turn on by defining a handler for it, and by setting
connection_status_update_interval to a positive time interval (e.g., "1 sec").
That will then be generated periodically at the given interval.

> 2. Regarding your suggestion on my use and invocation of the
> connection_established event, I have made some changes to my policy file and
> attached the same to this mail. Can you kindly provide your feedback on
> this.

The way you structured it now looks good, modulo the consideration above
of when the variables actually get updated.  That said, just using
connection_status_update directly would be simpler.

		Vern