[Bro] Using BRO for measuring TCP flow bandwidth

Harkeerat Bedi hsbedi at memphis.edu
Mon Aug 30 22:48:23 PDT 2010


On Mon, Aug 30, 2010 at 5:42 PM, Vern Paxson <vern at icir.org> wrote:

> > My previous experiment setup was as follows.
> >
> > Setup1:
> > Node1 (Client) <------>   Node2 (running BRO) < ------ > Node3 (Server)
>
> If on Node2 instead of running Bro you capture packets with tcpdump, does
> Bro run correctly on the resulting trace?


1. Yes. The command that I use is:
$ sudo /usr/local/.../bin/bro -r ../testCapture6.dump ex2e.bro

Task: I am ftp'ing one file from Node 1 to Node3.

Snippet of output:
10.1.2.3 10.1.1.3 20 57713 bitrate: 117337.34, duration: 3.011079, size: 0 353312
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 117722.29, duration: 4.022144, size: 0 473496
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 117969.47, duration: 5.020214, size: 0 592232
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 118139.81, duration: 6.030279, size: 0 712416

Notice the increase in size and duration every one second. This is as
expected.

2. When I run the following command (that is reading from an interface
"em2"):
$ sudo /usr/local/.../bin/bro -i em2 ex2e.bro

Task: Same as before (I am ftp'ing one file from Node 1 to Node3).

Snippet of output observed:
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
1283232336.474291 8.932614 10.1.2.3 10.1.1.3 20 47271 0 1052696 - TCP_CLOSED

Notice that size and duration do not increase every second. But when I stop
the file transfer, I see updated values.

3. One more thing I noticed:
When I run my policy file along with the TCP and FTP analyzers on the live
interface using the command below.
Command:
$ sudo /usr/local/.../bin/bro -i em2 ex2e.bro tcp ftp

Task: Same as before (I am ftp'ing one file from Node 1 to Node3).

I see the following output:
Snippet:

1283232724.432981 0.001834 10.1.1.3 10.1.2.3 53747 21 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 0.00, duration: 0.001834, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 10608.46, duration: 0.007824, size: 0 83
10.1.1.3 10.1.2.3 53747 21 bitrate: 10608.46, duration: 0.007824, size: 0 83
10.1.1.3 10.1.2.3 53747 21 bitrate: 63.43, duration: 2.222891, size: 16 141
10.1.1.3 10.1.2.3 53747 21 bitrate: 72.37, duration: 3.150419, size: 29 228
10.1.1.3 10.1.2.3 53747 21 bitrate: 72.37, duration: 3.150419, size: 29 228
10.1.1.3 10.1.2.3 53747 21 bitrate: 41.28, duration: 6.007643, size: 37 248
1283232730.452595 0.003124 10.1.2.3 10.1.1.3 20 40035 0 0
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 31.48, duration: 12.549360, size: 76 395
1283232730.452595 6.530739 10.1.2.3 10.1.1.3 20 40035 0 770336 - TCP_CLOSED
10.1.1.3 10.1.2.3 53747 21 bitrate: 31.48, duration: 12.549360, size: 76 395
10.1.1.3 10.1.2.3 53747 21 bitrate: 31.48, duration: 12.549360, size: 76 395
1283232724.432981 15.582105 10.1.1.3 10.1.2.3 53747 21 82 409 - TCP_CLOSED

Notice that the duration and size variables of the control connection (port 21)
update every time I enter a new ftp command (e.g. ls, to list the files in
that remote directory). This did not happen earlier, when I did not use the
TCP and FTP analyzers. And when I stop the transfer and close the connection,
I see the total duration and size.

I think that I am missing some event handlers but I cannot figure out which
ones. I even tried running BRO with "brolite" (which loads many of the
standard analyzers) along with my policy file, but in vain.

> (Perhaps this is how you're
> already capturing the traffic that it works correctly on, but I thought
> of asking because on some systems packet capture for local traffic is
> incomplete, and in particular lacks locally sent packets.)
>
> What OS's are the Nodes running?
>

Node 2 and 3 are FreeBSD 7.2
Node 1 is Ubuntu 10.04

>
>                Vern
>

Thank you.
Harkeerat Bedi
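As an added example (not part of this thread and not the poster's ex2e.bro, whose source is not shown), the following Python script parses the per-poll lines quoted above, recomputes the bitrate from the size and duration fields, and flags flows whose counters did not move between consecutive polls, which is the live-capture symptom described in point 2. The line layout and the sample lines are copied from the thread (with the wrapped lines re-joined); the regular expression and the check functions are my own assumptions. In every sample on the page the printed bitrate equals responder bytes divided by duration (originator bytes are not included), so that is the relation the script verifies.

```python
import re
from collections import defaultdict

# Pattern for the per-poll lines printed by the poster's policy script.
# The field layout is taken from the thread; the script itself is not shown there.
SAMPLE_RE = re.compile(
    r"^(?P<src>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"bitrate:\s*(?P<bitrate>[\d.]+),\s*"
    r"duration:\s*(?P<duration>[\d.]+),\s*"
    r"size:\s*(?P<orig>\d+)\s+(?P<resp>\d+)\s*$"
)

# Sample output copied from the thread: first the trace run (-r), then the live run (-i).
TRACE_OUTPUT = """\
10.1.2.3 10.1.1.3 20 57713 bitrate: 117337.34, duration: 3.011079, size: 0 353312
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 117722.29, duration: 4.022144, size: 0 473496
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 117969.47, duration: 5.020214, size: 0 592232
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 118139.81, duration: 6.030279, size: 0 712416
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
"""

LIVE_OUTPUT = """\
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
1283232336.474291 8.932614 10.1.2.3 10.1.1.3 20 47271 0 1052696 - TCP_CLOSED
"""


def parse_sample(line):
    """Parse one bitrate line; return None for any other output line
    (for example the timestamp-first connection summary lines)."""
    m = SAMPLE_RE.match(line.strip())
    if not m:
        return None
    return {
        "flow": (m["src"], m["dst"], int(m["sport"]), int(m["dport"])),
        "bitrate": float(m["bitrate"]),
        "duration": float(m["duration"]),
        "orig": int(m["orig"]),
        "resp": int(m["resp"]),
    }


def expected_bitrate(sample):
    """Responder bytes per second, the relation every sample in the thread obeys."""
    if sample["duration"] <= 0:
        return 0.0
    return sample["resp"] / sample["duration"]


def analyze(lines, rel_tol=0.01):
    """Group samples by 4-tuple, recompute the bitrate, and count polls whose
    duration and responder byte count did not move since the previous poll."""
    flows = defaultdict(list)
    for line in lines:
        s = parse_sample(line)
        if s is not None:
            flows[s["flow"]].append(s)

    report = {}
    for flow, samples in flows.items():
        mismatches = sum(
            1 for s in samples
            if abs(expected_bitrate(s) - s["bitrate"]) > rel_tol * max(s["bitrate"], 1.0)
        )
        frozen = sum(
            1 for prev, cur in zip(samples, samples[1:])
            if cur["duration"] == prev["duration"] and cur["resp"] == prev["resp"]
        )
        report[flow] = {
            "samples": len(samples),
            "bitrate_mismatches": mismatches,
            "frozen_polls": frozen,
            # Every poll after the first repeated the previous one. While a transfer
            # is in progress that is the live-capture symptom from the thread; an
            # already-finished connection looks the same, so read this together
            # with the connection state.
            "frozen": len(samples) > 1 and frozen == len(samples) - 1,
        }
    return report


if __name__ == "__main__":
    for label, text in (("trace", TRACE_OUTPUT), ("live", LIVE_OUTPUT)):
        for flow, info in analyze(text.splitlines()).items():
            print(label, flow, info)
```

Run against the two snippets, the trace-mode data connection (port 20 to 57713) shows four advancing polls and no bitrate mismatches, while the live-mode data connection (port 20 to 47271) is reported as frozen for all four polls, which matches the poster's observation that the counters only change once the transfer stops.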