[Bro] using Bro as traffic analyzer.

Readon Shaw xydarcher at 163.com
Sun Dec 4 18:47:48 PST 2011 

>> i find Bro is so widely used, which seems can fulfill the requirement.
>
>Good to hear it works for you and welcome aboard!
It is a greate platform, thank you for your works.
>
>> Can i disable other functions embedded in Bro, and add a plugin myself?
>
>With the upcoming release of 2.0, Bro enables policy-neutral protocol
>analysis by default, meaning it gives you a neutral picture of what's
>going on in your network. For additional analyses and detectors, you
>need to load the corresponding scripts in the policy directory;
>local.bro is a good starting point. That said, you only pay for basic
>protocol decoding by default.
>
>> What is the point to archieve this, modify the core .cpp source file or add
>> a .bro file?
>
>This depends on the functionality you would like to add. Would you
>mind elaborating a bit so that we can give you more helpful advice?
>Changing the format of the log output or modifying analyzer behavior
>generally works at the scripting layer. Bro features a Turing-complete
>scripting language. You can write your own new functions and events.
>If you would like to haul C/C++ functionality up to the scripting
>layer, you might want to consider writing your own built-in function
>(BiF). See src/bro.bif for examples. If you would like to add a new
>protocol analyzer, then BinPAC is the right tool for you.
>
I want to match tcp handshake pairs and record the intervals between 
each SYN and SYN-ACK pairs with their arrival time. At the same time, 
roughly packet loss rate (vs different timescales) should be calculated 
by tcp retransmission rate. It is a statistical analysis on network traffic 
that would be processed by .bro files i think. some of them are similar 
with functions already existed. Would you please give me some notes 
on which files i should start with?

btw: I read the document and find that all C/C++ code is designed 
for decoding packets. bro files take charge in statistal or general processing.
Is it right? Any general pictures were provided in bro?
>    Matthias

--------------
Readon Shaw

More information about the Bro mailing list