[Bro] using Bro as traffic analyzer.

[Matthias Vallentin]

> I want to match tcp handshake pairs and record the intervals between
> each SYN and SYN-ACK pairs with their arrival time. At the same time,
> roughly packet loss rate (vs different timescales) should be calculated
> by tcp retransmission rate. It is a statistical analysis on network
> traffic that would be processed by .bro files i think. some of them
> are similar with functions already existed. Would you please give me
> some notes on which files i should start with?

Yes, you're right. This sort of analysis can be entirely done at the
scripting layer, i.e., it only involves *.bro scripts.

Bro reassembles the full TCP byte stream. When you deal with connection
data, duplicates/retransmission are already removed. If you want to
compute round-trip times at the packet level, you can write a handler
for the events new_connection (which is generated for every new
SYN packet) and connection_established (which is generated for a
successful TCP handshake after a SYN-ACK).

For retransmissions, have a look at the events: rexmit_inconsistency,
content_gap, and gap_report. Unfortunately I cannot provide more
detailed information other than pointing you to our ongoing
documentation effort in the git repository:

    git clone git://git.bro-ids.org/bro.git
    git checkout topic/script-reference
    less src/event.bif

Maybe others can chime in and give you further guidance.

(Also, to measure system/NIC capture loss, there is
policy/misc/capture-loss.bro.)

> btw: I read the document and find that all C/C++ code is designed
> for decoding packets. bro files take charge in statistal or general
> processing. Is it right? Any general pictures were provided in bro?

That's correct. Packet "decoding" is done at the Bro core. Bro
reassembles the TCP byte stream and presents it as a connection to the
user. You may find our workshop materials helpful to better understand
the architecture of Bro: http://www.bro-ids.org/bro-workshop-2011

    Matthias