[Bro] using Bro as traffic analyzer.

Readon Shaw xydarcher at 163.com
Fri Dec 9 02:36:21 PST 2011


>> I want to match TCP handshake pairs and record the intervals between
>> each SYN and SYN-ACK pair with their arrival time. At the same time,
>> a rough packet loss rate (vs. different timescales) should be calculated
>> from the TCP retransmission rate. It is a statistical analysis of network
>> traffic that would be processed by .bro files, I think. Some of them
>> are similar to functions that already exist. Would you please give me
>> some notes on which files I should start with?
>
>Yes, you're right. This sort of analysis can be entirely done at the
>scripting layer, i.e., it only involves *.bro scripts.
>
>Bro reassembles the full TCP byte stream. When you deal with connection
>data, duplicates/retransmission are already removed. If you want to
>compute round-trip times at the packet level, you can write a handler
>for the events new_connection (which is generated for every new
>SYN packet) and connection_established (which is generated for a
>successful TCP handshake after a SYN-ACK).

I have written a script called local.bro which was applied to the events connection_established & connection_first_ACK,
but it seems that the events have not been triggered. I tested the script with the network trace "http.pcap" provided on the Bro website.


The script follows as an attachment.

>
>For retransmissions, have a look at the events: rexmit_inconsistency,
>content_gap, and gap_report. Unfortunately I cannot provide more
>detailed information other than pointing you to our ongoing
>documentation effort in the git repository:
>
>    git clone git://git.bro-ids.org/bro.git
>    git checkout topic/script-reference
>    less src/event.bif
>
>Maybe others can chime in and give you further guidance.
>
>(Also, to measure system/NIC capture loss, there is
>policy/misc/capture-loss.bro.)
>
>> btw: I read the documentation and found that all C/C++ code is designed
>> for decoding packets. .bro files take charge of statistical or general
>> processing. Is that right? Are any general pictures provided in Bro?
>
>That's correct. Packet "decoding" is done at the Bro core. Bro
>reassembles the TCP byte stream and presents it as a connection to the
>user. You may find our workshop materials helpful to better understand
>the architecture of Bro: http://www.bro-ids.org/bro-workshop-2011
>
>    Matthias

--------------
Readon Shaw

-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.bro
Type: application/octet-stream
Size: 666 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111209/e6f34199/attachment.obj 

