[Bro] http response encoded length ?

Seth Hall seth at icir.org
Sat May 19 21:48:45 PDT 2012


On May 16, 2012, at 4:56 PM, Dalton Porter wrote:

> One of the requirements for my project is to measure the bytes sent and received on the wire.  I'm thinking there must be a counter -  maybe in conn that could be used for this.  resp_ip_bytes looks promising, but I have not figured out how to use it yet.

Ah!  Ok, that's available but you have to be aware of what you are measuring.  In your conn.log there are several fields that represent the data you're looking for.

orig_bytes, resp_bytes
These are payload bytes for data sent by the originator and responder.  

orig_ip_bytes, resp_ip_bytes
These are byte counts including the IP header.  If you are looking for the total amount of data being sent across your border to the "internet", then this is likely the measurement you want.

These fields are available several ways; one easy way that is a nice analog to log processing is to access them through the logging framework event as the data is being logged.

event Conn::log_conn(rec: Conn::Info)
	{
	print rec$orig_ip_bytes + rec$resp_ip_bytes;
	}

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
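As an added illustration (not part of Seth's message or the Bro project's own scripts), the snippet below extends the Conn::log_conn approach to the "bytes across the border" measurement from the thread: it sums orig_ip_bytes and resp_ip_bytes per direction, but only for connections where exactly one endpoint is local. It assumes a Bro 2.x install with Site::local_nets configured (otherwise Site::is_local_addr() returns F for everything and nothing is counted), and it guards the &optional byte fields with the ?$ test, since reading an unset optional field aborts the script at runtime. The module name BorderBytes and its globals are hypothetical names chosen for this example.

```bro
# Added example: accumulate IP-layer bytes crossing the network border, split
# by direction, and print a summary when Bro shuts down.  Assumes Site::local_nets
# has been set (e.g. in local.bro) so that Site::is_local_addr() is meaningful.
@load base/protocols/conn
@load base/utils/site

module BorderBytes;

export {
	## Bytes that left the local networks (sent toward the "internet").
	global outbound: count = 0;
	## Bytes that entered the local networks.
	global inbound: count = 0;
	## Connections skipped because the byte counts were not available.
	global skipped: count = 0;
}

event Conn::log_conn(rec: Conn::Info)
	{
	# orig_ip_bytes / resp_ip_bytes are &optional in Conn::Info; check with ?$
	# before dereferencing, otherwise an unset field is a runtime error.
	if ( ! rec?$orig_ip_bytes || ! rec?$resp_ip_bytes )
		{
		++skipped;
		return;
		}

	local orig_local = Site::is_local_addr(rec$id$orig_h);
	local resp_local = Site::is_local_addr(rec$id$resp_h);

	# Local-to-local and remote-to-remote traffic never crosses the border.
	if ( orig_local == resp_local )
		return;

	if ( orig_local )
		{
		# Local host originated the connection: its payload went out,
		# the responder's payload came in.
		outbound += rec$orig_ip_bytes;
		inbound  += rec$resp_ip_bytes;
		}
	else
		{
		# Remote host originated the connection: the reverse applies.
		outbound += rec$resp_ip_bytes;
		inbound  += rec$orig_ip_bytes;
		}
	}

event bro_done()
	{
	print fmt("border bytes: out=%d in=%d skipped_conns=%d",
	          outbound, inbound, skipped);
	}
```

Because the sums are taken from the same records that land in conn.log, the numbers printed at shutdown can be cross-checked afterwards with bro-cut against that log, which is a useful sanity check before trusting the figure for capacity or billing purposes.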