[Bro] Traffic Volume Calculation Using Bro's Connection Log
Naveed Anwar
hunarame at gmail.com
Thu Nov 7 10:58:02 PST 2013
Hi,
I'm facing a small problem when running Bro. I'm trying to calculate the
volume of traffic generated per host. I have a set of pcap files, each
containing traffic from a single host. I thought I could run Bro on each
pcap file, and then sum the orig_bytes and resp_bytes columns in conn.log
to get the total volume of traffic for one host. However, when I run Bro on
a 250 MB pcap file, the sum of these two columns is only 107 MB
approximately, and not 250 MB as I expected. Is there any alternate method
for calculating the volume of traffic generated by one host?
Here's the script I ran to get the sum:
cat conn.log | awk 'BEGIN{FS="\t"; count=0;} {count=count+$10; count+=$11} END {print count;}'
This was the output of the script (which I expected would be 250 MB
instead):
107790112 bytes
It would be great if you could help me resolve this issue!
Thank you,
--
Regards,
Naveed Anwar Bhatti
Research Associate
FAST-NU Islamabad
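
A header-aware version of the sum described in the post, as an added example that is not part of the original message: it locates orig_bytes and resp_bytes by name from the #fields line, treats "-" (unset) as zero, and also totals orig_ip_bytes and resp_ip_bytes, which conn.log records as IP-level bytes (headers included) rather than payload bytes. The function names, the reduced field set and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: total conn.log byte counters by column name, not position.

# Constructed sample log with a reduced field set (values are made up).
make_sample_log() {
    printf '#separator \\x09\n#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\torig_bytes\tresp_bytes\torig_ip_bytes\tresp_ip_bytes\n'
    printf '1383850000.0\tC1\t10.0.0.5\t192.0.2.10\ttcp\t1000\t5000\t1400\t5600\n'
    printf '1383850001.0\tC2\t10.0.0.5\t192.0.2.53\tudp\t40\t120\t68\t148\n'
    printf '1383850002.0\tC3\t10.0.0.5\t192.0.2.20\ttcp\t-\t-\t120\t0\n'
}

# Reads conn.log from the given file(s) or stdin.
# Prints: <payload bytes> <IP-level bytes> <rows with unset orig_bytes>
conn_volume() {
    awk -F'\t' '
        # Value of the named column on the current row; 0 if unset or absent.
        function num(name,   v) {
            if (!(name in col)) return 0
            v = $(col[name])
            return (v == "-" || v == "") ? 0 : v + 0
        }
        # Map field names to column numbers ($1 is the "#fields" tag itself).
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        # Skip the remaining metadata lines (#separator, #path, #close, ...).
        /^#/       { next }
        {
            payload += num("orig_bytes") + num("resp_bytes")
            wire    += num("orig_ip_bytes") + num("resp_ip_bytes")
            if (("orig_bytes" in col) && $(col["orig_bytes"]) == "-") unset++
        }
        # %.0f keeps totals above 2^31 intact on awk builds with 32-bit %d.
        END { printf "%.0f %.0f %d\n", payload, wire, unset }
    ' "$@"
}

make_sample_log | conn_volume   # prints: 6160 7336 1
```

Run it against a real log with `conn_volume conn.log`; a gap between the first two numbers shows how much of the on-wire volume is packet headers or connections whose payload size was not recorded.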