[Bro] Traffic Volume Calculation Using Bro's Connection Log

scottie jwillie4020 at gmail.com
Thu Nov 21 20:37:03 PST 2013


Try this:
awk 'BEGIN { other = 0; tcp = 0; udp = 0; icmp = 0 }
     /^#/ { next }                        # skip the #fields/#types header and #close lines
     $7 == "tcp"  { tcp++ }               # $7 is the proto column of the default conn.log
     $7 == "udp"  { udp++ }
     $7 == "icmp" { icmp++ }
     $7 != "tcp" && $7 != "udp" && $7 != "icmp" { other++ }
     END { print "TCP:  " tcp, "\nUDP:  " udp, "\nICMP: " icmp, "\nOther: " other }' conn.log \
| column -t

It will give you an overview of tcp/udp/icmp and 'other' connections.
What does it output for you? 99.9% of my traffic is one of these first 3.



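The one-liner above counts connections per protocol. For actual traffic volume you usually want bytes, and hard-coding column positions breaks as soon as the log layout changes. The following is an added example, not code from the original post or from Bro: it takes column positions from the `#fields` header that Bro 2.x writes at the top of every log, buckets connections into TCP/UDP/ICMP/Other, and sums `orig_bytes + resp_bytes` per bucket (an unset value is logged as `-` and counted as 0). The `sample_conn_log` function emits a constructed conn.log with made-up UIDs and addresses so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Per-protocol connection count and
# byte volume from a Bro conn.log, with column positions read from "#fields".

# Constructed sample in Bro 2.x conn.log layout (tab-separated). UIDs, hosts and
# byte counts are made up. Columns are trimmed to the ones this example needs.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n'
    printf '1385092623.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\t0.512\t1200\t45000\tSF\n'
    printf '1385092624.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\tssl\t2.001\t3500\t120000\tSF\n'
    printf '1385092625.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t53412\t10.0.0.1\t53\tudp\tdns\t0.010\t60\t180\tSF\n'
    printf '1385092626.000000\tCtPZjS20MLrsMUOJi2\t10.0.0.7\t-\t10.0.0.1\t-\ticmp\t-\t-\t64\t64\tOTH\n'
    printf '1385092627.000000\tCUM0KZ3MLUfNB0cl11\t10.0.0.9\t40000\t10.0.0.3\t22\ttcp\tssh\t-\t-\t-\tS0\n'
    printf '1385092628.000000\tC9rXSW3KSpTYvPrlI1\t10.0.0.9\t0\t10.0.0.3\t0\tunknown_transport\t-\t-\t-\t-\tOTH\n'
    printf '#close\t2013-11-21-20-37-03\n'
}

# Usage: conn_volume_by_proto [conn.log ...]   (reads stdin when no file is given)
# Output: tab-separated "proto conns bytes" rows for TCP, UDP, ICMP and Other.
conn_volume_by_proto() {
    awk '
        BEGIN { FS = "\t" }
        # The #fields line names every column; remember each name -> position.
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }                       # #separator, #types, #close, ...
        {
            proto = $(col["proto"])
            b = (proto == "tcp" || proto == "udp" || proto == "icmp") ? toupper(proto) : "Other"
            conns[b]++
            ob = $(col["orig_bytes"]); rb = $(col["resp_bytes"])
            if (ob == "-") ob = 0           # unset in Bro logs is "-", not 0
            if (rb == "-") rb = 0
            bytes[b] += ob + rb             # payload bytes seen in both directions
        }
        END {
            printf "proto\tconns\tbytes\n"
            n = split("TCP UDP ICMP Other", order, " ")
            for (i = 1; i <= n; i++)
                printf "%s\t%d\t%d\n", order[i], conns[order[i]], bytes[order[i]]
        }' "$@"
}

# Demo on the constructed log; on a sensor run: conn_volume_by_proto /path/to/conn.log | column -t
sample_conn_log | conn_volume_by_proto
```

Because the column lookup comes from the header, the same function works on a conn.log with extra or reordered fields as long as `proto`, `orig_bytes` and `resp_bytes` exist; if you need wire volume rather than payload bytes, point it at `orig_ip_bytes` and `resp_ip_bytes` instead.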