[Bro] count connection bytes

Seth Hall seth at icir.org
Thu Jan 2 09:21:10 PST 2014


On Dec 23, 2013, at 4:26 PM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:

> event connection_finished(c:connection)
>         {
>         print c$orig$num_bytes_ip;
>         print c$resp$num_bytes_ip;
>         }
> 
> I'm probably missing something obvious but it is escaping me.  thanks

You probably want to use the connection_state_remove event instead as it indicates when a connection is expunged from memory.  connection_finished has some extra context to it that you may not care about.

Also, the num_bytes_ip field is a per-packet field and includes the size of the IP header on down (tcp/udp + payload typically).  If you are looking for content bytes you will want c$orig$size which will show you the size of the reassembled TCP contents in the case of TCP.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
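A script that records both byte counts side by side, as an added example (not code from the thread or from the Bro project): it uses connection_state_remove as Seth suggests, logs c$orig$size / c$resp$size as the reassembled payload bytes, and treats num_bytes_ip as the optional per-packet IP-level figure (it is assumed here to be populated only when the connection-size analyzer is counting, so the script checks for its presence before reading it). The module and log names are placeholders.

```bro
module ConnBytes;

export {
    redef enum Log::ID += { LOG };

    # One record per connection, written when Bro expunges it from memory.
    type Info: record {
        ts:            time    &log;
        uid:           string  &log;
        id:            conn_id &log;
        orig_bytes:    count   &log;              # reassembled payload bytes, originator
        resp_bytes:    count   &log;              # reassembled payload bytes, responder
        orig_ip_bytes: count   &log &optional;    # IP header and down, if counted
        resp_ip_bytes: count   &log &optional;
    };
}

event bro_init()
    {
    Log::create_stream(ConnBytes::LOG, [$columns=Info]);
    }

event connection_state_remove(c: connection)
    {
    # size is always present; it is the content-level figure the thread asks about.
    local rec: Info = [$ts=c$start_time, $uid=c$uid, $id=c$id,
                       $orig_bytes=c$orig$size, $resp_bytes=c$resp$size];

    # num_bytes_ip is an optional field (assumption: only set when per-packet
    # size counting is active), so guard the access to avoid a runtime error.
    if ( c$orig?$num_bytes_ip )
        rec$orig_ip_bytes = c$orig$num_bytes_ip;
    if ( c$resp?$num_bytes_ip )
        rec$resp_ip_bytes = c$resp$num_bytes_ip;

    Log::write(ConnBytes::LOG, rec);
    }
```

Comparing orig_bytes against orig_ip_bytes in the resulting log shows the header overhead Seth describes, which is useful when deciding which figure a transfer-volume detection should threshold on.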
