[Bro] getting big resp_bytes in very short duration
김희철
hckim at narusec.com
Mon Mar 24 18:12:07 PDT 2014
Hi,
I am running a Bro 2.1 cluster with pf_ring.
I am getting a strange reading in conn.log:
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
1386409938.786306	CKlLre3mzijeYEIf8c	192.168.1.134	63093	117.52.156.65	80	tcp	http	0.008831	612	1789158751	SF	T	0	ShADadfF	8	956	6	433	(empty)
1386592764.721467	C9RQ8U1M31oXWexK59	192.168.1.134	51800	117.52.156.63	80	tcp	http	0.009957	612	1482640315	SF	T	0	ShADadfF	8	956	6	433	(empty)
resp_bytes is very big, but duration is very short.
I can see that resp_pkts and resp_ip_bytes are very small; is this the reason duration is very short?
Is this a bug? If not, what does this mean?
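An added sanity check for records like the two above; this is example code written for this page, not code from the post or from the Bro project. Bro's conn.log documentation states that orig_bytes/resp_bytes are payload counts derived from TCP sequence numbers and may be inaccurate, while orig_ip_bytes/resp_ip_bytes are summed from the packets the sensor actually saw, so a payload count larger than the IP byte count for the same direction cannot both be right and is worth flagging. What caused the poster's readings is not established in the thread; the script only surfaces such records. The embedded sample log reuses the two records from the post and adds one constructed normal record for contrast; the field names are the ones in the post's #fields header.

```python
"""Flag Bro/Zeek conn.log records whose sequence-number-derived payload count
exceeds the IP bytes actually observed in the same direction."""
from typing import Dict, List, Tuple

# Sample log: the #fields header and two records from the post, plus one
# constructed record (uid Cabcdef0123456789) showing consistent counters.
# Bro's ASCII writer separates fields with single tabs.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "1386409938.786306\tCKlLre3mzijeYEIf8c\t192.168.1.134\t63093\t117.52.156.65\t80"
    "\ttcp\thttp\t0.008831\t612\t1789158751\tSF\tT\t0\tShADadfF\t8\t956\t6\t433\t(empty)",
    "1386592764.721467\tC9RQ8U1M31oXWexK59\t192.168.1.134\t51800\t117.52.156.63\t80"
    "\ttcp\thttp\t0.009957\t612\t1482640315\tSF\tT\t0\tShADadfF\t8\t956\t6\t433\t(empty)",
    # constructed: a small HTTP fetch where payload bytes < IP bytes both ways
    "1386592800.000000\tCabcdef0123456789\t192.168.1.134\t51801\t117.52.156.63\t80"
    "\ttcp\thttp\t0.120000\t612\t1789\tSF\tT\t0\tShADadfF\t8\t956\t6\t2105\t(empty)",
])


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's tab-separated ASCII log into dicts keyed by #fields names.

    Other '#' lines (#separator, #types, #close, ...) are skipped."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"malformed conn.log record: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def _to_int(value: str) -> int:
    # Bro writes '-' for unset fields; treat that as zero bytes.
    return 0 if value == "-" else int(value)


def byte_counter_mismatches(records: List[Dict[str, str]]) -> List[Tuple[str, str, int, int]]:
    """Return (uid, direction, payload_bytes, ip_bytes) for every TCP record
    in which <dir>_bytes (from sequence numbers) exceeds <dir>_ip_bytes
    (summed from packets seen). A consistent record never satisfies this."""
    found: List[Tuple[str, str, int, int]] = []
    for rec in records:
        if rec["proto"] != "tcp":
            continue
        for direction in ("orig", "resp"):
            payload = _to_int(rec[f"{direction}_bytes"])
            ip_bytes = _to_int(rec[f"{direction}_ip_bytes"])
            if payload > ip_bytes:
                found.append((rec["uid"], direction, payload, ip_bytes))
    return found


def implied_rate_bps(rec: Dict[str, str]) -> float:
    """Responder payload rate implied by resp_bytes over duration, in bit/s.
    Useful as a second sanity signal: values far above link speed are bogus."""
    duration = float(rec["duration"])
    if duration <= 0:
        return float("inf")
    return _to_int(rec["resp_bytes"]) * 8 / duration


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for uid, direction, payload, ip_bytes in byte_counter_mismatches(recs):
        print(f"{uid}: {direction}_bytes={payload} but {direction}_ip_bytes={ip_bytes}")
    for rec in recs:
        print(f"{rec['uid']}: implied responder rate {implied_rate_bps(rec) / 1e9:.1f} Gbit/s")
```

Run it against a real conn.log by replacing SAMPLE_CONN_LOG with the file's contents; the parser only needs the #fields header to be present. For the two records from the post it reports resp_bytes of 1789158751 and 1482640315 against resp_ip_bytes of 433, and an implied responder rate of well over a thousand Gbit/s, which no 9 ms HTTP exchange with six packets can carry.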