A question about long-connections

I installed zeek-long-connections on CentOS. The result is as follows:


Field “orig_bytes” is cumulative, but I would like the separate data.
The original result looks like: in the first time period [0,t], the value of orig_bytes is a1; in the second time period [0,2t], the value of orig_bytes is a2.
The result I hope for is like: in the first time period [0,t], the value of orig_bytes is a1; in the second time period [0,2t], the value of orig_bytes is a2-a1.
Are there any suggestions for achieving this effect? Thank you.

The following uses the log policy hooks to do what you want, though there’s some interplay with the normal conn.log due to the re-use of the Conn::Info record - I believe it works out though.

redef record Conn::Info += {
        # Cumulative orig_bytes as of the previous long-connection entry.
        # No &log attribute, so it never shows up in any log.
        prev_orig_bytes: count &default=0;
};

hook LongConnection::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
        {
        # orig_bytes is &optional in Conn::Info; accessing it while unset is a runtime error.
        if ( ! rec?$orig_bytes )
                return;

        local tmp = rec$orig_bytes;
        # Log only the bytes seen since the previous entry, then remember this total.
        rec$orig_bytes = rec$orig_bytes - rec$prev_orig_bytes;
        rec$prev_orig_bytes = tmp;
        }

It would maybe be better to add a new &log field for the relative value only, but due to the Conn::Info reuse that would then also show up in the normal conn.log.

Maybe that helps a bit.
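As an added example (my own script, not the answerer's code and not part of the zeek-long-connections package), here is the alternative the answer mentions: a dedicated &log field for the per-interval value, for both directions, with the conn.log side of the Conn::Info reuse handled by excluding the new fields from conn.log's default filter. The field names delta_orig_bytes, delta_resp_bytes, prev_orig_bytes and prev_resp_bytes and the helper interval_delta are chosen for this example; it assumes the package's LongConnection::log_policy hook as used above.

```zeek
# Added example: per-interval byte counts in dedicated fields.
# Assumes the zeek-long-connections package (hook LongConnection::log_policy).
# The delta_*/prev_* field names and interval_delta are my own choices.

redef record Conn::Info += {
        # Running totals as of the previous long-connection entry; not logged.
        prev_orig_bytes: count &default=0;
        prev_resp_bytes: count &default=0;

        # Bytes seen since the previous entry. Logged, but excluded from
        # conn.log in zeek_init below so they only appear in the long-connection log.
        delta_orig_bytes: count &log &optional;
        delta_resp_bytes: count &log &optional;
};

# Delta for one direction; totals are monotonic, so the guard only
# protects against underflowing a count if something unexpected happens.
function interval_delta(total: count, prev: count): count
        {
        return total >= prev ? total - prev : 0;
        }

hook LongConnection::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
        {
        # Both byte fields are &optional in Conn::Info; only touch them when set.
        if ( rec?$orig_bytes )
                {
                rec$delta_orig_bytes = interval_delta(rec$orig_bytes, rec$prev_orig_bytes);
                rec$prev_orig_bytes = rec$orig_bytes;
                }

        if ( rec?$resp_bytes )
                {
                rec$delta_resp_bytes = interval_delta(rec$resp_bytes, rec$prev_resp_bytes);
                rec$prev_resp_bytes = rec$resp_bytes;
                }
        }

# Run after Conn::LOG's default filter has been created (that happens at
# a higher zeek_init priority), then replace it with a copy that drops the
# delta fields, so conn.log keeps its usual columns.
event zeek_init() &priority=-5
        {
        local f = Log::get_filter(Conn::LOG, "default");
        f$exclude = set("delta_orig_bytes", "delta_resp_bytes");
        Log::add_filter(Conn::LOG, f);
        }
```

With this, the long-connection log keeps the cumulative orig_bytes/resp_bytes columns untouched and gains the per-interval columns alongside them, and the final conn.log entry is unchanged because Log::add_filter replaces the "default" filter in place with one whose exclude set hides the new fields.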

Very useful, thank you very much.