About zeek packet capture data writing time

When zeek captures a complete packet, a log record will be formed. But how can we count traffic data once in a fixed period of time? For example, when users upload or download files, it takes half an hour. I want to count the unfinished sessions every ten minutes, even though the session has not ended yet. Do you have any relevant solutions or ideas? Thank you.

Hello @cindystudyeveryday - there’s the “long-connections” package which sounds like it’d fulfill what you’re looking for:

Thank you. I’ve tried this, and now I have some problems.

1. Long sessions are captured every fixed time. Among the multiple records formed, the start time “ts” for the record with the same ID is consistent, and the time interval “duration” is increasing. I want to ask whether the number of packets or bytes is accumulated from the beginning or added between two records?

2. I seem to see some duplicate records. What’s the reason?

Hi! The zeek-long-connections package has a built-in series of durations after which the package will log a connection. After each of those durations, the created log entry shows the state of a connection at that time. So the logged packet/byte counts are accumulating throughout, and you see duplicate records when there has been no further activity on a connection.

Hope that helps,
Christian

At zeek/share/zeek/site/zeek-long-connections/main.zeek, I set the time interval to 5s, but the time difference in the actual log is not strictly equal to this value. The current time is like 9.47661, 14.740471, 18.204023. What may be the reason?
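A small post-processing script that addresses both points raised above: since the logged byte/packet counters accumulate across the repeated snapshots of one connection, per-interval traffic is the difference between consecutive records of the same uid, and a snapshot whose counters did not move is the "no further activity" duplicate. It also reports the actual spacing between snapshots (from the growing `duration` field), which is where a drift away from the configured interval would show up. This is an added example, not code from the thread or from the zeek-long-connections package; the sample log is constructed, and the counter field names (`orig_bytes`, `resp_bytes`, `orig_pkts`, `resp_pkts`) are assumed to mirror conn.log, so check them against the `#fields` header of the package's own log.

```python
from collections import defaultdict

# Constructed sample in Zeek's TSV log layout (tabs between columns).
# Three snapshots of connection Cabc1 at 10, 20 and 30 minutes; the third
# one shows no growth, i.e. the connection was idle. Field names after
# `duration` are ASSUMED to match conn.log's counters.
SAMPLE_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tduration\torig_bytes\tresp_bytes\torig_pkts\tresp_pkts
#types\ttime\tstring\taddr\taddr\tinterval\tcount\tcount\tcount\tcount
1700000000.000000\tCabc1\t10.0.0.5\t10.0.0.9\t600.000000\t1048576\t20480\t800\t400
1700000000.000000\tCabc1\t10.0.0.5\t10.0.0.9\t1200.000000\t2097152\t40960\t1600\t800
1700000000.000000\tCabc1\t10.0.0.5\t10.0.0.9\t1800.000000\t2097152\t40960\t1600\t800
1700000030.000000\tCdef2\t10.0.0.7\t10.0.0.9\t600.000000\t5120\t9000000\t300\t6000
#close\t2023-11-14-22-40-00
"""

COUNTERS = ("orig_bytes", "resp_bytes", "orig_pkts", "resp_pkts")


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log: pick the column names from '#fields', skip the
    other '#' header/footer lines, return one dict per data row."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def interval_deltas(records):
    """Turn cumulative per-connection snapshots into per-interval increments.

    Returns {uid: [ {duration, interval, delta, idle, backwards}, ... ]},
    ordered by duration within each uid. `interval` is the real spacing
    between two snapshots, `idle` marks a snapshot with no new traffic,
    `backwards` flags a counter that decreased (should never happen for
    one connection; it indicates a uid reuse or reordering problem).
    """
    by_uid = defaultdict(list)
    for rec in records:
        by_uid[rec["uid"]].append(rec)

    result = {}
    for uid, recs in by_uid.items():
        recs.sort(key=lambda r: float(r["duration"]))
        prev_dur, prev_counts = 0.0, {k: 0 for k in COUNTERS}
        rows = []
        for rec in recs:
            dur = float(rec["duration"])
            counts = {k: int(rec[k]) for k in COUNTERS}
            delta = {k: counts[k] - prev_counts[k] for k in COUNTERS}
            rows.append({
                "duration": dur,
                "interval": dur - prev_dur,
                "delta": delta,
                "idle": all(v == 0 for v in delta.values()),
                "backwards": any(v < 0 for v in delta.values()),
            })
            prev_dur, prev_counts = dur, counts
        result[uid] = rows
    return result


if __name__ == "__main__":
    for uid, rows in interval_deltas(parse_zeek_tsv(SAMPLE_LOG)).items():
        for row in rows:
            print(uid, row["duration"], row["interval"], row["delta"],
                  "idle" if row["idle"] else "")
```

Run it over the real `conn_long.log` by replacing `SAMPLE_LOG` with the file contents; rows with `idle` set are the repeated records the thread asks about, and the `interval` column shows the actual snapshot spacing rather than the configured one.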