the analyzer to count bytes and packets as seen on the wire per
connection (endpoint) is now in devel. If enabled the counters are part
of the connection record (actually the endpoint records) and can thus be
access by any event that gets a connection as argument.
To enable:
redef use_conn_size_analyzer = T;
To enable logging the sizes to conn.log:
# Whether to add 4 more columns to conn.log with
# orig_packet orig_ip_bytes resp_packets resp_ip_bytes
# Requires use_conn_size_analyzer=T
# Columns are added after history but before addl
redef report_conn_size_analyzer = T;
You might want to consider enables those if you run devel....
Thanks for doing the work on this, I've been wanting this functionality built into Bro for a long time. Is there any plan for getting this integrated into master? I see that there isn't a merge request yet, are you waiting for more testing?
It just came up for me because I'm rewriting the conn.bro script and I want to include that data if the analyzer is enabled as a replacement for the normal c$orig$size and c$resp$size.
the analyzer to count bytes and packets as seen on the wire per
connection (endpoint) is now in devel. If enabled the counters are part
of the connection record (actually the endpoint records) and can thus be
access by any event that gets a connection as argument.
Thanks for doing the work on this, I've been wanting this functionality built into Bro for a long time. Is there any plan for getting this integrated into master? I see that there isn't a merge request yet, are you waiting for more testing?
see Robin's mail
It just came up for me because I'm rewriting the conn.bro script and I want to include that data if the analyzer is enabled as a replacement for the normal c$orig$size and c$resp$size.
I've actually added the counters as additional columns in conn.bro
(there's one flag to enable the analyzer and another one to enable
logging in conn.log)
You might also want to consider that osize and rsize try to count the
logical number of payload bytes whereas my analyzer counts the number of
IP bytes so I don't know whether replacing the osize and rsize makes
sense (since it breaks behavior and given a conn.log file, it's hard to
know which format it's in).
OTOH, I think that people new to bro often get confused as to what osize
and rsize are (e.g., that can be heavily inflated and need sanity
checking).
(I don't have a preference to do it one way or the other, btw)
It just came up for me because I'm rewriting the conn.bro script and I want to include that data if the analyzer is enabled as a replacement for the normal c$orig$size and c$resp$size.
I've actually added the counters as additional columns in conn.bro
(there's one flag to enable the analyzer and another one to enable
logging in conn.log)
I'm reworking a lot of the analyzer companion scripts now (including conn.bro) and changing them to use the logging framework. I may make it an option in the new conn.bro script too. It should be pretty straightforward, especially since we've been working on giving the logging framework the specific capability for doing record extension to do this sort of thing.
You might also want to consider that osize and rsize try to count the
logical number of payload bytes whereas my analyzer counts the number of
IP bytes
Oh, good point. That's definitely something to think about.
OTOH, I think that people new to bro often get confused as to what osize
and rsize are (e.g., that can be heavily inflated and need sanity
checking).
I was confused by that for a while. It was weird for a while since I came from netflow analysis where you can pretty reliably trust the byte counts once you put all of the related flows back together.
Yeah, it's actually an important distinction. I think I'd like the
default to remain as it it: count TCP payload, and have an option to
optionally add (but not replace with) the raw bytes. One selling point
here is that the TCP values are actually something that NetFloow can
not offer.
[or]size is in the endpoint record. I think you may be thinking of the large-conns.bro script that calculates an upper and lower bound for the connection size.
[or]size is in the endpoint record. I think you may be thinking of the
large-conns.bro script that calculates an upper and lower bound for the
connection size.
Yep, exactly. I grepped around for osize/rsize and didn't find it. In
fact, I'm still not finding it. So is this an informal term, or am I not
looking in the right place?
type endpoint: record {
size: count;
state: count;
};
type connection: record {
id: conn_id;
orig: endpoint;
resp: endpoint;
start_time: time;
duration: interval;
service: string_set; # if empty, service hasn't been determined
addl: string;
hot: count; # how hot; 0 = don't know or not hot
history: string;
};