Bro Digest, Vol 110, Issue 35

Hey Michael,

I tried to stick to what you had and assumed the rest. I got it to work and here is what I had.

type Bandwidth: record {
    pair: string &log;
    bytesIn: count &log;
    bytesOut: count &log;
};

# Every distinct (pair, bytesIn, bytesOut) record seen so far.
global bandwidth: set[Bandwidth];

event connection_state_remove(c: connection) {
    # Key string of the form "originator,responder".
    local mypair = fmt("%s,%s", c$id$orig_h, c$id$resp_h);
    # Bytes sent by the originator and by the responder.
    local bin = c$orig$size;
    local bout = c$resp$size;

    local thispair: Bandwidth;
    thispair$pair = mypair;
    thispair$bytesIn = bin;
    thispair$bytesOut = bout;

    if (thispair in bandwidth)
        print fmt("My pair %s", thispair);
    else {
        print fmt("My pair 2 %s", thispair);
        add bandwidth[thispair];
    }
}

Here are results:

My pair 2 [pair=2601:347:c200:xxx:xxx:xxx:xxx:xxx,2607:f8b0:xxx:xxx::xxx, bytesIn=2737, bytesOut=1350]
My pair [pair=192.168.x.x,224.0.0.252, bytesIn=54, bytesOut=0]

I don’t think any bytes will return NULL, but you may want to consider doing " &log &optional ".
Also… this was run on bro-2.4.

Hope this helps!

RedLight
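
An added example, not part of RedLight's message: the set above is indexed by the whole record, so the same host pair with different byte counts is stored as a separate element. This variant indexes a table by the address pair and sums bytes across connections; the names PairBytes and pair_bytes are assumptions made for the example, and it uses Bro 2.4-era event names.

```bro
# Added example: per-pair byte totals across all connections.
type PairBytes: record {
    bytes_in: count &default=0;    # summed c$orig$size
    bytes_out: count &default=0;   # summed c$resp$size
};

# Indexed by (originator, responder) only, so byte counts never affect lookup.
global pair_bytes: table[addr, addr] of PairBytes;

event connection_state_remove(c: connection)
    {
    local o = c$id$orig_h;
    local r = c$id$resp_h;

    # First connection for this pair: start from zeroed counters.
    if ( [o, r] !in pair_bytes )
        pair_bytes[o, r] = PairBytes();

    pair_bytes[o, r]$bytes_in += c$orig$size;
    pair_bytes[o, r]$bytes_out += c$resp$size;
    }

event bro_done()
    {
    # One summary line per host pair once the trace or run ends.
    for ( [o, r] in pair_bytes )
        print fmt("%s,%s bytesIn=%d bytesOut=%d", o, r,
                  pair_bytes[o, r]$bytes_in, pair_bytes[o, r]$bytes_out);
    }
```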