count connection bytes

I’m very new to Bro scripting so I thank you ahead of time for your patience. I’m trying to write a simple script that just prints the bytes for the Rx and Tx of a TCP session. Below is what I have, but it isn’t giving me anything.

redef use_conn_size_analyzer = T;

event connection_finished(c: connection)
    {
    print c$orig$num_bytes_ip;
    print c$resp$num_bytes_ip;
    }

I’m probably missing something obvious but it is escaping me. Thanks

Thank you,

Brian

You probably want to use the connection_state_remove event instead as it indicates when a connection is expunged from memory. connection_finished has some extra context to it that you may not care about.

Also, the num_bytes_ip field is a per-packet field and includes the size of the IP header on down (tcp/udp + payload typically). If you are looking for content bytes you will want c$orig$size which will show you the size of the reassembled TCP contents in the case of TCP.

  .Seth
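
The two suggestions in the reply, combined into one script. This is an added example, not code from the original thread or from either poster. The helper name `describe_endpoint` is hypothetical, and the `redef` line is kept from the question as posted.

```bro
# Added example. Field and event names are the ones discussed in the thread.
redef use_conn_size_analyzer = T;

# Hypothetical helper: summarise one side of a connection.
# num_bytes_ip is an optional field, so test it with ?$ before reading it.
function describe_endpoint(e: endpoint): string
    {
    if ( ! e?$num_bytes_ip )
        return fmt("payload=%d ip_bytes=-", e$size);

    # Counts are unsigned, so only subtract when the result cannot go negative.
    if ( e$num_bytes_ip >= e$size )
        return fmt("payload=%d ip_bytes=%d overhead=%d",
                   e$size, e$num_bytes_ip, e$num_bytes_ip - e$size);

    return fmt("payload=%d ip_bytes=%d", e$size, e$num_bytes_ip);
    }

# Raised when the connection is removed from memory, as the reply suggests.
event connection_state_remove(c: connection)
    {
    # Restrict the output to TCP sessions, as in the original question.
    if ( ! is_tcp_port(c$id$resp_p) )
        return;

    print fmt("%s %s:%s -> %s:%s", c$uid,
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    print fmt("  orig (Tx): %s", describe_endpoint(c$orig));
    print fmt("  resp (Rx): %s", describe_endpoint(c$resp));
    }
```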