Definition of a connection in conn.log

Zeek
1

Hi,

I’m trying to understand how connections are formed by Bro before reporting them to conn.log - in particular, the following questions:

  1. Is it safe to assume that any given packet will be assigned to at most one connection, and thus to at most one row in conn.log?

  2. Why is it that some rows in conn.log do not have the duration field set? I see see several row with a ‘-’ in the duration field.

  3. The bro documentation states that “For UDP and ICMP, “connections” are to be interpreted using flow semantics (sequence of packets from a source host/port to a destination host/port).” However, what is the exact definition for a TCP flow? How does Bro decide which packets to include in a connection?

  4. For an ongoing ‘connection’, does Bro wait until the connection is over before logging it? What if the connection is quite long in duration…won’t that cause a lag? Or does Bro automatically chop up long flows based on some configurable limit parameter?

Basically, I’m trying to understand how Bro defines a ‘connection’, for the purposes of interpreting conn.log. I’ve looked at the online documentation but didn’t find what I was trying to understand.

Thanks to anyone who can shed some light on this, or point me in the right direction!

2

Hello,

let me try to give a few quick answers to your question.

1. Is it safe to assume that any given packet will be assigned to at most
one connection, and thus to at most one row in conn.log?

No - there is a special case for tunnels, where a connection can be the
parent of another connection (the child shows its parent in the
tunnel_parents field of conn.log). In that case, the packet is assigned to
both the child and the parent.

2. Why is it that some rows in conn.log do not have the duration field set?
I see see several row with a '-' in the duration field.

That should mean that the duration was "0" (e.g. single packet), if I am
not mistaken.

3. The bro documentation states that "For UDP and ICMP, “connections” are
to be interpreted using flow semantics (sequence of packets from a source
host/port to a destination host/port)." However, what is the exact
definition for a TCP flow? How does Bro decide which packets to include in
a connection?

That s a not quite straightforward to answer question. Generally Bro
counts connections a 5-tuples; however, there are several timeouts at work
(after no packets were arrived for a certain amount of time, a connection
is seen as finished; if theree are new packets, a new connection will
begin). For TCP, a connection also can be ended by fin and rst packets,
and a new connection will begin afterwards.

The timeouts are set using configuration variables - e.g. the default
tcp_inactivity_timeout, after which a TCP connection is considered closed
when no more packets are seen is 5 minutes. For UDP, it is 1 minute. For
ICMP it also is one minute.

4. For an ongoing 'connection', does Bro wait until the connection is over
before logging it? What if the connection is quite long in duration...won't
that cause a lag? Or does Bro automatically chop up long flows based on
some configurable limit parameter?

Yup. And you are right, it will cause a lag in logging.

I hope this helps,
Johanna

3

Thanks Johanna! This helps a lot.