Flow Statistics in BRO

Hi,

I have a trace file (from using TCPdump) and I would like to know how to get the flow statistics of this file using BRO (i.e. what would be the command line argument).
Thanks.

DAN

"bro -r trace tcp" should do it if you're only concerned about TCP.
For UDP and ICMP add "udp" and "icmp" to the command line,
respectively.

Robin

Hi,

when I run that command I get the following output (a sample):

1185209476.627097 weird: spontaneous_RST
1185209476.630111 weird: spontaneous_RST
1185209476.947233 weird: above_hole_data_without_any_acks
1185209478.283928 weird: spontaneous_FIN
1185209478.798191 weird: above_hole_data_without_any_acks
1185209479.339797 weird: spontaneous_RST
1185209479.943993 weird: spontaneous_RST
1185209480.904227 weird: spontaneous_FIN
1185209481.648424 weird: above_hole_data_without_any_acks

When I was talking about flow statistics, I was looking more for statistics such as total number of packets, average packet size, total bytes, total header (transport plus network layer) bytes, number of caller to callee packets, total caller to callee bytes, total caller to callee payload bytes, total caller to callee header bytes, number of callee to caller packets, total callee to caller payload bytes, and total callee to caller header bytes.

Also as an aside, do you know why there are these weird addresses in the scan.bro file because whenever I run bro -r tracefile tcp it always starts with the following lines:

/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
line 1: warning: event handlers never invoked:
line 1: warning: account_tried

Thanks.

Daniel.

Danny Nechay wrote:

> When I was talking about flow statistics, I was looking more for
> statistics such as total number of packets, average packet size, total
> bytes, total header (transport plus network layer) bytes, number of
> caller to callee packets, total caller
> to callee bytes, total caller to callee payload bytes, total caller to
> callee header bytes, number of callee to
> caller packets, total callee to caller payload bytes, and total callee
> to caller header bytes.

You can use the one-line connection summaries from bro:
   bro -r trace conn

This won't give you all the information you're interested in, but it's a
starting point.

hth
gregor

-- 
Gregor Maier gregor@net.t-labs.tu-berlin.de
TU Berlin / Deutsche Telekom Labs gregor.maier@tu-berlin.de
Sekr. TEL 4, FG INET www.net.t-labs.tu-berlin.de
Ernst-Reuter-Platz 7
10587 Berlin, Germany

(Got this mail in private first; here's a copy of my reply to the
list.)

> 1185209481.648424 weird: above_hole_data_without_any_acks

You can actually just ignore these messages, or load weird.bro which
sends them to weird.log.

> When I was talking about flow statistics, I was looking more for statistics
> such as total number of packets, average packet size, total bytes, total
> header

Have you looked into conn.log? Bro doesn't count packets per flow
but the rest of the information you're looking for should be in
there. (If I understand you correctly that you want *per-flow*
statistics and not an overall summary of, e.g., bytes in the trace).

> Also as an aside, do you know why there are these weird addresses in the
> scan.bro file because whenever I run bro -r tracefile tcp it always starts
> with the following lines:

They are a relic from the past when these hosts still existed, to
suppress reporting them as scanners. You can simply remove them from
scan.bro to get rid of the warning. IIRC this has already been done
in the current development version.

Robin
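Since the thread says Bro's connection summaries do not count packets per flow, here is an added example (written for this page, not code from the thread or from Bro) that computes the per-flow counters Daniel listed directly from the pcap: packets, average packet size, total bytes, header bytes and payload bytes, each split into caller-to-callee and callee-to-caller. It assumes a classic libpcap file with an Ethernet link layer and IPv4 TCP/UDP traffic; everything else is skipped. The "caller" is taken to be whichever endpoint sent the first packet seen for the 5-tuple, which is an assumption of this script (not Bro's SYN-based originator logic) and can be wrong for a trace that starts mid-connection. The sample capture is constructed in code so the script runs offline; pass a real trace as the first argument to use it instead.

```python
"""Per-flow packet and byte counters computed directly from a libpcap trace."""
import struct
import sys

LINKTYPE_ETHERNET = 1
COUNTERS = ("pkts", "bytes", "hdr_bytes", "payload_bytes")


def iter_packets(pcap):
    """Yield (timestamp, frame) for every record of an in-memory classic libpcap file."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"                                   # little-endian, microsecond stamps
    elif magic == 0xD4C3B2A1:
        end = ">"                                   # same format written big-endian
    else:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _wire_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def new_flow(caller, callee):
    f = {"caller": caller, "callee": callee}
    for scope in ("", "c2s_", "s2c_"):
        for c in COUNTERS:
            f[scope + c] = 0
    return f


def flow_stats(pcap):
    """Aggregate IPv4 TCP/UDP packets into 5-tuple flows.

    Assumption (this script's, not Bro's): the endpoint that sent the first
    packet we see is the caller, so a trace that starts mid-connection can get
    the directions backwards.  Byte counts use the IP total length, i.e.
    network header + transport header + payload; Ethernet framing is excluded.
    """
    flows = {}
    for ts, frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # IPv4 over Ethernet only
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        proto = ip[9]
        if proto == 6:                              # TCP: header length from data offset
            if len(ip) < ihl + 13:
                continue                            # cut short by the snaplen
            l4_hdr = (ip[ihl + 12] >> 4) * 4
        elif proto == 17:                           # UDP: fixed 8-byte header
            l4_hdr = 8
        else:
            continue                                # same scope as the tcp/udp analyzers
        if len(ip) < ihl + 4:
            continue
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        hdr = ihl + l4_hdr
        payload = max(total_len - hdr, 0)

        key, rkey = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        if key in flows:
            f, direction = flows[key], "c2s_"
        elif rkey in flows:
            f, direction = flows[rkey], "s2c_"
        else:
            f, direction = flows.setdefault(key, new_flow((src, sport), (dst, dport))), "c2s_"
        f.setdefault("first_seen", ts)
        f["last_seen"] = ts
        for scope in ("", direction):
            f[scope + "pkts"] += 1
            f[scope + "bytes"] += total_len
            f[scope + "hdr_bytes"] += hdr
            f[scope + "payload_bytes"] += payload
    for f in flows.values():
        f["avg_pkt_size"] = f["bytes"] / f["pkts"]
    return flows


def build_tcp_frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Constructed sample traffic: minimal Ethernet/IPv4/TCP frame, no checksums."""
    def a(s):
        return bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, a(src), a(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames, t0=1185209476):
    """Constructed container: little-endian libpcap, one frame per millisecond."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0, i * 1000, len(frame), len(frame)) + frame
    return bytes(out)


C, S = "10.0.0.5", "192.0.2.80"                     # constructed endpoints
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(C, S, 40001, 80, flags=0x02),                           # SYN
    build_tcp_frame(S, C, 80, 40001, flags=0x12),                           # SYN/ACK
    build_tcp_frame(C, S, 40001, 80, flags=0x10),                           # ACK
    build_tcp_frame(C, S, 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),            # 18 payload bytes
    build_tcp_frame(S, C, 80, 40001, b"HTTP/1.0 200 OK\r\n" + b"x" * 300),  # 317 payload bytes
    build_tcp_frame(C, S, 40001, 80, flags=0x11),                           # FIN/ACK
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key, f in flow_stats(data).items():
        print("%s:%d -> %s:%d proto=%d pkts=%d bytes=%d hdr=%d payload=%d avg=%.1f c2s=%d/%d s2c=%d/%d"
              % (key[0], key[1], key[2], key[3], key[4], f["pkts"], f["bytes"], f["hdr_bytes"],
                 f["payload_bytes"], f["avg_pkt_size"], f["c2s_pkts"], f["c2s_bytes"],
                 f["s2c_pkts"], f["s2c_bytes"]))
```

Packets truncated by the capture snaplen are still counted with their on-wire IP length, since the IP header carries the original total length; a packet too short to expose the transport header is dropped rather than guessed at. Header bytes are network plus transport header only, matching the definition in Daniel's question.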

> Also as an aside, do you know why there are these weird addresses in the
> scan.bro file because whenever I run bro -r tracefile tcp it always starts
> with the following lines:
>
> /usr/local/bro/policy/scan.bro, line 92: warning: no such host:
> j5004.inktomisearch.com

These are historical (they used to actually make good examples, but
those hosts have now gone away). They were recently removed, however -
are you using the CURRENT release?

    Vern