getting big resp_bytes in very short duration

user13 · March 25, 2014, 1:12am

Hi
I am running Bro 2.1 cluster with pf_ring
I am getting strange reading in a conn.log

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
1386409938.786306 CKlLre3mzijeYEIf8c 192.168.1.134 63093 117.52.156.65 80 tcp http 0.008831 612 1789158751 SF T 0 ShADadfF 8 956 6 433 (empty)
1386592764.721467 C9RQ8U1M31oXWexK59 192.168.1.134 51800 117.52.156.63 80 tcp http 0.009957 612 1482640315 SF T 0 ShADadfF 8 956 6 433 (empty)

resp_bytes are very big but duration is very short.
I can see that resp_pkets and resp_ip_bytes are very small, is this the reason duration is very short?

is this a bug, if not what is this mean?

Siwek_Jon · March 25, 2014, 2:47pm

{orig,resp}_bytes are derived from TCP sequence numbers rather than from the sizes of actual packet payloads that Bro processes so it’s somewhat more likely to be misreported in corner cases. However, there’s been at least three changes/fixes since Bro 2.1 that improve how this field is reported, so you may want to try the latest development version of Bro from git to determine whether this is a bug that’s been fixed.

- Jon

Topic		Replies	Views
High orig_bytes value Zeek	5	95	May 6, 2022
resp_bytes bug Zeek	1	81	May 6, 2022
Inaccuracy of orig_bytes and resp_bytes? Zeek	2	1020	November 23, 2022
unreported packet loss Zeek	3	76	May 6, 2022
A strange connection Zeek	4	68	May 6, 2022

getting big resp_bytes in very short duration

Related Topics