How to correctly understand missed_bytes?

Hi, dear team,
I am doing some experiments and have some problems.
case1: 'orig_bytes': 0, 'resp_bytes': 4294967295, 'missed_bytes': 5380689127, i.e., orig_bytes + resp_bytes < missed_bytes
case2: 'orig_bytes': 6055, 'resp_bytes': 9863, 'missed_bytes': 10897, i.e., orig_bytes + resp_bytes > missed_bytes, and orig_bytes < missed_bytes, resp_bytes < missed_bytes
case3: 'orig_bytes': 0, 'resp_bytes': 0, 'missed_bytes': 1787782494
case4: 'orig_bytes': 0, 'resp_bytes': 18419023091, 'missed_bytes': 18419023091, i.e., resp_bytes = missed_bytes
case5: 'orig_bytes': 1957083349, 'resp_bytes': 0, 'missed_bytes': 1957083349, i.e., orig_bytes = missed_bytes
…some other cases.
I want to know if I can get the exact orig_bytes and resp_bytes. If not, how should I correctly understand missed_bytes, orig_bytes and resp_bytes? I know orig_bytes and resp_bytes come from TCP seq. I'm dying to know the real outbound byte count and inbound byte count, because that is a critical indicator for estimating data breach volume.
I would greatly appreciate a prompt response from you. Your timely assistance would be highly valued.

I think you’re seeing evidence of capture loss in some of those cases that are confusing Zeek. For example, a missed bytes value of 5380689127 is over 5GB. Note that missed_bytes simply accounts for content gaps in either direction, see here.

For an alternative view of byte counts you could explore the orig_ip_bytes and resp_ip_bytes fields.
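One way to put the reply's advice into practice, as an added example that is neither Zeek's code nor the poster's: parse conn.log records, trust orig_bytes/resp_bytes only when missed_bytes is zero, and otherwise fall back to the orig_ip_bytes/resp_ip_bytes view of what the sensor actually captured. The sample records and the "claimed minus captured" heuristic are constructed assumptions, not values from the thread's logs.

```python
"""Triage Zeek conn.log byte counts under capture loss. Added example, not Zeek's code.
Assumes standard conn.log semantics: orig_bytes/resp_bytes are TCP-seq-derived payload
counts, orig_ip_bytes/resp_ip_bytes are IP bytes actually captured, and missed_bytes
is the content gap (either direction)."""

INT_FIELDS = {"orig_bytes", "resp_bytes", "missed_bytes", "orig_ip_bytes", "resp_ip_bytes"}

# Constructed conn.log excerpt (subset of columns); values mirror the cases in the thread.
SAMPLE = "\n".join("\t".join(r) for r in [
    ["#fields", "uid", "orig_bytes", "resp_bytes", "conn_state", "missed_bytes",
     "orig_ip_bytes", "resp_ip_bytes"],
    ["C1", "6055", "9863", "SF", "10897", "8175", "12263"],
    ["C2", "0", "4294967295", "S1", "5380689127", "180", "120"],
    ["C3", "420", "1810", "SF", "0", "800", "2230"],
    ["C4", "-", "-", "S0", "0", "60", "0"],
])


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek TSV text using its #fields header; '-' means unset (None)."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            for k in INT_FIELDS.intersection(rec):
                rec[k] = None if rec[k] == "-" else int(rec[k])
            rows.append(rec)
    return rows


def assess_volume(rec: dict) -> dict:
    """Per-direction bytes actually captured, plus whether the seq-derived counts are usable.
    Seq counts are trusted only with missed_bytes == 0 and both counts set (assumption)."""
    missed = rec.get("missed_bytes") or 0
    out = {"uid": rec["uid"], "capture_gap": missed,
           "seq_counts_reliable": missed == 0
           and None not in (rec.get("orig_bytes"), rec.get("resp_bytes"))}
    for side in ("orig", "resp"):
        claimed, seen = rec.get(f"{side}_bytes") or 0, rec.get(f"{side}_ip_bytes") or 0
        out[f"{side}_seen_bytes"] = seen
        # Payload claimed via sequence numbers beyond the IP bytes captured on the wire was
        # never seen by the sensor, so it must not be counted as observed transfer volume.
        out[f"{side}_unobserved"] = max(claimed - seen, 0)
    return out


def triage(text: str = SAMPLE) -> dict:
    """Map uid -> assessment for every record in a conn.log text."""
    return {a["uid"]: a for a in map(assess_volume, parse_conn_log(text))}
```

Run `triage()` on the constructed sample: C3 is the only record whose seq-derived counts are usable, while C2 claims about 4.29 GB of responder payload against 120 captured IP bytes.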


Thanks a lot. I have a new question. The explanation of the conn_state value 'S1' in the Zeek documentation is "Connection established, not terminated." It also mentions that it has a "0 byte count." However, in the logs I captured that contain the 'S1' flag, the byte count is not zero. Why does the explanation of the SF state mention that the byte count for 'S1' must be zero? Is this explanation incorrect?

That confuses me. I want to understand S1 exactly.