TCP Conn Log

mike_anastasakis · April 3, 2017, 12:49pm

Hello,

I am using Bro for a project and I have a question regarding it’s capabilities.
Currently when I have a long TCP connection that includes frequent TCP Keep Alive messages, bro is reassembling the whole network trace into one connection and presents it in conn.log with a big duration value. Is it possible to make bro split up TCP connections into smaller fragments based on a interval I set up or at least whenever a TCP Keep alive handshake takes place?

Regards,
Mike

johanna · April 5, 2017, 4:28pm

Hi Mike,

I am currently not aware of any way to accomplish this without
modifications to the core. You can change the timeout that Bro uses for
TCP connections (the time after which its expires a connection, if it does
not see any packets) by changing tcp_inactivity_timeout; depending on your
specific application, maybe that might be good enough.

Johanna

Azoff_Justin_S · April 5, 2017, 4:40pm

Oh! there is this script that may help:

https://github.com/corelight/bro-long-connections

Topic		Replies	Views
Quick question on conn tracking Zeek	8	92	May 6, 2022
Notice on duration Zeek	3	77	May 6, 2022
Fragmentation and TCP overlapping Issues Zeek	9	148	May 6, 2022
long SSH connection in conn.log Zeek	3	122	May 6, 2022
Connection lasts huge time Zeek	2	71	May 6, 2022

TCP Conn Log

Related topics