TCP Flow Packet Counts

I'm trying to write a simple bro policy script that uses the default
TCP policy output format, with the addition of packet counts per flow
in each direction. For that I'm actually modifying the analy.bro
script, however I've noticed that with my sample trace, the originator
packet count is almost always zero. How can I get the endpoint_status
to accurately reflect the number of packets sent in both directions
for the flow? Also, am I safe to assume that the number of bytes sent
in each direction is correct in the endpoint structure?

I tried to trace this problem down a bit and determined that when
Analyzer::DeliverPacket calls the class's DeliverPacket method, only a
fraction of the time does it go to TCPStats_Analyzer::DeliverPacket
method whereas the remainder of the time the
TCP_Analyzer::DeliverPacket method is called. This leads me to
believe that many of the packets don't have the correct Analyzer class
(TCPStats_Analyzer) associated with them; however, I am not sure how to
fix this problem. Any help would be greatly appreciated.

Bryce Boe

> however I've noticed that with my sample trace, the originator
> packet count is almost always zero

Can you send along the script you're using and a trace snippet that
demonstrates the problem? (Also, what version of Bro are you running?)

I tried on a short trace just now and I get packet counts in both directions.
Could you be using a capture filter that doesn't capture data packets from
the originator?
The current version of the analy Analyzer isn't working for this.
Only packets containing TCP payload are passed to the stats analyzer.

I have a branch that, among other things, also correctly tracks packets
and bytes on the wire (Bro's conn.log sizes are based on sequence
numbers). I can send you a pointer to the branch if you want. Note,
however, that my branch tracks a bunch of other things per connection
(including window size, handshake TTL, TCP options, etc.), so it needs
more state per connection.
OTOH, I was planning on integrating just the size counter into Bro
anyway. If you are interested in that, I can move that topic up on my
priority list.
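The two counting differences discussed in this thread (payload-only packets versus all packets, and sequence-space bytes versus bytes seen on the wire) can be reproduced on a constructed flow. This is an added illustration written for this page, not code from Bro or from anyone in the thread; the `Pkt` record and the sample segments are made up, and sequence-number wrap-around is ignored.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """One TCP segment: endpoint addresses, sequence number, payload length in bytes."""
    src: str
    dst: str
    seq: int
    payload: int

def endpoint_stats(pkts, orig):
    """Per-direction counters for one flow; `orig` is the originator's address.

    pkts_all     - every segment, pure ACKs included (what the poster wanted)
    pkts_payload - only segments carrying payload (what a payload-only analyzer sees)
    bytes_wire   - payload bytes summed over every segment, retransmissions included
    bytes_seq    - payload bytes implied by sequence space (highest seq+len minus
                   first seq), the conn.log-style figure that ignores retransmissions
    """
    stats = {d: {"pkts_all": 0, "pkts_payload": 0, "bytes_wire": 0,
                 "first_seq": None, "max_end": None} for d in ("orig", "resp")}
    for p in pkts:
        s = stats["orig" if p.src == orig else "resp"]
        s["pkts_all"] += 1
        if p.payload:
            s["pkts_payload"] += 1
            s["bytes_wire"] += p.payload
            if s["first_seq"] is None:
                s["first_seq"] = p.seq
            end = p.seq + p.payload
            if s["max_end"] is None or end > s["max_end"]:
                s["max_end"] = end
    for s in stats.values():
        s["bytes_seq"] = 0 if s["first_seq"] is None else s["max_end"] - s["first_seq"]
        del s["first_seq"], s["max_end"]
    return stats

# Constructed flow: a short request, a larger response with one retransmitted
# segment, and an originator that otherwise only sends pure ACKs.
SAMPLE = [
    Pkt("10.0.0.1", "10.0.0.2", 1000, 120),   # request, 120 bytes
    Pkt("10.0.0.2", "10.0.0.1", 5000, 1460),  # response segment 1
    Pkt("10.0.0.1", "10.0.0.2", 1120, 0),     # pure ACK
    Pkt("10.0.0.2", "10.0.0.1", 6460, 1460),  # response segment 2
    Pkt("10.0.0.1", "10.0.0.2", 1120, 0),     # pure ACK
    Pkt("10.0.0.2", "10.0.0.1", 6460, 1460),  # retransmission of segment 2
    Pkt("10.0.0.2", "10.0.0.1", 7920, 500),   # response segment 3
    Pkt("10.0.0.1", "10.0.0.2", 1120, 0),     # pure ACK
]

if __name__ == "__main__":
    for side, s in endpoint_stats(SAMPLE, "10.0.0.1").items():
        print(side, s)
```

On this sample the originator sends four segments but only one with payload, which is why a payload-only analyzer reports an originator count near zero; the responder's wire bytes (4880) exceed its sequence-space bytes (3420) by exactly the retransmitted segment.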