trace-summary question

From trace-summary:

        if duration and payload_resp * 8 / (1024 * 1024 * duration) > 700:
            # Bandwidth exceeded due to Bro bug.
            if Options.conn_version == 1:
                print >>sys.stderr, "%.6f originator exceeds bandwidth" % time
            else:
                print >>sys.stderr, "UID %s originator exceeds bandwidth" % f[uid_idx]
            payload_resp = 0

Just curious: is there a good reason for '700'?

--Gilbert

It's "good enough". :-)

The problem here is that Bro sometimes reports outrageously high
volume: it computes the volume from TCP sequence numbers and gets
utterly confused if they wrap around. So anything that looks like an
unrealistic bandwidth will do.

(Unfortunately, wrap around is more likely to occur for larger
connections, and by excluding those we may actually miss a significant
chunk for the summary. But there's not much to do about that with a
given summary; garbage in, garbage out. :-) )

Robin
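Robin's explanation above, worked through as an added example (not trace-summary's or Bro's own code): a conn.log-style record is checked against the same 700 Mbit/s cutoff, and two constructed sequence-number computations show how a 32-bit wrap can inflate a volume and how a modular difference avoids it. The highest-minus-lowest volume rule is an assumed illustration of the failure, not Bro's actual method.

```python
SEQ_MOD = 1 << 32    # TCP sequence numbers are 32-bit
MAX_MBPS = 700.0     # the "good enough" cutoff used by trace-summary

def mbps(payload_bytes, duration):
    """Mbit/s implied by payload_bytes sent over duration seconds."""
    if not duration:
        return 0.0
    return payload_bytes * 8 / (1024 * 1024 * duration)

def plausible_resp_bytes(payload_resp, duration, max_mbps=MAX_MBPS):
    """Mirror the snippet: a responder volume implying more than max_mbps
    is treated as a Bro artifact. Returns (bytes_to_count, flagged)."""
    if duration and mbps(payload_resp, duration) > max_mbps:
        return 0, True
    return payload_resp, False

def summarize(records, max_mbps=MAX_MBPS):
    """records: iterable of (uid, duration, resp_bytes).
    Returns (total responder bytes counted, list of flagged uids)."""
    total, flagged = 0, []
    for uid, duration, resp_bytes in records:
        counted, bad = plausible_resp_bytes(resp_bytes, duration, max_mbps)
        total += counted
        if bad:
            flagged.append(uid)
    return total, flagged

def seq_span_minmax(seqs):
    """Volume as highest minus lowest sequence number seen. Assumed here as
    one way a wrap can inflate the count; not Bro's actual code."""
    return max(seqs) - min(seqs)

def seq_span_wrapped(first_seq, last_seq):
    """Bytes between first and last sequence number, modulo 2^32, which
    stays correct across a single wrap."""
    return (last_seq - first_seq) % SEQ_MOD

# Constructed sample: three conn.log-style rows; the third implies ~30,000 Mbit/s.
SAMPLE_RECORDS = [
    ("CAbc1", 10.0, 50_000_000),      # ~38 Mbit/s, counted
    ("CAbc2", 0.0, 1_000),            # zero duration, counted unchanged
    ("CAbc3", 1.0, 4_000_000_000),    # absurd volume, zeroed and flagged
]
# Constructed sequence numbers of a connection that crosses the 2^32 boundary.
WRAPPED_SEQS = [0xFFFFFF00, 0xFFFFFFC0, 0x00000040, 0x00000100]
```

With the constructed rows, summarize() counts 50,001,000 bytes and flags CAbc3; the min/max span of the wrapped connection comes out near 4 GiB while the modular span is 512 bytes.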

> (Unfortunately, wrap around is more likely to occur for larger
> connections, and by excluding those we may actually miss a significant
> chunk for the summary. But there's not much to do about that with a
> given summary; garbage in, garbage out. :-) )

(Well, there used to be something to do - use large-conns.bro, until it
was unceremoniously dumped)

> (Well, there used to be something to do - use large-conns.bro

That's what the part 'with a given summary' was aiming at: if you feed
trace-summary a conn.log that already has that problem, there's
nothing it can do about it. That's not saying there aren't ways to get
the conn.log right in the first place. :-)

> , until it was unceremoniously dumped)

Was it dumped, or is it just not moved over yet? I don't recall.

Robin

> That's what the part 'with a given summary' was aiming at: if you feed
> trace-summary a conn.log that already has that problem, there's
> nothing it can do about it. That's not saying there aren't ways to get
> the conn.log right in the first place. :-)

My plan was to enable Gregor's ConnSize analyzer by default. Does it make sense to use the values acquired from that in place of the existing values?

> , until it was unceremoniously dumped)

> Was it dumped, or is it just not moved over yet? I don't recall.

Not moved over yet. I didn't dump anything, it's all just waiting to regain its status in the sun. :-)

  .Seth

We should offer both, they have different semantics. However we could
include only the ConnSize one in base (as that's probably what people
intuitively expect) and offer the current one as an option to add
additionally?

Robin

I think that sounds optimal. We even have the perfect place to put the script that adds that information now (after the latest reorg). :-)

  .Seth