(Traffic characteristics extraction with Bro - Continue)

Dear all,
I have looked at some files while still waiting for some hints for my previous question.
Then I found the event "new_packet", which looks promising.
However, I DON'T know if the packet reported there is already "processed", i.e., whether only valid packets for the connection are considered, while others such as duplicate or out-of-order packets are not reported to the handler?

Does anybody know how this event works? I REALLY need some answers to go on.
Thanks,
Duc.

At present, the characteristics I need are: mean packet size and mean
packet inter-arrival time, all per flow.

In general, such statistics are a little bit difficult to get with
Bro because its analysis works primarily with higher abstractions of
activity, i.e., you write scripts without relying on packet
semantics.

To still get stats such as inter-arrival times there are two
options:

(i) you can indeed use the new_packet() event which you already
found yourself. Disadvantage: this is not very efficient because
script code needs to be executed for each input packet.

(ii) you add a module to Bro's core which does the required analysis
and just reports results back to script-level. Bro's stepping stone
analyzer is an example of how to do this (it does examine packet
timings). Disadvantage: you need to hack Bro's source code.
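
Option (i) from the reply above, sketched as an added example (not code from this thread or from the Bro project): per-flow mean packet size and mean inter-arrival time accumulated in a new_packet() handler and printed when the connection is removed. It assumes Bro 2.x-style `pkt_hdr` fields (`p$ip$len`), handles IPv4 only, and the names `FlowStats` and `flows` are made up for the sketch.

```bro
# Added example: per-flow mean packet size and mean inter-arrival time
# collected from new_packet(). Assumes Bro 2.x-style pkt_hdr fields
# (p$ip$len); FlowStats and flows are names made up for this sketch.

type FlowStats: record {
	pkts: count &default=0;     # packets seen for this connection
	bytes: count &default=0;    # sum of IPv4 total-length fields
	first_ts: time;             # timestamp of first packet
	last_ts: time;              # timestamp of most recent packet
};

global flows: table[conn_id] of FlowStats;

event new_packet(c: connection, p: pkt_hdr)
	{
	# IPv4 only in this sketch; other packets are skipped.
	if ( ! p?$ip )
		return;

	local now = network_time();
	if ( c$id !in flows )
		flows[c$id] = [$first_ts=now, $last_ts=now];

	# Every packet the event delivers is counted as-is; nothing here
	# filters retransmissions or reordered segments.
	local s = flows[c$id];
	++s$pkts;
	s$bytes += p$ip$len;
	s$last_ts = now;
	}

event connection_state_remove(c: connection)
	{
	if ( c$id !in flows )
		return;

	local s = flows[c$id];
	local mean_size = (s$bytes * 1.0) / s$pkts;
	# The n-1 gaps between n packets sum to (last - first).
	local mean_iat = 0.0;
	if ( s$pkts > 1 )
		mean_iat = interval_to_double(s$last_ts - s$first_ts) / (s$pkts - 1);

	print fmt("%s pkts=%d mean_size=%.1f mean_iat=%.6f", c$id, s$pkts, mean_size, mean_iat);
	delete flows[c$id];
	}
```

Packet size here is the IPv4 total-length field, and the handler runs once per packet, which is the per-packet script cost the reply names as the disadvantage of this option.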