Hi,
I’m facing a small problem when running Bro. I’m trying to calculate the volume of traffic generated per host. I have a set of pcap files, each containing traffic from a single host. I thought I could run Bro on each pcap file and then sum the orig_bytes and resp_bytes columns in conn.log to get the total volume of traffic for one host. However, when I run Bro on a 250 MB pcap file, the sum of these two columns is only approximately 107 MB, not the 250 MB I expected. Is there any alternate method for calculating the volume of traffic generated by one host?
Here’s the script I ran to get the sum:
cat conn.log | awk 'BEGIN{FS="\t"; count=0;} {count=count+$10; count+=$11} END {print count;}'
This was the output of the script (which I expected would be 250 MB instead):
107790112 bytes
It would be great if you could help me resolve this issue!
Thank you,
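As an added example (not part of the original post), the script below sums the same conn.log counters by header name instead of column number, and puts the payload-only columns (orig_bytes, resp_bytes) next to the IP-layer columns (orig_ip_bytes, resp_ip_bytes), which include packet headers and therefore sit closer to a pcap's size. The log content is constructed; the field names are Bro/Zeek's standard conn.log fields.

```python
# Constructed sample conn.log in Bro/Zeek TSV format (not from a real capture).
# The "-" in record 3 is the logger's unset marker; it must not be added as text.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts"
    "\tresp_ip_bytes\ttunnel_parents\n"
    "1.0\tC1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp\t0.5\t300\t5000"
    "\tSF\t-\t0\tShADadfF\t5\t572\t6\t5328\t(empty)\n"
    "2.0\tC2\t10.0.0.5\t51001\t192.0.2.53\t53\tudp\tdns\t0.01\t40\t120"
    "\tSF\t-\t0\tDd\t1\t68\t1\t148\t(empty)\n"
    "3.0\tC3\t10.0.0.5\t51002\t192.0.2.20\t443\ttcp\t-\t-\t-\t-"
    "\tS0\t-\t0\tS\t1\t60\t0\t0\t(empty)\n"
    "#close\t2020-01-01-00-00-00\n"
)


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):   # skip #types, #close, ...
            yield dict(zip(fields, line.split("\t")))


def as_count(value):
    """Bro 'count' column: '-' means the value was never set; treat as 0."""
    return 0 if value == "-" else int(value)


def traffic_totals(text):
    """Return payload-level, IP-level and missed byte totals for a conn.log."""
    totals = {"payload_bytes": 0, "ip_bytes": 0, "missed_bytes": 0}
    for rec in parse_conn_log(text):
        totals["payload_bytes"] += as_count(rec["orig_bytes"]) + as_count(rec["resp_bytes"])
        totals["ip_bytes"] += as_count(rec["orig_ip_bytes"]) + as_count(rec["resp_ip_bytes"])
        totals["missed_bytes"] += as_count(rec["missed_bytes"])
    return totals


if __name__ == "__main__":
    for name, value in traffic_totals(SAMPLE_CONN_LOG).items():
        print(f"{name}: {value}")
```

Run it against a real log by reading conn.log into a string and passing it to traffic_totals; a large missed_bytes total signals gaps in the capture rather than in the log.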