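# Loc: for each TCP connection, record when the handshake events below were
# seen at the sensor and log the time between them to a dedicated log stream.
#
# The timestamps are network_time() values taken at the monitoring point, so
# the logged interval is affected by sensor placement, retransmissions and
# capture loss. Treat it as an estimate, not a measurement taken at either
# endpoint.

# NOTE(review): nothing in this script references the metrics framework; the
# load is kept because other scripts may depend on it being pulled in here.
@load base/frameworks/metrics

module Loc;

export {
	redef enum Log::ID += { LOG };

	## One record per connection for which at least one of the two
	## handshake events below was seen.
	type Info: record {
		## Connection identifier, copied from c$id.
		id:       conn_id  &log;
		## network_time() when connection_established fired.
		resp_syn: time     &log &optional;
		## network_time() when connection_first_ACK fired.
		orig_ack: time     &log &optional;
		## orig_ack - resp_syn; only set when both timestamps exist.
		interv:   interval &log &optional;
	};

	## Raised for every record written to the Loc log stream.
	global log_loc: event(rec: Info);
}

# Per-connection scratch state, attached to the connection record itself.
redef record connection += {
	loc: Info &optional;
};

event bro_init() &priority=5
	{
	# Attach log_loc to the stream: the event is exported above, but it is
	# never raised unless the stream is created with $ev set.
	Log::create_stream(LOG, [$columns=Info, $ev=log_loc]);
	}

# Stamp the time at which the connection was reported as established.
event connection_established(c: connection)
	{
	if ( ! c?$loc )
		c$loc = [$id=c$id];

	c$loc$resp_syn = network_time();
	}

# Stamp the time of the first ACK reported for the connection.
event connection_first_ACK(c: connection)
	{
	if ( ! c?$loc )
		c$loc = [$id=c$id];

	c$loc$orig_ack = network_time();
	}

# When the connection is removed, derive the interval and write the record.
event connection_state_remove(c: connection)
	{
	# Connections that triggered neither handler have no state to log.
	if ( ! c?$loc )
		return;

	# The interval is only meaningful with both timestamps; otherwise it
	# stays unset and the record is still written with what was observed.
	if ( c$loc?$orig_ack && c$loc?$resp_syn )
		c$loc$interv = c$loc$orig_ack - c$loc$resp_syn;

	Log::write(LOG, c$loc);
	}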