mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Add ConnSize_Analyzer's fields to conn.log
This commit is contained in:
Gregor Maier
parent
88f7db927e
commit
fe5624fb06
1 changed files with 24 additions and 2 deletions
|
|
@ -12,7 +12,11 @@ export {
|
||||||
proto: transport_proto &log;
|
proto: transport_proto &log;
|
||||||
service: string &log &optional;
|
service: string &log &optional;
|
||||||
duration: interval &log &optional;
|
duration: interval &log &optional;
|
||||||
|
## The number of payload bytes the originator sent. For TCP
|
||||||
|
## this is taken from sequence numbers and might be inaccurate
|
||||||
|
## (e.g., due to large connections)
|
||||||
orig_bytes: count &log &optional;
|
orig_bytes: count &log &optional;
|
||||||
|
## The number of payload bytes the responder sent. See ``orig_bytes``.
|
||||||
resp_bytes: count &log &optional;
|
resp_bytes: count &log &optional;
|
||||||
|
|
||||||
## ========== ===============================================
|
## ========== ===============================================
|
||||||
|
|
@ -68,6 +72,17 @@ export {
|
||||||
## for instance. I.e., we just record that data went in that direction.
|
## for instance. I.e., we just record that data went in that direction.
|
||||||
## This history is not meant to encode how much data that happened to be.
|
## This history is not meant to encode how much data that happened to be.
|
||||||
history: string &log &optional;
|
history: string &log &optional;
|
||||||
|
## Number of packets the originator sent.
|
||||||
|
## Only set if :bro:id:`use_conn_size_analyzer`=T
|
||||||
|
orig_pkts: count &log &optional;
|
||||||
|
## Number IP level bytes the originator sent (as seen on the wire,
|
||||||
|
## taken from IP total_length header field).
|
||||||
|
## Only set if :bro:id:`use_conn_size_analyzer`=T
|
||||||
|
orig_ip_bytes: count &log &optional;
|
||||||
|
## Number of packets the responder sent. See ``orig_pkts``.
|
||||||
|
resp_pkts: count &log &optional;
|
||||||
|
## Number IP level bytes the responder sent. See ``orig_pkts``.
|
||||||
|
resp_ip_bytes: count &log &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
global log_conn: event(rec: Info);
|
global log_conn: event(rec: Info);
|
||||||
|
|
@ -163,11 +178,18 @@ function set_conn(c: connection, eoc: bool)
|
||||||
if ( c$duration > 0secs )
|
if ( c$duration > 0secs )
|
||||||
{
|
{
|
||||||
c$conn$duration=c$duration;
|
c$conn$duration=c$duration;
|
||||||
# TODO: these should optionally use Gregor's new
|
|
||||||
# actual byte counting code if it's enabled.
|
|
||||||
c$conn$orig_bytes=c$orig$size;
|
c$conn$orig_bytes=c$orig$size;
|
||||||
c$conn$resp_bytes=c$resp$size;
|
c$conn$resp_bytes=c$resp$size;
|
||||||
}
|
}
|
||||||
|
if ( c$orig?$num_pkts )
|
||||||
|
{
|
||||||
|
# these are set if use_conn_size_analyzer=T
|
||||||
|
# we can have counts in here even without duration>0
|
||||||
|
c$conn$orig_pkts = c$orig$num_pkts;
|
||||||
|
c$conn$orig_ip_bytes = c$orig$num_bytes_ip;
|
||||||
|
c$conn$resp_pkts = c$resp$num_pkts;
|
||||||
|
c$conn$resp_ip_bytes = c$resp$num_bytes_ip;
|
||||||
|
}
|
||||||
local service = determine_service(c);
|
local service = determine_service(c);
|
||||||
if ( service != "" )
|
if ( service != "" )
|
||||||
c$conn$service=service;
|
c$conn$service=service;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue