TCP connection logs are generated by tcp.bro. The summaries are written to stdout, one line per connection: start-time duration protocol orig-bytes resp-bytes \ local-addr remote-addr state flags additional start-time: timestamp of when the connection's first packet was observed duration: time until connection finished, in seconds, or '?' if not determined protocol: TCP protocol, if well-known port; or portmapper request orig-bytes: total bytes sent by originator. Computed from difference between starting and ending sequence numbers, so sometimes wrong (if wrong, the values tend to be erroneously large) resp-bytes: same for bytes sent by connection responder local-addr: IP address of local end of connection remote-addr: IP address of remote end of connection Note that these would make more sense as originator/responder, but for historical reasons they're defined in terms of "local" and "remote", where "local" is specified by the "local_nets" set in hot.bro. To pull out the originator and responder addresses requires looking at the "flags" field to see whether the connection originated locally. state: final connection state (see below) flags: some characteristics of the connection. The most important is the 'L' flag, which if present indicates that the connection was initiated by the local address (see above); otherwise it was initiated by the remote address. additional: protocol-specific additional information, such as the FTP session identifier, telnet user name, finger request, or portmapper results. The scripts "hot-report" and "mon-report" (in the aux/scripts/ directory) generate readable versions of these connection summaries. They include a mnemonic indicating the connection's state. Here is the list of abbreviations used: Symbol Name Meaning ------ ------- ------------------- } S0 Initial SYN seen, no reply seen ("unanswered") > S1 Initial SYN handshake seen ("established") > SF Established and normal FIN handshake seen for termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts, while for SF there will be. [ REJ Initial SYN elicited RST in reply ("rejected") }2 S2 Established and FIN from originator only seen }3 S3 Established and FIN from responder only seen >] RSTO Established, originator sent a RST to terminate >[ RSTR Established, responder sent a RST to terminate }] RSTOS0 Originator sent a SYN followed by a RST, we never saw a SYN ack from the responder <[ RSTRH Responder sent a SYN ack followed by a RST, we never saw a SYN from the originator >h SH Originator sent a SYN followed by a FIN, we never saw a SYN ack from the responder (so "half" open) ? OTH No SYN seen, just midstream traffic The sundry weird states can arise from broken TCPs, but also from split routing in which Bro just sees one side of a connection. For UDP, if we see a request but no reply, that's state S0 ("}"); a request followed by a reply is SF (">"); and a reply but no request is SHR ("