


7.3.6 Connection summaries

The main output of conn is a one-line ASCII summary of each connection. By tradition, these summaries are written to a file with the name red.tag, where tag uniquely identifies the Bro session generating the logs. (“red” is mnemonic for “reduced,” from Bro's roots in performing protocol analysis for Internet traffic studies.)

The summaries are produced by the record_connection function, and have the following format:

<start> <duration> <service> B_o B_r A_l A_r <state> <flags> <addl>

start
corresponds to the connection's start time, as defined by start_time.


duration
gives the connection's duration, as defined by duration.


service
is the connection's service, as defined by service.


B_o, B_r
give the number of bytes sent by the originator and responder, respectively. These correspond to the size fields of the corresponding endpoint records.


A_l, A_r
correspond to the local and remote addresses that participated in the connection, respectively. The notion of which addresses are local is controlled by the global variable local_nets, if refined from its default value of empty. If local_nets has not been refined, then A_l is the connection responder and A_r is the connection originator.

Note: The format and defaults for A_l and A_r are unintuitive; they reflect the use of Bro's predecessor for analyzing Internet traffic patterns, and have not been changed so as to maintain compatibility with old, archived connection summaries.


state
reflects the state of the connection at the time the summary was written (which is usually either when the connection terminated, or when Bro terminated). The different states are summarized in the table below. The ASCII Name given in the Table is what appears in the red file; it is returned by the function. The Symbol is used when generating human-readable versions of the file—see hot_report.

For UDP connections, the analyzer reports connections for which both endpoints have been active as SF; those for which just the originator was active as S0; those for which just the responder was active as SHR; and those for which neither was active as OTH (this latter shouldn't happen!).


flags
reports a set of additional binary state associated with the connection:
L
indicates that the connection was initiated locally, i.e., the host corresponding to A_l initiated the connection. If L is missing, then the host corresponding to A_r initiated the connection.
U
indicates the connection involved one of the networks listed in the variable. The use of “U” for this indication (rather than “N”, say) is historical, as for the most part is the whole notion of “neighbor network.” Note that a connection can have both L and U set (see next item).
X
is used to indicate that neither the “L” nor the “U” flag is associated with this connection. An explicit negative indication is needed to disambiguate the flags field from the subsequent addl field.


addl
lists additional information associated with the connection, i.e., as defined by .

Putting all of this together, here is an example of a red connection summary:

     931803523.006848 54.3776 http 7320 38891 206.132.179.35 128.32.162.134 RSTO X %103

The connection began at timestamp 931803523.006848 (18:18:43 hours GMT on July 12, 1999; see the cf utility for how to determine this) and lasted 54.3776 seconds. The service was HTTP (presumably; this conclusion is based just on the responder's use of port 80/tcp). The originator sent 7,320 bytes, and the responder sent 38,891 bytes. Because the “L” flag is absent, the connection was initiated by host 128.32.162.134, and the responding host was 206.132.179.35. When the summary was written, the connection was in the “RSTO” state, i.e., after establishing the connection and transferring data, the originator had terminated it with a RST (this is unfortunately common for Web clients). The connection had neither the L nor the U flag associated with it, and there was additional information, summarized by the string “%103” (see the http analyzer for an explanation of this information).
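A parser for summary lines in the format above, added here as an example and not code from the Bro manual. It interprets the L flag as described (absent means the A_r host initiated) and treats a non-numeric byte-count field as "no count", an assumed placeholder for the S1 case the table below mentions; the ssh line in the test is constructed.

```python
# Added example, not code from the Bro manual: parse "red" connection
# summary lines in the format described above and interpret them.
from dataclasses import dataclass
from typing import Optional

# ASCII state names from Table 7.2 (meanings abbreviated).
STATES = {
    "S0": "attempt, no reply", "S1": "established, not terminated",
    "SF": "normal establishment and termination", "REJ": "attempt rejected",
    "S2": "orig close attempt, no resp reply", "S3": "resp close attempt, no orig reply",
    "RSTO": "orig aborted (RST)", "RSTR": "resp aborted (RST)",
    "RSTOS0": "orig SYN then RST, no SYN ACK", "RSTRH": "resp SYN ACK then RST, no SYN",
    "SH": "orig SYN then FIN (half open)", "SHR": "resp SYN ACK then FIN, no SYN",
    "OTH": "midstream traffic only, no SYN",
}
FLAGS = ("L", "U", "LU", "X")  # X is the explicit "neither L nor U" marker

@dataclass
class ConnSummary:
    start: float
    duration: float
    service: str
    bytes_orig: Optional[int]  # None when no count is present (e.g. S1)
    bytes_resp: Optional[int]
    addr_local: str            # A_l
    addr_remote: str           # A_r
    state: str
    flags: str
    addl: Optional[str]

    @property
    def originator(self) -> str:
        # "L" present: the A_l host initiated; absent: the A_r host did.
        return self.addr_local if "L" in self.flags else self.addr_remote

def _count(field: str) -> Optional[int]:
    # Assumption: a non-numeric placeholder stands in for a missing byte count.
    return int(field) if field.isdigit() else None

def parse_red_line(line: str) -> ConnSummary:
    # addl is optional and free-form, so split strictly only the first 9 fields.
    f = line.split(None, 9)
    if len(f) < 9:
        raise ValueError("expected at least 9 fields: %r" % line)
    if f[7] not in STATES or f[8] not in FLAGS:
        raise ValueError("bad state/flags in %r" % line)
    return ConnSummary(float(f[0]), float(f[1]), f[2], _count(f[3]), _count(f[4]),
                       f[5], f[6], f[7], f[8], f[9] if len(f) > 9 else None)
```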

     Symbol  Name    Meaning
     }       S0      Connection attempt seen, no reply.
     >       S1      Connection established, not terminated.
     >       SF      Normal establishment and termination. Note that this is the same symbol as for state S1; you can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
     [       REJ     Connection attempt rejected.
     }2      S2      Connection established and close attempt by originator seen (but no reply from responder).
     }3      S3      Connection established and close attempt by responder seen (but no reply from originator).
     >]      RSTO    Connection established, originator aborted (sent a RST).
     >[      RSTR    Established, responder aborted.
     }]      RSTOS0  Originator sent a SYN followed by a RST; we never saw a SYN ACK from the responder.
     <[      RSTRH   Responder sent a SYN ACK followed by a RST; we never saw a SYN from the (purported) originator.
     >h      SH      Originator sent a SYN followed by a FIN; we never saw a SYN ACK from the responder (hence the connection was "half" open).
     <h      SHR     Responder sent a SYN ACK followed by a FIN; we never saw a SYN from the originator.
     ?>?     OTH     No SYN seen, just midstream traffic (a "partial connection" that was not later closed).

Table 7.2: Summaries of connection states, as reported in red files