The main output of conn is a one-line ASCII summary of each connection. By tradition, these summaries are written to a file with the name conn.tag.log, where tag uniquely identifies the Bro session generating the logs. The summaries are produced by the record_connection function, and have the following format:
<start> <duration> <local IP> <remote IP> <service> <local port> <remote port> <protocol> <org bytes sent>, <res bytes sent> <state> <flags> <tag>
start: the connection's start_time.
duration: the connection's duration.
local IP, remote IP: which address counts as local is determined by local_nets, which has a default value of empty. If local_nets has not been redefined, then local IP is the connection responder and remote IP is the connection originator.
service: the connection's service.
org bytes sent, res bytes sent: the size fields of the corresponding endpoint records.
Name     Meaning
S0       Connection attempt seen, no reply.
S1       Connection established, not terminated.
SF       Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
REJ      Connection attempt rejected.
S2       Connection established and close attempt by originator seen (but no reply from responder).
S3       Connection established and close attempt by responder seen (but no reply from originator).
RSTO     Connection established, originator aborted (sent a RST).
RSTR     Established, responder aborted.
RSTOS0   Originator sent a SYN followed by a RST, we never saw a SYN ACK from the responder.
RSTRH    Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
SH       Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
SHR      Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.
OTH      No SYN seen, just midstream traffic (a "partial connection" that was not later closed).

Table 7.2: Summaries of connection states, as reported in conn.log files
The ASCII Name given in the Table is what appears in the conn.tag.log log file; it is returned by the conn_state function. The Symbol is used when generating human-readable versions of the file—see the hot-report script.
For UDP connections, the analyzer reports connections for which both endpoints have been active as SF; those for which just the originator was active as S0; those for which just the responder was active as SHR; and those for which neither was active as OTH (this latter shouldn't happen!).
The flags field is made up of the following:
L: If L is missing, then the host corresponding to A_r initiated the connection.
U: Set according to the neighbor_nets variable. The use of “U” for this indication (rather than “N”, say) is historical, as for the most part is the whole notion of “neighbor network.” Note that a connection can have both L and U set (see next item).
X: Neither the “L” nor the “U” flag is associated with this connection.
Putting all of this together, here is an example of a conn.log connection summary:
931803523.006848 54.3776 http 7320 38891 206.132.179.35 128.32.162.134 RSTO X %103
The connection began at timestamp 931803523.006848 (18:18:43 hours GMT on July 12, 1999; see the cf utility for how to determine this) and lasted 54.3776 seconds. The service was HTTP (presumably; this conclusion is based just on the responder's use of port 80/tcp). The originator sent 7,320 bytes, and the responder sent 38,891 bytes. Because the “L” flag is absent, the connection was initiated by host 128.32.162.134, and the responding host was 206.132.179.35. When the summary was written, the connection was in the “RSTO” state, i.e., after establishing the connection and transferring data, the originator had terminated it with a RST (this is unfortunately common for Web clients). The connection had neither the L nor the U flag associated with it, and there was additional information, summarized by the string “%103” (see the http analyzer for an explanation of this information).
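As an added example (not code from the Bro manual or distribution), here is a small Python parser for summaries in the 13-field format listed above, applying the states of Table 7.2 and the L/U/X flag rules, plus a per-originator count of attempts that never became connections, which is the first thing a defender wants from such a log. The sample lines are constructed; the first restates the page's example line (which omits the port and protocol fields) in the documented order with assumed port values, and the "?" placeholder for absent byte counts is an assumption.

```python
from collections import Counter

# Connection states from Table 7.2 (ASCII Name -> short meaning).
STATES = {
    "S0": "attempt, no reply", "S1": "established, not terminated",
    "SF": "normal establishment and termination", "REJ": "attempt rejected",
    "S2": "established, only originator close seen", "S3": "established, only responder close seen",
    "RSTO": "established, originator sent RST", "RSTR": "established, responder sent RST",
    "RSTOS0": "originator SYN then RST, no SYN ACK seen",
    "RSTRH": "responder SYN ACK then RST, no SYN seen",
    "SH": "originator SYN then FIN, no SYN ACK seen (half open)",
    "SHR": "responder SYN ACK then FIN, no SYN seen",
    "OTH": "no SYN seen, midstream traffic only",
}
# Grouping assumed here (not a Bro term): states in which the originator never got an established connection.
FAILED = {"S0", "REJ", "RSTOS0"}

def parse_conn_line(line):
    # One summary in the documented 13-field order; the trailing <tag> may be absent.
    f = line.split()
    if len(f) not in (12, 13) or f[10] not in STATES:
        raise ValueError("malformed conn summary: " + line)
    # Byte counts are missing for some states (e.g. S1); a non-numeric placeholder is assumed there.
    nbytes = lambda tok: int(tok) if tok.isdigit() else None
    flags = set(f[11]) - {"X"}  # X means neither L nor U is set
    return {
        "start": float(f[0]), "duration": float(f[1]),
        "local_ip": f[2], "remote_ip": f[3], "service": f[4],
        "local_port": int(f[5]), "remote_port": int(f[6]), "protocol": f[7],
        "orig_bytes": nbytes(f[8]), "resp_bytes": nbytes(f[9]),
        "state": f[10], "meaning": STATES[f[10]], "flags": flags,
        "tag": f[12] if len(f) == 13 else "",
        # "L" means the local host initiated; without it the remote host did.
        "originator": f[2] if "L" in flags else f[3],
    }

def failed_attempts_by_originator(lines):
    # Per originating host, count summaries that never became a connection.
    recs = map(parse_conn_line, lines)
    return Counter(r["originator"] for r in recs if r["state"] in FAILED)

# Constructed sample lines in the documented field order (not from a real log).
SAMPLE = [
    "931803523.006848 54.3776 206.132.179.35 128.32.162.134 http 80 1025 tcp 7320 38891 RSTO X %103",
    "931803530.000000 0.0000 10.0.0.5 192.0.2.9 other 22 40001 tcp ? ? S0 X",
    "931803530.500000 0.0000 10.0.0.6 192.0.2.9 other 22 40002 tcp ? ? REJ X",
    "931803531.000000 0.0000 10.0.0.7 192.0.2.9 other 22 40003 tcp ? ? RSTOS0 U",
    "931803540.000000 3.2000 10.0.0.5 198.51.100.4 ssh 22 50000 tcp 2100 3300 SF LU",
]
```

Running failed_attempts_by_originator(SAMPLE) attributes the three failed attempts to 192.0.2.9, the remote host, because none of those lines carries the L flag.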