- ts: time &log
  This is the time of the first packet.
- uid: string &log
  A unique identifier of the connection.
- id: conn_id &log
  The connection’s 4-tuple of endpoint addresses/ports.
- proto: transport_proto &log
  The transport layer protocol of the connection.
- service: string &log &optional
  An identification of an application protocol being sent over
  the connection.
- duration: interval &log &optional
  How long the connection lasted. For 3-way or 4-way connection
  tear-downs, this will not include the final ACK.
- orig_bytes: count &log &optional
  The number of payload bytes the originator sent. For TCP
  this is taken from sequence numbers and might be inaccurate
  (e.g., due to large connections).
- resp_bytes: count &log &optional
  The number of payload bytes the responder sent. See
  orig_bytes.
- conn_state: string &log &optional

  | conn_state | Meaning |
  |---|---|
  | S0 | Connection attempt seen, no reply. |
  | S1 | Connection established, not terminated. |
  | SF | Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be. |
  | REJ | Connection attempt rejected. |
  | S2 | Connection established and close attempt by originator seen (but no reply from responder). |
  | S3 | Connection established and close attempt by responder seen (but no reply from originator). |
  | RSTO | Connection established, originator aborted (sent a RST). |
  | RSTR | Responder sent a RST. |
  | RSTOS0 | Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder. |
  | RSTRH | Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator. |
  | SH | Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was “half” open). |
  | SHR | Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator. |
  | OTH | No SYN seen, just midstream traffic (a “partial connection” that was not later closed). |
- local_orig: bool &log &optional
  If the connection is originated locally, this value will be T.
  If it was originated remotely it will be F. In the case that
  the Site::local_nets variable is undefined, this
  field will be left empty at all times.
- local_resp: bool &log &optional
  If the connection is responded to locally, this value will be T.
  If it was responded to remotely it will be F. In the case that
  the Site::local_nets variable is undefined, this
  field will be left empty at all times.
- missed_bytes: count &log &default = 0 &optional
  Indicates the number of bytes missed in content gaps, which
  is representative of packet loss. A value other than zero
  will normally cause protocol analysis to fail but some
  analysis may have been completed prior to the packet loss.
- history: string &log &optional
  Records the state history of connections as a string of
  letters. The meaning of those letters is:

  | Letter | Meaning |
  |---|---|
  | s | a SYN w/o the ACK bit set |
  | h | a SYN+ACK (“handshake”) |
  | a | a pure ACK |
  | d | packet with payload (“data”) |
  | f | packet with FIN bit set |
  | r | packet with RST bit set |
  | c | packet with a bad checksum (applies to UDP too) |
  | t | packet with retransmitted payload |
  | w | packet with a zero window advertisement |
  | i | inconsistent packet (e.g. FIN+RST bits set) |
  | q | multi-flag packet (SYN+FIN or SYN+RST bits set) |
  | ^ | connection direction was flipped by Bro’s heuristic |

  If the event comes from the originator, the letter is in
  upper-case; if it comes from the responder, it’s in
  lower-case. The ‘a’, ‘d’, ‘i’ and ‘q’ flags are
  recorded a maximum of one time in either direction regardless
  of how many are actually seen. ‘f’, ‘h’, ‘r’ and
  ‘s’ can be recorded multiple times for either direction
  if the associated sequence number differs from the
  last-seen packet of the same flag type.
  ‘c’, ‘t’ and ‘w’ are recorded in a logarithmic fashion:
  the second instance represents that the event was seen
  (at least) 10 times; the third instance, 100 times; etc.
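As an added example (not code from the Bro project), the decoder below applies the history rules just described: case selects the direction, a leading `^` marks a flipped connection, `a`/`d`/`i`/`q` occur at most once per direction, and repeated `c`/`t`/`w` letters scale logarithmically (second occurrence means at least 10, third at least 100). It also checks whether the string shows a completed three-way handshake (`S`, then `h`, then `A`), which is a useful filter when triaging conn.log entries. The history strings in the usage section are constructed.

```python
"""Decode a Conn::Info history string into per-direction events using the
documented letter semantics. Added example, not part of the Bro documentation."""
from collections import Counter

HISTORY_LETTERS = {
    "s": "SYN w/o the ACK bit set",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload (data)",
    "f": "packet with FIN bit set",
    "r": "packet with RST bit set",
    "c": "packet with a bad checksum",
    "t": "packet with retransmitted payload",
    "w": "packet with a zero window advertisement",
    "i": "inconsistent packet (e.g. FIN+RST bits set)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST bits set)",
}
# Repeated occurrences mean "at least 10x, 100x, ...", not one more packet.
LOG_SCALED = frozenset("ctw")
# Recorded at most once per direction however many are actually seen.
ONCE_ONLY = frozenset("adiq")


def decode_history(history):
    """Return (flipped, events). events maps (direction, letter) to the
    letter's meaning and a lower bound on how many such packets were seen;
    it is a lower bound because of the once-only and log-scaled rules."""
    flipped = history.startswith("^")
    if flipped:
        # After the '^' marker the remaining letters are taken as written.
        history = history[1:]
    seen = Counter()
    for ch in history:
        letter = ch.lower()
        if letter not in HISTORY_LETTERS:
            raise ValueError("unknown history letter %r" % ch)
        direction = "orig" if ch.isupper() else "resp"
        seen[(direction, letter)] += 1
    events = {}
    for (direction, letter), n in seen.items():
        if letter in LOG_SCALED:
            at_least = 10 ** (n - 1)   # 1, 10, 100, ...
        elif letter in ONCE_ONLY:
            at_least = 1               # never repeated per direction
        else:
            at_least = n               # one per distinct sequence number
        events[(direction, letter)] = {
            "meaning": HISTORY_LETTERS[letter],
            "at_least": at_least,
        }
    return flipped, events


def handshake_completed(history):
    """True if the string shows an originator SYN ('S'), then a responder
    SYN+ACK ('h'), then an originator ACK ('A'), in that order."""
    if history.startswith("^"):
        history = history[1:]
    expected = iter("ShA")
    want = next(expected)
    for ch in history:
        if ch == want:
            want = next(expected, None)
            if want is None:
                return True
    return False


if __name__ == "__main__":
    # Constructed history strings: full session, lone SYN, heavy retransmits.
    for h in ("ShADadFf", "S", "ShADttdtTf"):
        flipped, events = decode_history(h)
        print(h, "handshake:", handshake_completed(h))
        for (direction, letter), info in sorted(events.items()):
            print("  %s %s  >= %d  %s" % (direction, letter, info["at_least"], info["meaning"]))
```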
- orig_pkts: count &log &optional
  Number of packets that the originator sent.
  Only set if use_conn_size_analyzer = T.
- orig_ip_bytes: count &log &optional
  Number of IP level bytes that the originator sent (as seen on
  the wire, taken from the IP total_length header field).
  Only set if use_conn_size_analyzer = T.
- resp_pkts: count &log &optional
  Number of packets that the responder sent.
  Only set if use_conn_size_analyzer = T.
- resp_ip_bytes: count &log &optional
  Number of IP level bytes that the responder sent (as seen on
  the wire, taken from the IP total_length header field).
  Only set if use_conn_size_analyzer = T.
- tunnel_parents: set[string] &log &optional
  If this connection was over a tunnel, indicate the
  uid values for any encapsulating parent connections
  used over the lifetime of this inner connection.
- orig_l2_addr: string &log &optional
  (present if policy/protocols/conn/mac-logging.bro is loaded)
  Link-layer address of the originator, if available.
- resp_l2_addr: string &log &optional
  (present if policy/protocols/conn/mac-logging.bro is loaded)
  Link-layer address of the responder, if available.
- vlan: int &log &optional
  (present if policy/protocols/conn/vlan-logging.bro is loaded)
  The outer VLAN for this connection, if applicable.
- inner_vlan: int &log &optional
  (present if policy/protocols/conn/vlan-logging.bro is loaded)
  The inner VLAN for this connection, if applicable.