The conn analyzer performs generic connection analysis:
connection start time, duration, sizes, hosts, and the like. You don't
in general load this analyzer directly, but instead do so implicitly
by loading the tcp, udp, or icmp analyzers.
Consequently, the conn analyzer doesn't load a capture_filter value
by itself, but instead uses whatever is set up by these more specific
analyzers.

conn analyzes a number of events related to connections beginning
or ending. We first describe the connection record data type that
keeps track of the state associated with each connection (see connection record),
and then we detail the events in Generic TCP connection events. The main output of its
analysis is a set of one-line connection summaries, which we describe in
Connection summaries, and in Connection functions we give an overview
of the different callable functions provided by conn.

conn also loads three other Bro modules: the hot
and scan analyzers, and the port_name utility
module.