[Bro] policy event engine

Vern Paxson vern at icir.org
Fri Jan 21 08:17:09 PST 2011

> > Can you understand me (at least briefly) what is the reason of "...the
> > notion of time in Bro is driven forward by the packet timestamps...", why
> > not internal clock?
> I expect that it was an optimization, but you'll have to wait for a response from Robin or Vern to clarify that point.

Yes, because in a typical deployment environment, many packets stream in
every second, and they arrive via pcap with timestamps attached.  Plus,
we haven't perceived an important benefit from having precise timers; for
typical uses (keeping tables from growing too large), imprecise timers are
generally fine.
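
An added illustration, not part of the original message and not Bro's own code: a small state table whose expiry timers run on a clock advanced only by packet timestamps, showing that entries expire late (or not at all) while no packets arrive. The class, function names and the trace are hypothetical and constructed for this example.

```python
import heapq

class NetworkTimeTable:
    """Table whose entries expire on a clock advanced only by packet timestamps."""

    def __init__(self, expire_interval):
        self.expire_interval = expire_interval
        self.network_time = 0.0   # last packet timestamp seen, not the wall clock
        self.entries = {}         # key -> timestamp at which the entry was created
        self.timers = []          # min-heap of (deadline, key)
        self.expired = []         # (key, deadline, network time when it fired)

    def process_packet(self, ts, key):
        # The packet timestamp moves time forward; timers are checked only here.
        self.network_time = max(self.network_time, ts)
        self._fire_due_timers()
        if key not in self.entries:
            self.entries[key] = ts
            heapq.heappush(self.timers, (ts + self.expire_interval, key))

    def _fire_due_timers(self):
        while self.timers and self.timers[0][0] <= self.network_time:
            deadline, key = heapq.heappop(self.timers)
            if key in self.entries:
                del self.entries[key]
                self.expired.append((key, deadline, self.network_time))

def replay(packets, expire_interval):
    """Feed (timestamp, key) pairs through a fresh table and return it."""
    table = NetworkTimeTable(expire_interval)
    for ts, key in packets:
        table.process_packet(ts, key)
    return table

# Constructed trace: (pcap timestamp in seconds, source host)
PACKETS = [(100.0, "10.0.0.1"), (100.5, "10.0.0.2"), (101.0, "10.0.0.1"),
           (130.0, "10.0.0.3"),   # 29 s quiet period before this packet
           (130.2, "10.0.0.1")]

if __name__ == "__main__":
    t = replay(PACKETS, expire_interval=5.0)
    for key, deadline, fired in t.expired:
        print(f"{key}: due {deadline:.1f}, fired {fired:.1f}, "
              f"late by {fired - deadline:.1f}s")
    print("still in table:", sorted(t.entries))
```

The table still stays bounded, which is the use the message describes, but a timer's firing time is only as precise as the packet arrival rate.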

