[Bro] TimeStamp of Bro output

Vlad Grigorescu vladg at cmu.edu
Thu Feb 7 14:31:20 PST 2013


I believe what you're seeing is a result of how those timestamps are defined.

In conn.log[1]: "This is the time of the first packet."
In http.log[2]: "Timestamp for when the request happened."

The conn record doesn't get written until the connection closes (or times out). It happens during the connection_state_remove[3] event. By handling it at connection close, you get duration, byte/packet counts, etc.

Also, the time when the first packet was seen and the time when the actual HTTP request was seen can be slightly off.

Does this line up with what you're seeing?


[1] - <http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html#type-Conn::Info>
[2] - <http://www.bro-ids.org/documentation/scripts/base/protocols/http/main.html#type-HTTP::Info>
[3] - <http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_state_remove>

On Feb 7, 2013, at 5:11 PM, <keqhe at cs.wisc.edu>

> Hi Everyone,
> We observe that the flows' timestamps in Bro log file are not strictly in
> time order. Also we note that for the same flow, the timestamp in conn.log
> and the timestamp in http.log are not the same. Does anyone notice the
> problem before and have ideas on this? Thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
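Added example (not part of this thread and not Bro's own code): a small Python parser for Bro's tab-separated ASCII logs, run over constructed conn.log and http.log excerpts. It shows that conn.log file order follows ts + duration (the moment connection_state_remove fires and the record is written) rather than ts, and how far the http.log request timestamp trails the conn.log first-packet timestamp for the same connection. The four-column subset and the values are constructed; the uid column used to join the two logs is assumed to be present, as it is in Bro 2.x logs.

```python
# Constructed conn.log excerpt: a subset of the real schema (ts, uid, duration,
# service). Records appear in the order Bro wrote them, i.e. by close time.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tduration\tservice
1360275000.100000\tCabc1\t0.500000\thttp
1360275000.050000\tCdef2\t12.000000\tssl
1360274999.900000\tCghi3\t30.250000\thttp
"""

# Constructed http.log excerpt: ts here is when the request was seen,
# which is after the first packet (SYN) of the same connection.
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tmethod
1360275000.130000\tCabc1\tGET
1360275000.020000\tCghi3\tGET
"""


def parse_bro_log(text):
    """Parse a Bro ASCII log: '#fields' names the columns, other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_sorted_by(records, key):
    """True if the records, in file order, are non-decreasing in the given numeric column."""
    vals = [float(r[key]) for r in records]
    return vals == sorted(vals)


def close_times(conn_records):
    """Write time of each conn record in file order: ts + duration, when
    connection_state_remove fires. This sequence is sorted even when ts is not."""
    return [round(float(r["ts"]) + float(r["duration"]), 6) for r in conn_records]


def http_minus_conn_ts(conn_records, http_records):
    """Per uid: http.log ts (request seen) minus conn.log ts (first packet seen)."""
    first_packet = {r["uid"]: float(r["ts"]) for r in conn_records}
    return {r["uid"]: round(float(r["ts"]) - first_packet[r["uid"]], 6)
            for r in http_records if r["uid"] in first_packet}
```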
