[Bro] TimeStamp of Bro output
robin at icir.org
Thu Feb 7 14:56:53 PST 2013
Correct, and in particular log lines are explicitly not sorted by
On Thu, Feb 07, 2013 at 22:31 +0000, Vlad Grigorescu wrote:
> I believe what you're seeing is a result of how those timestamps are defined.
> In conn.log: "This is the time of the first packet."
> In http.log: "Timestamp for when the request happened."
> The conn record doesn't get written until the connection closes (or times out). It happens during the connection_state_remove event. By handling it at connection close, you get duration, byte/packet counts, etc.
> Also, the times for when the first packet was seen, and when the actual HTTP request was seen can be slightly off.
> Does this line up with what you're seeing?
>  - <http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html#type-Conn::Info>
>  - <http://www.bro-ids.org/documentation/scripts/base/protocols/http/main.html#type-HTTP::Info>
>  - <http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_state_remove>
> On Feb 7, 2013, at 5:11 PM, <keqhe at cs.wisc.edu>
> > HI Everyone,
> > We observe that the flows' timestamps in the Bro log file are not strictly in
> > time order. Also we note that for the same flow, the timestamp in conn.log
> > and the timestamp in http.log are not the same. Has anyone noticed this
> > problem before and have ideas on this? Thanks!
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
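To see both effects from the thread on actual log text (conn.log written at connection removal, so not sorted by ts; http.log ts later than the conn.log ts of the same uid), here is an added example that is not part of the thread and not Bro's own code. It parses Bro-style ASCII logs (a tab-separated body under a #fields header), joins the two logs on uid, and reports the offset between the HTTP request time and the connection's first packet. The log excerpts are constructed for the illustration; the field names follow Bro's conn.log and http.log, but the rows are not real captures.

```python
"""Join Bro conn.log and http.log records by uid and compare their timestamps.

Added example, not from the mailing-list thread or from Bro itself. The log
text below is constructed: field names mirror Bro's conn.log / http.log, the
values are invented for the illustration.
"""
from typing import Dict, List

# Constructed conn.log excerpt. A conn record is written when the connection
# is removed from state, so the long-lived connection C1 (30 s), which started
# first, is logged after the short connection C2: the file is not sorted by ts.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval
1360281000.100000\tC2\t10.0.0.5\t51002\t10.0.0.80\t80\ttcp\t0.500000
1360281000.000000\tC1\t10.0.0.5\t51001\t10.0.0.80\t80\ttcp\t30.000000
"""

# Constructed http.log excerpt. ts here is the time of the HTTP request, which
# comes after the first packet (the SYN) of the same connection.
HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1360281000.003000\tC1\t10.0.0.5\t51001\t10.0.0.80\t80\tGET\texample.org\t/
1360281000.102500\tC2\t10.0.0.5\t51002\t10.0.0.80\t80\tGET\texample.org\t/x
"""


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro ASCII log text into dicts keyed by the names in #fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, ...) are skipped
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def is_sorted_by_ts(records: List[Dict[str, str]]) -> bool:
    """True if the records appear in non-decreasing ts order."""
    ts = [float(r["ts"]) for r in records]
    return all(a <= b for a, b in zip(ts, ts[1:]))


def http_offsets(conn_records: List[Dict[str, str]],
                 http_records: List[Dict[str, str]]) -> Dict[str, List[float]]:
    """Map uid -> list of (http.ts - conn.ts) in seconds, one per HTTP record.

    Several HTTP records can share a uid (keep-alive), hence the list. HTTP
    records whose connection has not been logged yet (still open) are skipped.
    """
    conn_ts = {r["uid"]: float(r["ts"]) for r in conn_records}
    offsets: Dict[str, List[float]] = {}
    for r in http_records:
        uid = r["uid"]
        if uid not in conn_ts:
            continue
        delta = round(float(r["ts"]) - conn_ts[uid], 6)
        offsets.setdefault(uid, []).append(delta)
    return offsets


if __name__ == "__main__":
    conn = parse_bro_log(CONN_LOG)
    http = parse_bro_log(HTTP_LOG)
    print("conn.log sorted by ts:", is_sorted_by_ts(conn))
    print("http.log sorted by ts:", is_sorted_by_ts(http))
    for uid, deltas in http_offsets(conn, http).items():
        print(uid, ["request %.6f s after first packet" % d for d in deltas])
```

The practical consequence for anyone correlating the two logs: join on uid, never on ts, and sort conn.log by ts yourself (or by ts + duration if you want the order in which connections ended) before treating it as a timeline.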