[Bro] TimeStamp of Bro output
robin at icir.org
Fri Feb 8 15:11:31 PST 2013
On Fri, Feb 08, 2013 at 17:04 -0600, keqhe at cs.wisc.edu wrote:
> The important info we want to know is that---there are more than
> 50,000,000 flows in the trace files. SO we are not sure whether uid filed
> is really UNIQUE.
Indeed, that's the idea behind it. It's unique and identifies flows
across all logs (and even across Bro runs).
Internally it's a hash value so there's a tiny chance for a collision,
but it's a 64-bit value space so you should be fine.
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro