[Bro] how to merge rx and tx from different pcaps / slightly off-topic

Seth Hall seth at icir.org
Thu Sep 10 09:37:55 PDT 2015

> On Sep 10, 2015, at 7:34 AM, Jeff Barber <jbarber at computer.org> wrote:
> Uggh... It appears that shady stuff my plugin is doing is responsible for my problem.

Is your plugin posted anywhere?

> I think the problem is that I have opened a live pkt src from within my plugin, but then also trying to read a pcap. Maybe I've seeded BRO with a later timestamp than those in the pcap? Having a hard time following the timer logic.

You’re doing both in your plugin?  That definitely isn’t a supported model.

> Is it possible to instantiate a per-PktSrc timer?

I assume you mean a per-pktsrc clock? (since timers have a meaning and are something different in Bro).  If you meant clock, then no, a Bro process has the notion of a singular clock.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list