[Bro] How to parse bro decimal timestamps?

Brad Cox bradjcox at gmail.com
Sat Apr 16 16:09:57 PDT 2016


Perfect. Thanks so much!

Dr. Brad J. Cox    Cell: 703-594-1883 Skype: dr.brad.cox

> On Apr 16, 2016, at 6:43 PM, Chris Walsh <chris at cwalsh.org> wrote:
> 
> The value is the number of seconds since the epoch, including a fractional portion.  Your problem with Java dealing with it is likely that Java wants the number of *milliseconds* since the epoch, so you should multiply what Bro gives you by 1000 (and drop the fractional part) before converting it with whatever Java code you’re working with. 
> 
> 
> Chris
> 
> 
>> On Apr 16, 2016, at 5:25 PM, Brad Cox <bradjcox at gmail.com> wrote:
>> 
>> Java code would be nice, but an ordinary description of how a decimal date relates to standard dates would do. I'm familiar with Java/Unix conventions where a long integer specifies seconds since the Unix epoch (Jan 1970). But I've tried converting the bro decimal to long and converting that to a date. That gives a date sometime in 1970 which clearly isn't right. And what do the fractional values mean? Milliseconds perhaps?
>> 
>> Dr. Brad J. Cox    Cell: 703-594-1883 Skype: dr.brad.cox
>> 
>> 
>> 
>> 
>>> On Apr 16, 2016, at 4:44 PM, Brad Cox <bradjcox at gmail.com> wrote:
>>> 
>>> Need to parse dates in java; using this in a spark streaming analytics pipeline.
>>> 
>>> Dr. Brad J. Cox    Cell: 703-594-1883 Skype: dr.brad.cox
>>> 
>>> 
>>> 
>>> 
>>>> On Apr 16, 2016, at 4:31 PM, Chris Walsh <chris at cwalsh.org> wrote:
>>>> 
>>>> Depends on what you’re reading the logs with.  
>>>> 
>>>> You could use bro-cut with the ‘-d’ flag, to do the conversion for you.
>>>> 
>>>> If you just need to do one-off date conversion:
>>>> 
>>>> Using GNU date (takes date as is):
>>>> 
>>>> $ date --date='@1459774793.429104'
>>>> Mon Apr  4 12:59:53 UTC 2016
>>>> 
>>>> OSX (wants the date as an integer):
>>>> 
>>>> $ foobar=`echo 1459774793.429104 | cut -d. -f1`
>>>> $ date -r $foobar
>>>> Mon Apr  4 07:59:53 CDT 2016
>>>> 
>>>> 
>>>> If you’re snarfing the timestamps into your own code, then it depends on what language/libraries you’re using.  
>>>> 
>>>> 
>>>> 
>>>>> On Apr 16, 2016, at 3:05 PM, Brad Cox <bradjcox at gmail.com> wrote:
>>>>> 
>>>>> How do I turn the timestamp (ts) field in this example into a standard date format (java or unix dates for example?)
>>>>> 
>>>>> #set_separator	,
>>>>> #empty_field	(empty)
>>>>> #unset_field	-
>>>>> #path	conn
>>>>> #open	2016-04-04-09-00-04
>>>>> #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
>>>>> #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
>>>>> 1459774793.429104	CZgDTe31Z6ynNuzgN7	fe80::c874:93f:5b4e:c1e1	64648	ff02::1:3	5355	udp	dns	0.412428	44	0	S0	F	F	0	D	2	140	0	0	(empty)
>>>>> 1459774793.429113	Ci77TT3Kp4dNmhAYc1	172.16.2.33	64648	224.0.0.252	5355	udp	dns	0.412434	44	0	S0	F	F	0	D	2	100	0	0	(empty)
>>>>> 
>>>> 
>>> 
>> 
> 
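The conversion described in this thread, written out as an added example (not code from the thread or from the Bro project): a small Java parser that reads a Bro TSV log, uses the `#fields` and `#types` header to find the `time` and `interval` columns, and converts them to `java.time.Instant` and `java.time.Duration`. It goes one step beyond the "multiply by 1000 and drop the fraction" advice above: the value is parsed as a `BigDecimal` and split into whole seconds plus nanoseconds, so the microsecond digits Bro writes are kept, and `Instant.toEpochMilli()` is available for any library that does want milliseconds. The class and method names are this example's own; the sample log is constructed from the header and the two `conn.log` rows quoted in the thread.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example (not Bro project code): Bro "time"/"interval" fields to java.time values. */
public class BroTimeParser {

    /**
     * Split "1459774793.429104" into {whole seconds, nanoseconds}. The text is
     * parsed as a BigDecimal rather than a double, so the last microsecond digit
     * survives exactly (a double has only ~15-16 significant digits). Bro logs
     * carry no negative times, so a negative value is treated as a parse error.
     */
    private static long[] secondsAndNanos(String value) {
        BigDecimal d = new BigDecimal(value.trim());
        if (d.signum() < 0) {
            throw new IllegalArgumentException("negative time value: " + value);
        }
        long whole = d.toBigInteger().longValueExact();
        long nanos = d.subtract(BigDecimal.valueOf(whole))
                      .movePointRight(9)
                      .setScale(0, RoundingMode.DOWN) // Bro writes microseconds; drop anything finer
                      .longValueExact();
        return new long[] {whole, nanos};
    }

    /** Bro "time" (seconds since the Unix epoch, UTC) -> Instant with the fraction kept. */
    public static Instant parseTime(String value) {
        long[] sn = secondsAndNanos(value);
        return Instant.ofEpochSecond(sn[0], sn[1]);
    }

    /** Bro "interval" (a span in seconds) -> Duration. */
    public static Duration parseInterval(String value) {
        long[] sn = secondsAndNanos(value);
        return Duration.ofSeconds(sn[0], sn[1]);
    }

    /**
     * Parse a tab-separated Bro log body. '#' lines are header directives:
     * "#fields" names the columns, "#types" gives each column's Bro type.
     * time/interval columns are converted, "-" (Bro's unset marker) becomes
     * null, and every other column is kept as its raw string.
     */
    public static List<Map<String, Object>> parseLog(String text) {
        String[] names = null;
        String[] types = null;
        List<Map<String, Object>> records = new ArrayList<>();
        for (String line : text.split("\n")) {
            if (line.isEmpty()) {
                continue;
            }
            if (line.startsWith("#")) {
                String[] parts = line.split("\t");
                if (parts[0].equals("#fields")) {
                    names = Arrays.copyOfRange(parts, 1, parts.length);
                } else if (parts[0].equals("#types")) {
                    types = Arrays.copyOfRange(parts, 1, parts.length);
                }
                continue;
            }
            if (names == null || types == null) {
                throw new IllegalStateException("data row before #fields/#types header");
            }
            String[] cols = line.split("\t", -1); // -1 keeps trailing empty columns
            if (cols.length != names.length) {
                throw new IllegalArgumentException(
                    "expected " + names.length + " columns, got " + cols.length + ": " + line);
            }
            Map<String, Object> rec = new LinkedHashMap<>();
            for (int i = 0; i < names.length; i++) {
                String raw = cols[i];
                Object v;
                if (raw.equals("-")) {
                    v = null;
                } else if (types[i].equals("time")) {
                    v = parseTime(raw);
                } else if (types[i].equals("interval")) {
                    v = parseInterval(raw);
                } else {
                    v = raw;
                }
                rec.put(names[i], v);
            }
            records.add(rec);
        }
        return records;
    }

    public static void main(String[] args) {
        // Constructed sample: the header and the two conn.log rows quoted in the thread.
        String sample = String.join("\n",
            "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-", "#path\tconn",
            "#open\t2016-04-04-09-00-04",
            "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
                + "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory"
                + "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
            "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount"
                + "\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]",
            "1459774793.429104\tCZgDTe31Z6ynNuzgN7\tfe80::c874:93f:5b4e:c1e1\t64648\tff02::1:3\t5355"
                + "\tudp\tdns\t0.412428\t44\t0\tS0\tF\tF\t0\tD\t2\t140\t0\t0\t(empty)",
            "1459774793.429113\tCi77TT3Kp4dNmhAYc1\t172.16.2.33\t64648\t224.0.0.252\t5355"
                + "\tudp\tdns\t0.412434\t44\t0\tS0\tF\tF\t0\tD\t2\t100\t0\t0\t(empty)");

        for (Map<String, Object> rec : parseLog(sample)) {
            Instant ts = (Instant) rec.get("ts");
            System.out.println(rec.get("uid")
                + " ts=" + DateTimeFormatter.ISO_INSTANT.format(ts)
                + " epochMilli=" + ts.toEpochMilli()
                + " duration=" + rec.get("duration"));
        }
    }
}
```

For the first row this yields the same instant the GNU `date` invocation above shows (2016-04-04 12:59:53 UTC), with the `.429104` fraction retained rather than truncated; the `epochMilli` value is what to hand to an API that wants milliseconds. In a Spark job the same `parseTime` call can be applied per record inside a map, with the header lines filtered out first. Real Bro logs also start with a `#separator \x09` line and end with a `#close` line; both start with `#` and are skipped by this parser, which assumes the tab separator throughout.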