johanna at icir.org
Thu Jun 9 09:57:41 PDT 2016
If you run Bro on a pcap, the timestamps in the logfile are actually driven
by the timestamps in the pcap file.
If you just do, e.g., bro -r [bro source path]/testing/btest/Traces/irc-dcc-send.trace
you will get timestamps from 2011, when that pcap file was generated.
On Wed, Jun 08, 2016 at 10:23:25PM -0700, Dk Jack wrote:
> Seems like the timestamps in the bro log file come from the system/wall
> clock. Is there a way for bro to force it to use the timestamp in the pcap file?
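Added example, not part of the original messages or of Bro's own code: a Python reader for the per-packet timestamps stored in a classic pcap file, which is the clock the reply above says drives the log timestamps when reading a trace. The sample capture is constructed in the code, and the function names are hypothetical.

```python
import struct
from datetime import datetime, timezone

# pcap magic bytes -> (struct byte order, sub-second units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def packet_times(data):
    """Return the capture time (epoch seconds) of every complete packet record."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order, frac = MAGICS[data[:4]]
    times, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec/ts_nsec, incl_len, orig_len
        ts_sec, ts_frac, incl_len, _ = struct.unpack_from(order + "IIII", data, off)
        off += 16 + incl_len
        if off > len(data):
            break  # truncated final record: ignore it
        times.append(ts_sec + ts_frac / frac)
    return times

def capture_window(data):
    """First and last packet time as UTC ISO strings, or None for an empty capture."""
    ts = packet_times(data)
    if not ts:
        return None
    iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return iso(min(ts)), iso(max(ts))

def build_sample():
    """Constructed two-packet pcap with dummy payloads, stamped in March 2011."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    t0 = 1300000000  # constructed value: 2011-03-13 07:06:40 UTC
    recs = b""
    for i, payload in enumerate((b"\x00" * 14, b"\x00" * 20)):
        recs += struct.pack("<IIII", t0 + i, 500000, len(payload), len(payload)) + payload
    return hdr + recs

if __name__ == "__main__":
    print(capture_window(build_sample()))
```

Running this check on a trace before analysis shows the date range to expect in the resulting logs, independent of the wall clock on the analysis host.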