[Bro-Dev] semantics of ts field for known_services?

Vern Paxson vern at icir.org
Wed Nov 30 15:03:00 PST 2011

Is this field meant to capture when the determination was made that a given
service is running somewhere?  For a slice-trace I'm analyzing, I see it's
on the ACK by the client of the first line sent back by the server.  Not
quite what I would expect, but also not necessarily any sort of issue.

