[Bro-Dev] semantics of ts field for known_services?

Seth Hall seth at icir.org
Wed Nov 30 20:06:39 PST 2011

On Nov 30, 2011, at 6:03 PM, Vern Paxson wrote:

> Is this field meant to capture when the determination was made that a given
> service is running somewhere?  For a slice-trace I'm analyzing, I see it's
> on the ACK by the client of the first line sent back by the server.  Not
> quite what I would expect, but also not necessarily any sort of issue.

The semantics of that field are a little fuzzy.  If a protocol was detected, the field contains the time that the analyzer generated the ProtocolConfirmation.  If no protocol was detected, a scheduled event is set for several minutes (I think 5 by default) so that Bro can wait and see if a better connection where a protocol is detected comes along before it goes to log the service.  Hm, I guess the semantics are pretty clear, the ts field always contains the time when the log record was written.  Determining why that happened when it did is a bit fuzzy.


