[Bro] &expire_func/&create_expire question
Christian Kreibich
christian at whoop.org
Fri Nov 17 17:39:45 PST 2006
On Fri, 2006-11-17 at 16:43 -0800, Vern Paxson wrote:
> > Real time is out, since 1s hasn't yet passed. But network time has
> > advanced 91s before I see the callback!?
>
> Timer expiration is driven off of packet arrivals. Is there a lengthy
> lull in arriving packets that causes the 91 second delay?

Uh-oh. I've discovered that packets in that trace were not in
chronological order, sorry. So I switched to one that covers ~3 minutes,
definitely sorted and without substantial gaps, and now the delay is at
60s, when a burst of expirations is triggered.

I've uploaded the stdout output I get with that trace and the below code
at http://www.cl.cam.ac.uk/~cpk25/bro/expiration-log.txt.gz .
----
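# Called when an entry's timer fires; logs the index and the current network time.
function expire(t: table[count] of count, idx: count): interval
    {
    print fmt("Expiring %d at %s", idx, network_time());
    # Returning 0 sec requests no further delay, so the entry is removed now.
    return 0 sec;
    }

# Entries are meant to expire 1 second after creation.
global state: table[count] of count &create_expire=1sec &expire_func=expire;
global idx: count = 0;

# Insert one new entry per packet and print the packet's network time.
event new_packet(c: connection, p: pkt_hdr)
    {
    ++idx;
    state[idx] = idx;
    print fmt("%s", network_time());
    }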
----
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org