[Bro] Surprising behavior when reading packets from file vs interface.

Robin Sommer robin at icir.org
Mon Sep 27 09:23:55 PDT 2010


On Fri, Sep 24, 2010 at 11:41 -0700, you wrote:

> 1. run thru a tracefile as rapidly as possible for testing,
> 2. keep the notion of current_time() accurate to wall time, and
> 3. run broccoli

Even without the problematic test, I'm not sure this will give you
realistic results. If Bro reads the trace as quickly as possible,
that can delay processing remote events more than in a live setting
where it will likely have more slack. 

Here's another idea: it seems the only problem with pseudo-realtime
is that current_time() doesn't return wall time but the adjusted
time, right? Internally, current_time() actually takes a second
parameter indicating which of the two the caller wants. That option
is not exposed to the script layer, but you could add a new function
wall_time() or so that does that (see src/bro.bif, current_time()). 

One more thought: Bro already comes with a script remote-ping.bro
that does periodic pings between two Bro's and measures the delay
for those. Depending on what exactly you want to measure, that might
already be sufficient?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org