[Bro] TimeStamp of Bro output
Robin Sommer
robin at icir.org
Thu Feb 7 14:56:53 PST 2013
Correct, and in particular log lines are explicitly not sorted by
time.
Robin
On Thu, Feb 07, 2013 at 22:31 +0000, Vlad Grigorescu wrote:
> Hi,
>
> I believe what you're seeing is a result of how those timestamps are defined.
>
> In conn.log[1]: "This is the time of the first packet."
> In http.log[2]: "Timestamp for when the request happened."
>
> The conn record doesn't get written until the connection closes (or times out). It happens during the connection_state_remove[3] event. By handling it at connection close, you get duration, byte/packet counts, etc.
>
> Also, the times for when the first packet was seen, and when the actual HTTP request was seen can be slightly off.
>
> Does this line up with what you're seeing?
>
> --Vlad
>
> [1] - <http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html#type-Conn::Info>
> [2] - <http://www.bro-ids.org/documentation/scripts/base/protocols/http/main.html#type-HTTP::Info>
> [3] - <http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_state_remove>
>
> On Feb 7, 2013, at 5:11 PM, <keqhe at cs.wisc.edu> wrote:
>
> > Hi Everyone,
> >
> > We observe that the flows' timestamps in the Bro log file are not strictly in
> > time order. Also we note that for the same flow, the timestamp in conn.log
> > and the timestamp in http.log are not the same. Has anyone noticed this
> > problem before and have ideas on this? Thanks!
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
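As an added example (not code from the thread or from the Bro project), a small Python script that parses Bro's tab-separated log format, checks whether a log's ts column is in file order, and joins conn.log to http.log by uid so the gap between the connection's first packet and the HTTP request time is visible. The log rows are constructed and the uids are placeholders.

```python
"""Parse Bro TSV logs, test time ordering, and correlate conn.log with http.log."""

# Constructed sample logs, not real captures. The conn.log rows are deliberately
# out of time order: connection C1 started first but closed later, and a conn
# entry is only written when connection_state_remove fires.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n"
    "1360275070.100\tC2\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\t0.400\n"
    "1360275069.500\tC1\t10.0.0.7\t51235\t93.184.216.34\t80\ttcp\t2.100\n"
)
HTTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\n"
    "1360275069.650\tC1\t10.0.0.7\t51235\t93.184.216.34\t80\tGET\texample.com\t/\n"
    "1360275070.210\tC2\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/a\n"
)


def parse_bro_log(text):
    """Return one dict per data row, keyed by the column names in #fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue  # #separator, #types, #close and blank lines carry no data
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_time_sorted(rows):
    """True if the ts column is non-decreasing in file order."""
    ts = [float(r["ts"]) for r in rows]
    return all(a <= b for a, b in zip(ts, ts[1:]))


def correlate(conn_text, http_text):
    """Join http.log to conn.log on uid and return (uid, conn_ts, http_ts, offset)
    sorted by connection start. offset is request time minus first-packet time
    and should never be negative: the request cannot precede the connection."""
    conn = {r["uid"]: float(r["ts"]) for r in parse_bro_log(conn_text)}
    joined = []
    for h in parse_bro_log(http_text):
        if h["uid"] in conn:  # skip requests whose connection has not been logged yet
            c_ts, h_ts = conn[h["uid"]], float(h["ts"])
            joined.append((h["uid"], c_ts, h_ts, round(h_ts - c_ts, 3)))
    return sorted(joined, key=lambda row: row[1])
```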