[Bro] TimeStamp of Bro output

Robin Sommer robin at icir.org
Thu Feb 7 14:56:53 PST 2013


Correct, and in particular log lines are explicitly not sorted by
time.

Robin

On Thu, Feb 07, 2013 at 22:31 +0000, Vlad Grigorescu wrote:

> Hi,
> 
> I believe what you're seeing is a result of how those timestamps are defined.
> 
> In conn.log[1]: "This is the time of the first packet."
> In http.log[2]: "Timestamp for when the request happened."
> 
> The conn record doesn't get written until the connection closes (or times out). It happens during the connection_state_remove[3] event. By handling it at connection close, you get duration, byte/packet counts, etc.
> 
> Also, the times for when the first packet was seen, and when the actual HTTP request was seen can be slightly off.
> 
> Does this line up with what you're seeing?
> 
>   --Vlad
> 
> [1] - <http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html#type-Conn::Info>
> [2] - <http://www.bro-ids.org/documentation/scripts/base/protocols/http/main.html#type-HTTP::Info>
> [3] - <http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_state_remove>
> 
> On Feb 7, 2013, at 5:11 PM, <keqhe at cs.wisc.edu> wrote:
> 
> > Hi Everyone,
> > 
> > We observe that the flows' timestamps in the Bro log file are not strictly in
> > time order. Also we note that for the same flow, the timestamp in conn.log
> > and the timestamp in http.log are not the same. Has anyone noticed this
> > problem before, and does anyone have ideas on this?  Thanks!
> > 
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 


-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
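The two points made in this thread (conn.log lines are emitted when the connection closes, so file order follows close time rather than first-packet time; http.log's ts is the request time and so sits a little after the matching conn.log ts) are easy to confirm directly on the logs. The script below is an added example written for this page, not code from the thread or from the Bro project: it carries its own hand-written parser for Bro's tab-separated format (reading whatever the `#fields` header lists), two constructed log snippets trimmed to a handful of columns, and a join of conn.log to http.log on `uid` that reports the offset between the two timestamps. All uids, addresses and times in the snippets are constructed.

```python
"""Added example (not from the thread or the Bro project): parse two
constructed Bro logs, check their line order, and join conn.log to http.log
on uid to compare their ts columns. Columns are trimmed to a subset; the
parser reads whatever the #fields header names."""
from typing import Callable, Dict, List

Row = Dict[str, str]

# Constructed conn.log. File order follows connection close (ts + duration),
# which is when connection_state_remove fires, not first-packet time (ts).
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tduration
#types\ttime\tstring\taddr\taddr\tport\tenum\tinterval
1360275199.900000\tCjhGID4nQcgTWjvg4c\t10.0.0.6\t192.0.2.11\t80\ttcp\t0.800000
1360275201.300000\tCd5g1k2BLYvY6xC0Tf\t10.0.0.7\t192.0.2.12\t443\ttcp\t3.200000
1360275200.150000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t192.0.2.10\t80\ttcp\t12.500000
#close\t2013-02-07-14-56-53
"""

# Constructed http.log. ts is the request time, so it is slightly later than
# the matching conn ts (first packet). The last uid has no conn row yet: that
# connection had not closed when this snapshot was taken.
HTTP_LOG = """#separator \\x09
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring
1360275199.950000\tCjhGID4nQcgTWjvg4c\t10.0.0.6\t192.0.2.11\tGET\texample.org\t/
1360275200.203000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t192.0.2.10\tGET\texample.org\t/index.html
1360275205.000000\tCqZ7KQ1mB7ALqG6Q4c\t10.0.0.8\t192.0.2.13\tPOST\texample.org\t/api
"""


def parse_bro_log(text: str) -> List[Row]:
    """Return one dict per data line, keyed by the names in #fields."""
    sep = "\t"
    fields = None
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape such as \x09.
                sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # #types, #path, #open, #close, ... carry no data
        if fields is None:
            raise ValueError("data line before #fields header")
        rows.append(dict(zip(fields, line.split(sep))))
    return rows


def ts_of(row: Row) -> float:
    return float(row["ts"])


def close_time_of(row: Row) -> float:
    """First packet plus duration; '-' (unset) counts as zero duration."""
    dur = row.get("duration", "-")
    return ts_of(row) + (0.0 if dur == "-" else float(dur))


def is_sorted(rows: List[Row], key: Callable[[Row], float]) -> bool:
    vals = [key(r) for r in rows]
    return all(a <= b for a, b in zip(vals, vals[1:]))


def sort_by_ts(rows: List[Row]) -> List[Row]:
    """Re-order log lines by first-packet time, which the file itself does not."""
    return sorted(rows, key=ts_of)


def join_on_uid(conn_rows: List[Row], http_rows: List[Row]) -> List[Dict[str, object]]:
    """For each http.log line with a conn.log partner, report both ts values
    and the gap (request time minus first-packet time). http lines whose
    connection has not closed yet have no partner and are skipped."""
    conn_by_uid = {r["uid"]: r for r in conn_rows}
    joined = []
    for h in http_rows:
        c = conn_by_uid.get(h["uid"])
        if c is None:
            continue
        joined.append({
            "uid": h["uid"],
            "conn_ts": ts_of(c),
            "http_ts": ts_of(h),
            "offset_s": round(ts_of(h) - ts_of(c), 6),
        })
    return joined


if __name__ == "__main__":
    conn = parse_bro_log(CONN_LOG)
    print("conn.log sorted by ts:        ", is_sorted(conn, ts_of))
    print("conn.log sorted by close time:", is_sorted(conn, close_time_of))
    for j in join_on_uid(conn, parse_bro_log(HTTP_LOG)):
        print(f"{j['uid']}: http ts is {j['offset_s']:+.6f}s after conn ts")
```

Run it as a script to see both observations from the original question reproduced on the sample: the conn.log lines come out ordered by close time but not by ts, and every joined flow shows a small positive gap between the http.log and conn.log timestamps. On real logs, feed the contents of the two files to `parse_bro_log` instead of the constructed strings; the parser honours the `#separator` header rather than assuming tabs.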


