[Bro] TimeStamp of Bro output

Robin Sommer robin at icir.org
Fri Feb 8 15:11:31 PST 2013



On Fri, Feb 08, 2013 at 17:04 -0600, keqhe at cs.wisc.edu wrote:

> The important info we want to know is that---there are more than
> 50,000,000 flows in the trace files. So we are not sure whether uid field
> is really UNIQUE.

Indeed, that's the idea behind it. It's unique and identifies flows
across all logs (and even across Bro runs).

Internally it's a hash value so there's a tiny chance for a collision,
but it's a 64-bit value space so you should be fine.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
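
An added example, not part of the original message and not Bro's own code: it estimates the birthday-bound collision chance for a 64-bit uid over 50,000,000 flows and checks conn.log lines for a uid reused by two different connections. It assumes uid values are uniformly distributed and that the log uses Bro's tab-separated format with a #fields header; the sample lines and function names are constructed for illustration.

```python
import math

def collision_probability(n_flows, bits=64):
    """Birthday bound: chance of at least one collision among n_flows
    values drawn uniformly from a 2**bits space (uniformity is assumed)."""
    pairs = n_flows * (n_flows - 1) / 2.0
    # expm1 keeps precision when the probability is very small
    return -math.expm1(-pairs / 2.0 ** bits)

def find_uid_collisions(lines):
    """Return {uid: [connection tuples]} for uids in conn.log lines that
    appear with more than one distinct connection."""
    fields, seen, collisions = None, {}, {}
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue                        # other header/footer lines
        if fields is None:
            raise ValueError("data line before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        conn = (rec["ts"], rec["id.orig_h"], rec["id.orig_p"],
                rec["id.resp_h"], rec["id.resp_p"])
        first = seen.setdefault(rec["uid"], conn)
        if first != conn:
            hits = collisions.setdefault(rec["uid"], [first])
            if conn not in hits:
                hits.append(conn)
    return collisions

# Constructed sample, not real traffic: the last line reuses the first uid.
SAMPLE = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1360364000.100000\tuidA\t10.0.0.1\t40000\t10.0.0.9\t80\ttcp",
    "1360364001.200000\tuidB\t10.0.0.2\t40001\t10.0.0.9\t443\ttcp",
    "1360364002.300000\tuidA\t10.0.0.3\t40002\t10.0.0.8\t53\tudp",
]

if __name__ == "__main__":
    print("P(collision) for 50,000,000 flows: %.2e"
          % collision_probability(50_000_000))
    for uid, conns in find_uid_collisions(SAMPLE).items():
        print("uid %s used by %d different connections" % (uid, len(conns)))
```

For a real trace, pass the open conn.log file object to find_uid_collisions; holding 50,000,000 uids in a dict needs several gigabytes of memory.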


