[Bro] Scheduling events are immediatly executed
Jan Muthreich
jan.muthreich at consistec.de
Tue Dec 8 23:51:42 PST 2015
Thank you. I have an Input READER_ASCII in use, which need Input::force_update. It reads from a linux pipe. How can we schedule this operation if no network traffic is in the line?
Mit freundlichen Grüßen
Jan Muthreich
-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org]
Sent: Tuesday, December 8, 2015 5:23 PM
To: Jan Muthreich <jan.muthreich at consistec.de>
Cc: bro at bro.org
Subject: Re: [Bro] Scheduling events are immediatly executed
On Tue, Dec 08, 2015 at 15:35 +0000, Jan Muthreich wrote:
> I'm working with BRO and have a problem. I want to use scheduling but
> it doesn't seem to work. Alle tests, that I wrote, are immidiatly
> ready.
One thing to keep in mind for schedule is that it's relative to "network time", i.e., the packet timestamps in the trace. When you say 100s, it's not going to wait for 100s of wall clock time to pass, but will trigger the event once the packet timestmaps have covered 100s.
When working offline from a trace, like in your case, that often feels like "immediately" if the input is short. Could that be it?
Robin
--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
More information about the Bro
mailing list