[Bro] how to merge rx and tx from different pcaps / slightly off-topic

Seth Hall seth at icir.org
Wed Sep 9 18:55:40 PDT 2015


> On Sep 9, 2015, at 5:09 PM, Jeff Barber <jbarber at computer.org> wrote:
> 
> If you don't specify --pseudo-realtime, BRO will apparently run connection timers based on the current wall clock time, comparing the wall clock with the start time recorded in conjunction with the packets in the pcap. This means it may see a connection start, then immediately expire it as having passed the session time limit. [What? That session is six months old!] 

That’s actually not how Bro works; it uses the timestamps in the packets to drive its packet clock forward.  Could you show how you’re running Bro?  It sounds to me like you’re replaying traffic to an interface and then sniffing it.

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
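An added script (not from this thread) that makes the difference between Bro's packet clock and the host's wall clock visible when reading a trace; the file names trace.pcap and packet_clock.bro are assumed:

```bro
# Added illustration, not from the mailing list thread.
# Run:            bro -r trace.pcap packet_clock.bro
# Compare with:   bro -r trace.pcap --pseudo-realtime packet_clock.bro
# (trace.pcap and packet_clock.bro are hypothetical file names.)

global first_pkt_time: time;    # network time when the first connection is seen
global first_wall_time: time;   # host wall-clock time at that same moment
global seen_first = F;

event new_connection(c: connection)
	{
	if ( seen_first )
		return;
	seen_first = T;
	first_pkt_time = network_time();    # advanced by packet timestamps
	first_wall_time = current_time();   # advanced by the host clock
	}

event bro_done()
	{
	if ( ! seen_first )
		return;
	# Without --pseudo-realtime the trace's packet-time span is processed in
	# a fraction of that wall-clock time; with it, the two are roughly equal.
	local pkt_elapsed = network_time() - first_pkt_time;
	local wall_elapsed = current_time() - first_wall_time;
	print fmt("packet time spanned %s, wall-clock time spent %s",
	          pkt_elapsed, wall_elapsed);
	print fmt("first packet stamped %s; host clock read %s when Bro reached it",
	          strftime("%Y-%m-%d %H:%M:%S", first_pkt_time),
	          strftime("%Y-%m-%d %H:%M:%S", first_wall_time));
	}
```

Connection timers fire on the packet clock, so an old trace read with -r does not expire sessions against today's date; replaying it onto a live interface, as Seth suspects, is what reintroduces the wall clock.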