[Bro] how to merge rx and tx from different pcaps / slightly off-topic

Jeff Barber jbarber at computer.org
Thu Sep 10 04:34:43 PDT 2015


Seth, Thanks for the clarification.

Uggh... It appears that shady stuff my plugin is doing is responsible for
my problem.

I think the problem is that I have opened a live pkt src from within my
plugin, but am then also trying to read a pcap. Maybe I've seeded BRO with a
later timestamp than those in the pcap? Having a hard time following the
timer logic.

Is it possible to instantiate a per-PktSrc timer?

Anyway, sorry to be spewing misinformation.


On Wed, Sep 9, 2015 at 9:55 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Sep 9, 2015, at 5:09 PM, Jeff Barber <jbarber at computer.org> wrote:
> >
> > If you don't specify --pseudo-realtime, BRO will apparently run
> connection timers based on the current wall clock time, comparing the wall
> clock with the start time recorded in conjunction with the packets in the
> pcap. This means it may see a connection start, then immediately expire it
> as having passed the session time limit. [What? That session is six months
> old!]
>
> That’s actually not how Bro works, it uses the timestamps in the packets
> to drive its packet clock forward.  Could you show how you’re running
> Bro?  It sounds to me like you’re replaying traffic to an interface and
> then sniffing it.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>