[Bro] how to merge rx and tx from different pcaps / slightly off-topic
Seth Hall
seth at icir.org
Thu Sep 10 09:37:55 PDT 2015
> On Sep 10, 2015, at 7:34 AM, Jeff Barber <jbarber at computer.org> wrote:
>
> Uggh... It appears that shady stuff my plugin is doing is responsible for my problem.
Is your plugin posted anywhere?
> I think the problem is that I have opened a live pkt src from within my plugin, but then also trying to read a pcap. Maybe I've seeded BRO with a later timestamp than those in the pcap? Having a hard time following the timer logic.
You’re doing both in your plugin? That definitely isn’t a supported model.
> Is it possible to instantiate a per-PktSrc timer?
I assume you mean a per-pktsrc clock? (since timers have a meaning and are something different in Bro). If you meant clock, then no, a Bro process has the notion of a singular clock.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list