Hi Dave, > But if I pass it a PCAP it exhibits the same condition where the when loop isn’t entered: > > bro -r test.pcap b.bro my guess would be that reading a pcap causes timing problems. Have you tried processing the pcap using --pseudo-realtime? Jan