On 13 Apr 2018, at 0:30, Aashish Sharma wrote:

> So I am seeing some weird stuff in my sample pcap of scanners. May be 
> too
> obvious and I am just not seeing why/how of it.

It's a straight forward answer but not completely obvious. :)

> Q. Why would connection_attempt event kick in after 36 minutes and 6 
> seconds ? (
> 06:13:48 - 05:37:42 ) ?

I bet that you have a jump in timestamps in your pcap.  Since Bro's 
internal clock is driven forward by seeing timestamps associated with 
packets it's possible that your pcap has a 36 minute jump in timestamps 
so Bro couldn't have possibly expired anything in the time before that 
because from its perspective there was an immediate jump in time.  You 
don't normally experience the effects of this behavior in traffic you're 
sniffing live because you will tend to have many packets every second so 
you see Bro's clock driven forward in very tiny increments as you would 
expect.  If you go a long time without receiving a packet is when stuff 
gets tricky.


Seth Hall * Corelight, Inc * www.corelight.com
bro-dev mailing list

Reply via email to