On 13 Apr 2018, at 0:30, Aashish Sharma wrote:
> So I am seeing some weird stuff in my sample pcap of scanners. May be > too > obvious and I am just not seeing why/how of it. It's a straight forward answer but not completely obvious. :) > Q. Why would connection_attempt event kick in after 36 minutes and 6 > seconds ? ( > 06:13:48 - 05:37:42 ) ? I bet that you have a jump in timestamps in your pcap. Since Bro's internal clock is driven forward by seeing timestamps associated with packets it's possible that your pcap has a 36 minute jump in timestamps so Bro couldn't have possibly expired anything in the time before that because from its perspective there was an immediate jump in time. You don't normally experience the effects of this behavior in traffic you're sniffing live because you will tend to have many packets every second so you see Bro's clock driven forward in very tiny increments as you would expect. If you go a long time without receiving a packet is when stuff gets tricky. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com _______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
