As far as I am aware, Bro has steadily moved toward a multi-threaded approach, at least for logging. For an analyzer that I've been developing as part of my research, I am curious to know whether network_time remains coherent with the network time given in pcap files and live capture. If not, is there a more accurate variable available?
Of note: I've never really observed a discrepancy between the pcap files and the network time reported through the event system. Gilbert Clark and I had a small discussion on this, and I feel that, from what I've seen in the source code, network_time is likely fine, but I thought I'd get the answer from the folks who know the source quite a bit better than I do.

Best,

-- 
James Swaro
Internetworking Research Group
Ohio University
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
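The question above can be checked empirically rather than by reading the source. The following Bro script is an added example written for this page; it is not code from the original post, from James Swaro's analyzer, or from the Bro project. It assumes you have a trace file to replay (the file name `trace.pcap` is a placeholder) and relies only on standard Bro script built-ins: `network_time()` (time derived from the packet being processed), `current_time()` (wall-clock time), the `new_connection` event, and the `start_time` field of a connection record, which is stamped from the first packet of that connection. If `network_time()` tracks the pcap timestamps, the skew it reports should be zero when replaying a trace, while the wall clock will be off by however old the trace is.

```bro
# Added example (not from the original post or the Bro project):
# check that network_time() follows packet timestamps, not the wall clock.
#
# Usage (file name is a placeholder):
#   bro -r trace.pcap check_network_time.bro

module CheckNetworkTime;

export {
    ## Largest |network_time() - c$start_time| observed at new_connection.
    global max_skew: interval = 0 secs;

    ## Number of connections inspected.
    global n_conns: count = 0;
}

event new_connection(c: connection)
    {
    # c$start_time is set from the timestamp of the connection's first
    # packet; network_time() should be that same timestamp when this
    # event is raised, whether reading a trace or capturing live.
    local skew = network_time() - c$start_time;

    if ( skew < 0 secs )
        skew = 0 secs - skew;   # absolute value of the interval

    if ( skew > max_skew )
        max_skew = skew;

    ++n_conns;
    }

event bro_done()
    {
    # Wall clock vs. packet clock: for a replayed pcap these diverge by the
    # age of the trace, which is exactly why analyzers must use
    # network_time() rather than current_time() for packet-relative timing.
    print fmt("connections inspected: %d", n_conns);
    print fmt("max |network_time() - c$start_time|: %s", max_skew);
    print fmt("network_time() at exit: %s", network_time());
    print fmt("current_time() at exit: %s", current_time());
    }
```

A reported `max_skew` of `0.0` over a trace means the event-level `network_time()` agrees with the pcap timestamps to the resolution Bro keeps (a double, so microsecond pcap timestamps survive intact). Any non-zero skew would point at exactly the kind of incoherence the question asks about, and a large gap between `network_time()` and `current_time()` at exit is expected and harmless when replaying an old capture.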
