The move is now done and all functionality should work as before.
The user-interface for the mailing lists, and the archives are now
located at https://lists.zeek.org
If you notice anything amiss - please let me know.
On 22 Jul 2020, at 11:36, Johanna Amann wrote:
> Hello everyone,
> We are going to switch the zeek.org mailing lists to a new provider on
> Monday the 27th. This change means that the domain-part of all
> mailing lists is going to change from “zeek.org” to
> What changes does this entail / what does this mean for you:
> * All zeek.org mailing list domains will switch to lists.zeek.org. So,
> “zeek(a)zeek.org” will be “zeek(a)lists.zeek.org” afterwards.
> However, you will still be able to send messages to the old list
> address for the foreseeable future - they will automatically be
> forwarded to the new address
> If you are using mailing list filters to automatically sort Zeek
> mailing lists into folders, you will probably have to update them.
> * The mailing list archives and administrative interface will move to
> https://lists.zeek.org/. The old interface at
> http://mailman.icsi.berkeley.edu/mailman/listinfo will no longer be
> available; archives will also no longer be available at the old
> * Your subscription will automatically move, you do not have to take
> When will this happen:
> * This change will happen on Monday the 27th of July, starting at
> approximately 9am PDT/noon EDT/4pm GMT/5pm BST/6pm CEST.
> Messages sent to the Zeek mailing lists during this time will be
> held. We will try to make sure that any messages that happen to be
> during this timeframe will make it over after the migration, but your
> message will probably make it faster if you wait till we are done.
> * The change will take a few hours; I will send another message to the
> individual lists once migration is done.
> Why are we moving the mailing lists:
> The current setup that we are using is being retired and we have to
> switch to a new provider. We are switching to a new domain because
> makes our setup easier to maintain.
> If you have any questions or concerns, please let me know.
> Zeek-Announce mailing list
We are going to switch the zeek.org mailing lists to a new provider on
Monday the 27th. This change means that the domain-part of all zeek.org
mailing lists is going to change from “zeek.org” to
What changes does this entail / what does this mean for you:
* All zeek.org mailing list domains will switch to lists.zeek.org. For
this mailing list that means the address will be
However, you will still be able to send messages to the old list
address for the foreseeable future - they will automatically be
forwarded to the new address
If you are using mailing list filters to automatically sort Zeek
mailing lists into folders, you will probably have to update them.
* The mailing list archives and administrative interface will move to
https://lists.zeek.org/. The old interface at
http://mailman.icsi.berkeley.edu/mailman/listinfo will no longer be
available; archives will also no longer be available at the old address.
* Your subscription will automatically move, you do not have to take any
When will this happen:
* This change will happen on Monday the 27th of July, starting at
approximately 9am PDT/noon EDT/4pm GMT/5pm BST/6pm CEST.
Messages sent to the Zeek mailing lists during this time will be
held. We will try to make sure that any messages that happen to be sent
during this timeframe will make it over after the migration, but your
message will probably make it faster if you wait till we are done.
* The change will take a few hours; I will send another message to the
individual lists once migration is done.
Why are we moving the mailing lists:
The current setup that we are using is being retired and we have to
switch to a new provider. We are switching to a new domain because this
makes our setup easier to maintain.
If you have any questions or concerns, please let me know.
Sorry for bothering you:)
I’ve launched timemachine in my server for one week and it worked well.
But yesterday after my server (timemachine) rebooted, I found the data captured before the server rebooting cannot be queried anymore.
I tried many queries with parameters “IP” or “Connection”; the result always only contains the data captured from the timeserver/timemachine restarting.
Could anyone tell if timemachine has this limitation? Or how to work around it?
I need to capture packets for three interfaces in one server.
But it seems the time-machine "device" configuration item cannot support multiple names, such as "eth1,eth2,eth3".
All I think about is launching multiple processes, but the disadvantage is the index and query could be shared.
Could you give some suggestions?
I want to use Timemachine in Bro,
I run Bro live, then suspicious IPs are generated. Then I want to retrieve
the payloads of those IPs' packets (based on IP address and maybe
timestamp) for further analysis to make sure whether they are really
intrusions or false positives.
I have no idea about using Timemachine, is there any guide for this, step
by step to use and configure TM?
Is TM stable now so that I can rely on it in current PhD research?
My bro version: 2.3 running on ubuntu 14.04
Repository : ssh://firstname.lastname@example.org/time-machine
Branch 'topic/aashish/ipv6' now includes:
29aa931 just a test file to commit
be967c5 some code review
256b528 started some IPv6 implementation. Cannot display all the ipv6 packets yet, but does display the full ipv6 addresses in the class files.
d70ea95 started implementation of hash function from bro. It crashes early still and can loop forever. This commit is only to save work so far.
5900dc0 fixed the silly bug in the lookup function (called itself within itself) and attempted a fix on the deletion of the entries in old hash table. It seems to run to completion, but I have not checked rigorously yet. Index files in the indexes directory don't seem to be correct. The class files may not be entirely correct either, seems to only get most of the packets rather than nearly all of the packets. I am committing because this seems to run without segfault
e047c0b Some querying is working (with some adjust for VLAN tags). However, it does not take care of MPLS labels. Also, the check for hash index conflicts has not been done. The check that full sessions are being taken into account has not been done either.
56b3e91 I seemed to have removed the major memory leaks. There are still some memory leaks, but they seem to come from the original Time Machine code, namely with the connections.
d3183a0 It does not seem to seg fault anymore. I removed the bug where I overdeleted (did delete  instead of delete)
7b03c40 made taking care of hash collisions more explicit
155a210 fixed some bugs mainly in Connection.cc and IndexField.cc; runs with less dropped packets, still a sizeable amount of dropped packets though (10% with indexes); runs with less cpu usage, still rather large cpu usage (120% with indexes)
f356165 making this commit to save latest work. This commit attempted to fix the Hash bugs
cba1493 deleted two unnecessary files and made a change in IndexHash.cc to help avoid a segfault
da9bca8 added some gperftools capabilities (taken from bro code)
9646fd4 added the foundation in the CMake for cpu profiling via gperftools
070782b saving my work to try to get rid of permissions
737c7e9 updated the foundation for the gperftools, cpu profiler
1ed43c2 gperftools with CPU profiler seems to be working. You can put the ProfilerStart() and ProfilerStop() wherever you want, but be wary that putting them relatively close to each other may result in 0 samples.
f550318 Fixed one very hidden bug (in ConnectionIF3, IndexField.cc)
325409e removed tmlog by commenting them out (to better cpu performance)
5854443 Updated the README to include some instructions about using gperftools' cpu profiler
d0e18fe Changed the key struct in Connection.cc and Connection.hh to be less convoluted.
00557be Fixed a small bug in IndexField.hh (had to do with memcpy), and tried to add some support for Mac OS
6d6db31 Removed the many instances of gettimeofday and used a counter instead to avoid system calls (Aashish's idea)
74b8a32 Changed the format of the configuration file to allow the class files to be placed in different directories based on their bucket type, a suggestion made by Partha. Also fixed querying for IPv4 for conn2, conn3, and conn4. Please note that querying for IPv6 for conn2, conn3, conn4 is currently not working.
fdf52f7 Fixed the implementation for querying for IPv6 for conn2/conn3/conn4. Fixed the regular expression so that it is more code friendly (less matching arguments needed).
40329f8 Fixed a bug in querying for longer IPv6 addresses. The regular expression for IPv6 addresses has been corrected
6fe29c1 Fixed getStr() method for IPv4
0175f2b Changed data structure for treating IPv4 addresses in Connection.hh for conn4 only. This change was made to help compete with original TM's simple comparisons for IPv4 addresses. I will change it for conn3 and conn2 next. Also commented out unnecessary debug statements which take some CPU usage.
47cb41d Added the data structure for IPv4 for conn2 and conn3 to help compete with the original TM's method of comparing ip addresses
c41a7a1 Got rid of some unnecessary variables and warnings about multi-line comments
01d751e Commented out some printf debugging statements, and updated version number.
418a79a Implemented Jim's Precedence. It improves CPU usage slightly. Basically, the buckets are sorted by precedence after the config file is parsed. Then, the packets go through the buckets and break when it meets a match.
a6f204b Implemented Partha's indexdir and queryfiledir changes. Basically, if you forget to create the index and query directories, but they are on the config file, they will be created automatically, with a message that lets you know.
ed402cd Created Aashish's -v command line parameter which outputs the version number of Time Machine, and also updated the version number to 2-0
b08480e Added a profilepath option in the configuration file to place the gperftools cpu profiler's .prof file, if wanted. Hopefully corrected the code for Apple compilers (I don't have an Apple compiler).
a29e64b Hopefully fixed the Apple compiler issues (I do not have an Apple compiler). Added some comments to code and change log
97e862b Updated some comments about prime number hash sizes and the use of the number in the counter when trying to write indexes to disk.
f5f4c9d Fixed a Memory-Illegal access error found by Coverity. This error occurred in Index.cc, and was in the original tm-master code (the ipv4 only implementation). Basically, iqe had a chance to be deleted, and then was to be accessed after that.
f984098 This is my final commit before leaving lab for this year.