On Jan 28, 2017, at 9:15 AM, Dave Crawford wrote:

And the second print doesn’t execute:

$ bro -r test.pcap local ../test.bro
Entering the ActiveHTTP::Request when() block...

I have ‘exit_only_after_terminate’ set to true so it just hangs at this point until I
ctrl-c and I see the tmp files deleted.

Following on this ticket from the main Bro list, I wonder if we could change the behavior
of Bro slightly to make what Dave tried work? I *think* the problem here is that once the
packets run out, Bro's internal clock stops moving forward which causes all sorts of
trouble for timers and other stuff I'm sure.

What does everyone think about making the clock continue to move forward even after the
packet source runs dry? This especially makes sense when someone uses pseudo-realtime
because we can keep moving the clock at the rate it was moving (but not jump to current
time, we'd just do subtraction based on the time when the packet source ran dry).

The main problem I see with this idea is if someone reads a PCAP at full speed, what rate
do we make the clock continue ticking?

Does this idea make sense at all? I think we've had too many new Bro programmers get
frustrated with this behavior which worries me a little bit.

International Computer Science Institute
(Bro) because everyone has a network