Snort mailing list archives
Negative timestamp in PCAP from Snort
From: Research <research () nativemethods com>
Date: Thu, 30 Jul 2015 13:46:57 -0400
Hello,

I am currently running Snort 2.9.7.2 on a Linux host. I checked the PCAP today and noticed an entry with a negative timestamp. This showed up AFTER an entry with a timestamp of 0. I understand that the first event is valid with the 0 timestamp, but I am confused by the negative one. AFAIK Snort does not buffer the output to PCAPs but writes in real time. What would cause a negative timestamp on an event?

Thanks