Snort mailing list archives

Negative timestamp in PCAP from Snort


From: Research <research () nativemethods com>
Date: Thu, 30 Jul 2015 13:46:57 -0400

Hello,

I am currently running Snort 2.9.7.2 on a Linux host.  I checked the PCAP today and noticed an entry with a negative 
timestamp.  This showed up AFTER an entry with a timestamp of 0.

I understand that the first event is valid with the 0 timestamp, but I am confused by the negative one.  AFAIK Snort 
does not buffer the output to PCAPs but writes in real-time.  What would cause a negative timestamp on an event?

Thanks