Original PCAP timestamps instead of timeofday-generated #113
I suggest changing the PCAP logger code because of bad timestamps. Timeofday-generated timestamps are not so good for Zeek or any DPI parsing (the packets are not in the right order). Also, original timestamps seem to be better in PCAP because they help to see the real time of the packet (for example in Wireshark).
For example, on one malware traffic sample (Smert Ransomware):
PCAP source: https://app.any.run/tasks/5b2f8a32-62ea-47b1-9c3a-b9b474fb0774/
Original pcap timestamps (Wireshark with SSLKeyLogFile specified in settings):
Current ssldump version (gettimeofday-generated timestamps - decrypted at 7 Aug):

This PR's version:

This feature may be very helpful for some malware traffic analysts in the future and seems more correct. Please correct me if I'm wrong somewhere.
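As an added illustration (not code from ssldump or from this PR), a minimal pcap writer and reader in Python that contrasts the two policies the description compares: keeping each record's own capture timestamp versus stamping every record with the wall clock at write time. The header layouts are the standard libpcap ones; the sample records and their epoch timestamps are constructed.

```python
import struct
import time

# libpcap file format constants (microsecond resolution, little-endian).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(records, preserve_ts=True):
    """Serialise (ts_sec, ts_usec, payload) records into a pcap byte string.

    preserve_ts=True keeps the capture timestamp carried with each record (what
    the PR proposes). preserve_ts=False mimics the behaviour being replaced:
    every record is stamped with the wall clock at the moment it is written."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, payload in records:
        if not preserve_ts:
            now = time.time()
            ts_sec, ts_usec = int(now), int((now - int(now)) * 1_000_000)
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return bytes(out)

def read_pcap(data):
    """Parse a pcap byte string back into (ts_sec, ts_usec, payload) tuples."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    pos, records = GLOBAL_HDR.size, []
    while pos < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, pos)
        pos += RECORD_HDR.size
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return records

# Constructed sample: three records with made-up capture times (not real traffic).
SAMPLE_RECORDS = [
    (1691395200, 100, b"\x00" * 60),
    (1691395200, 250, b"\x01" * 60),
    (1691395201,   5, b"\x02" * 60),
]

def timestamps_survive_roundtrip(preserve_ts=True):
    """True when the timestamps read back equal the original capture timestamps."""
    original = [(s, u) for s, u, _ in SAMPLE_RECORDS]
    rewritten = [(s, u) for s, u, _ in read_pcap(write_pcap(SAMPLE_RECORDS, preserve_ts))]
    return rewritten == original
```

With preserve_ts=False the file still parses, but every record now shows the time of writing, which is why a tool like Wireshark or Zeek can no longer place the packets at their real capture time.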