[Oisf-users] Log entry timestamp question

Peter Manev petermanev at gmail.com
Thu Mar 15 13:06:43 UTC 2018


On Tue, Mar 13, 2018 at 1:23 PM, Steve Castellarin
<steve.castellarin at gmail.com> wrote:
> Hi Peter, no the timestamps are still not showing the microseconds - no
> matter what I change in the Napatech configuration.
>

Not showing microseconds or still showing only the pattern (if I
understood correctly what you mentioned earlier) -
yyyy-mm-ddThh:mm:ss.000001-0500
?

As they do show up as expected at least in the test set ups (this one
below is with an Intel NIC) -
"timestamp":"2018-03-15T11:22:43.869423+0100"
"timestamp":"2018-03-15T11:22:43.923182+0100"
"timestamp":"2018-03-15T11:22:46.677016+0100"
"timestamp":"2018-03-15T11:23:02.030184+0100"
"timestamp":"2018-03-15T11:23:09.378716+0100"


> Steve
>
> On Tue, Mar 13, 2018, 3:25 AM Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Fri, Dec 29, 2017 at 3:24 PM, Steve Castellarin
>> <steve.castellarin at gmail.com> wrote:
>> > Hey Mike,
>> >
>> > Thanks for the link.  I've had the Napatech configuration now for a
>> > couple
>> > years, plus.  I did double check my NTSERVICE.ini file and do see the
>> > TimeSyncReferencePriority setting to "OSTime" as noted on the page.  I
>> > did
>> > open a ticket with Napatech about the millisecond question, and they
>> > believed it was a Suricata issue and possibly upgrading to 4.x (I was
>> > previously running 3.1.1) would resolve the issue.  So far no luck.
>> >
>>
>> Did you manage to get it working as expected?
>>
>>
>> > On Fri, Dec 29, 2017 at 9:15 AM, Michael Stone <mstone at mathom.us> wrote:
>> >>
>> >> On Thu, Dec 28, 2017 at 03:59:55PM -0700, James Moe wrote:
>> >>>
>> >>>  No. There is a feature request
>> >>> <https://redmine.openinfosecfoundation.org/issues/1469> that addresses
>> >>> this issue.
>> >>
>> >>
>> >> That's something different. I think the timestamp weirdness (bogus
>> >> milliseconds) is an artifact of the napatech cards. (Ironically,
>> >> because
>> >> they support high precision timestamping.) Steve, did you follow the
>> >> instructions at
>> >> http://suricata.readthedocs.io/en/latest/capture-hardware/napatech.html
>> >> (specifically, the part about TimeSyncReferencePriority)?
>> >>
>> >> Mike Stone
>> >
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev
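
To tell the two cases in the question above apart on a live sensor (real microseconds versus a fixed fraction such as .000001), the sub-second field of the EVE records can be tallied. The following is an added example, not part of the original message or of Suricata; the function name, the thresholds and the STUCK sample records are assumptions made for illustration.

```python
import json
import re
from collections import Counter

# EVE timestamp layout as quoted in the thread: 2018-03-15T11:22:43.869423+0100
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.(\d{6})[+-]\d{4}$")


def subsecond_report(lines, min_records=5, max_share=0.9):
    """Tally the microsecond field of EVE JSON lines (hypothetical helper).

    'suspect' is True when a single fractional value accounts for more than
    max_share of at least min_records parsed records (assumed thresholds).
    """
    fractions = Counter()
    unparsed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ts = json.loads(line).get("timestamp", "")
        except (ValueError, AttributeError):
            unparsed += 1          # not JSON, or not a JSON object
            continue
        m = TS_RE.match(ts) if isinstance(ts, str) else None
        if m is None:
            unparsed += 1          # timestamp missing or in another layout
            continue
        fractions[m.group(1)] += 1
    total = sum(fractions.values())
    top, top_count = fractions.most_common(1)[0] if fractions else (None, 0)
    suspect = total >= min_records and top_count / total > max_share
    return {"records": total, "unparsed": unparsed, "distinct": len(fractions),
            "top_fraction": top, "suspect": suspect}


# The five timestamps quoted in the message (Intel NIC test setup).
HEALTHY = ['{"timestamp":"2018-03-15T11:22:%s+0100"}' % t for t in
           ("43.869423", "43.923182", "46.677016")] + \
          ['{"timestamp":"2018-03-15T11:23:%s+0100"}' % t for t in
           ("02.030184", "09.378716")]
# Constructed records following the fixed .000001 pattern asked about.
STUCK = ['{"timestamp":"2018-03-13T09:00:%02d.000001-0500"}' % s
         for s in range(5)]

if __name__ == "__main__":
    print(subsecond_report(HEALTHY))
    print(subsecond_report(STUCK))
```

On a sensor, pass the open EVE log file object (commonly eve.json) as `lines`; a `suspect` result with one dominant `top_fraction` points at the capture timestamp source rather than at the JSON output.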


