Need a higher resolution timestamp #1
Comments
|
If we don't worry about backwards compatibility this is easy: we just redefine htp_time_t. This would change the declarations of htp_connp_req_data, htp_connp_res_data, and htp_connp_close. It would also break the Ruby bindings but that would be an easy fix. The part I'm not sure of is what would need to change on the IronBee side or what other users of libHTP are out there. |
|
Only suricata is a known user, but that is the 0.2.x branch, which should not be updated. IronBee already tracks microsec itself and ignores the timestamp in libhtp. It would be interesting info from the parser, though, so we could better track time as data arrives. For example, delta between headers, etc for profiling. Though, it is all probably moot as the data acquisition layer in ironbee is probably buffering this anyhow in most cases. |
|
I'm happy to make the libHTP changes. Let me know if I should. |
|
Done in c40c815 |
Timestamps are currently defined as htp_time_t (uint32_t) which only has second resolution. Timestamps should be defined with at least micorsecond resolution ("struct timeval" or similar).
The text was updated successfully, but these errors were encountered: