-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need a higher resolution timestamp #1
Comments
If we don't worry about backwards compatibility this is easy: we just redefine htp_time_t. This would change the declarations of htp_connp_req_data, htp_connp_res_data, and htp_connp_close. It would also break the Ruby bindings but that would be an easy fix. The part I'm not sure of is what would need to change on the IronBee side or what other users of libHTP are out there. |
Only suricata is a known user, but that is the 0.2.x branch, which should not be updated. IronBee already tracks microsec itself and ignores the timestamp in libhtp. It would be interesting info from the parser, though, so we could better track time as data arrives. For example, delta between headers, etc for profiling. Though, it is all probably moot as the data acquisition layer in ironbee is probably buffering this anyhow in most cases. |
I'm happy to make the libHTP changes. Let me know if I should. |
Done in c40c815 |
Timestamps are currently defined as htp_time_t (uint32_t) which only has second resolution. Timestamps should be defined with at least micorsecond resolution ("struct timeval" or similar).
The text was updated successfully, but these errors were encountered: