Re: [Sguil-users] Sguil vs packet captures, not live traffic
From: Richard B. <tao...@gm...> - 2013-01-17 22:27:56
And that's the problem. If you want to use Sguil as a "forensic" tool, or have students read a pcap and have the result look just like the data when it was collected live, Tcpreplay doesn't work because timestamps are set to the time of the replay.

Sincerely,

Richard

On Thu, Jan 17, 2013 at 5:23 PM, Guy Bruneau <se...@wh...> wrote:

> You are correct. The timestamps will be the timestamps of the replay time,
> not the original time.
>
> Guy
>
> From: Richard Bejtlich <tao...@gm...>
> To: sgu...@li...
> Sent: Thursday, January 17, 2013 9:53:55 AM
>
> Subject: Re: [Sguil-users] Sguil vs packet captures, not live traffic
>
> My concern with tools like Tcpreplay is that you lose the original
> timestamps.
>
> Sincerely,
>
> Richard
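The timestamp problem described in this thread, shown as an added example that is not code from the list, from Sguil, or from Tcpreplay: the original capture time lives only in each pcap record header (ts_sec plus a microsecond or nanosecond fraction), so a parser reading the file sees it, but a sensor sniffing a replay stamps every packet with its own clock. The pcap bytes, timestamps and payloads below are constructed for the example, and the replay model is a simplification that assumes the replay tool keeps the original inter-packet spacing while the absolute time becomes the replay clock.

```python
import struct
from datetime import datetime, timezone

# libpcap global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HEADER_FMT = "IHHiIII"
# per-record header: ts_sec, ts_frac (usec or nsec), incl_len, orig_len
RECORD_HEADER_FMT = "IIII"


def build_pcap(records):
    """Write a minimal little-endian, microsecond pcap from (ts_sec, ts_usec, payload) tuples.
    Constructed sample for this example only; payloads are arbitrary bytes, not real frames."""
    out = struct.pack("<" + GLOBAL_HEADER_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_usec, payload in records:
        out += struct.pack("<" + RECORD_HEADER_FMT, ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return out


def read_pcap(data):
    """Parse a libpcap byte string into [(timestamp_seconds, payload), ...].
    Handles both byte orders and both the microsecond and nanosecond magic numbers,
    and stops cleanly at a truncated trailing record (a capture cut off mid-write)."""
    if len(data) < 24:
        raise ValueError("too short to be a libpcap file")
    magic = struct.unpack("<I", data[:4])[0]
    formats = {
        0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
        0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
        0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
        0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
    }
    if magic not in formats:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    endian, frac_per_sec = formats[magic]
    packets = []
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + RECORD_HEADER_FMT, data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break  # truncated final record: keep what was fully written
        packets.append((ts_sec + ts_frac / frac_per_sec, data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def original_timestamps(data):
    """The capture-time timestamps, which only the file itself carries."""
    return [ts for ts, _ in read_pcap(data)]


def replayed_timestamps(data, replay_start):
    """Model of what a sniffing sensor records when the file is replayed onto the wire
    starting at replay_start (assumption: spacing between packets is preserved, absolute
    time is the replay clock). The capture-time values are not recoverable from these."""
    ts = original_timestamps(data)
    if not ts:
        return []
    return [replay_start + (t - ts[0]) for t in ts]


def utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")


if __name__ == "__main__":
    # Constructed timestamps around 2013-01-17 22:27:56 UTC; constructed replay clock.
    sample = build_pcap([
        (1358461676, 0, b"\x00" * 14),
        (1358461676, 500000, b"\x01" * 20),
        (1358461677, 0, b"\x02" * 30),
    ])
    for orig, rep in zip(original_timestamps(sample), replayed_timestamps(sample, 1700000000.0)):
        print("in file: %s   seen by sensor after replay: %s" % (utc(orig), utc(rep)))
```

The left column is what a tool that reads the file directly would show; the right column is what a live sensor sees during a replay, which is why a replayed file cannot reproduce the original event timeline for forensic review or classroom use.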