gamelinux / prads

Passive Real-time Asset Detection System

Home Page: http://gamelinux.github.com/prads/

Incorrect timestamp

dougburks opened this issue · comments

Hello PRADS developers!

I'm running prads as follows:
prads -i eth1 -c prads.conf -u sguil -g sguil -L /nsm/sensor_data/dir/sancp/ -f /nsm/sensor_data/dir/pads.fifo

When I look at pads events in Sguil, they have the wrong timestamp.

For example, I have a pads event for a new web client with a timestamp of 2012-10-18 23:51:26. If I try to pivot from that event to full pcap, no matching tcp stream is found. If I search for HTTP events for the destination IP I find that the actual HTTP transaction occurred on 2012-10-19 23:01:41. I can pivot to pcap on this HTTP event and confirm that this matches the User Agent that the prads_client event was for. I can also search the sancp table for the destination IP and find the same timestamp of 2012-10-19 23:01:41 (so the sancp output plugin is sending the correct timestamp, but the pads output plugin is not).

Looking at the pads events, they appear to come in batches with the same exact timestamp. So perhaps prads is flushing a buffer only periodically and/or somehow grabbing the timestamp of the first pads event in a series of events?

Any ideas?

Thanks!
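The reporter's hypothesis (a buffered writer stamping a whole batch with one cached timestamp) modelled as an added example in C; this is not prads code, the event layout, function names and the constructed batch are assumptions, and the two epoch values correspond to the timestamps quoted above in UTC.

```c
#include <stdio.h>
#include <time.h>

#define BATCH_MAX 8

/* One detected asset; `seen` is the packet timestamp captured at detection (assumed layout). */
typedef struct { const char *ip; const char *app; time_t seen; } asset_event;
typedef struct { asset_event ev[BATCH_MAX]; int n; } event_buf;

/* Queue an event for the next flush, keeping its own packet time. */
static int buffer_event(event_buf *b, const char *ip, const char *app, time_t pkt_time) {
    if (b->n >= BATCH_MAX) return -1;
    b->ev[b->n++] = (asset_event){ ip, app, pkt_time };
    return 0;
}

/* Bug pattern: the writer caches one timestamp (here the first event's) and
 * stamps the whole batch with it, so every line comes out with the same time. */
static int flush_cached_stamp(const event_buf *b, time_t *out) {
    time_t stamp = b->n ? b->ev[0].seen : 0;
    for (int i = 0; i < b->n; i++) out[i] = stamp;
    return b->n;
}

/* Fixed pattern: each line carries the time captured when it was detected. */
static int flush_per_event_stamp(const event_buf *b, time_t *out) {
    for (int i = 0; i < b->n; i++) out[i] = b->ev[i].seen;
    return b->n;
}

/* Consistency check on written output: 1 if a batch of more than one line shares a single timestamp. */
static int batch_shares_one_stamp(const time_t *ts, int n) {
    for (int i = 1; i < n; i++) if (ts[i] != ts[0]) return 0;
    return n > 1;
}

/* Constructed batch: three detections spread over a day, flushed together. */
static int demo(int use_fix, time_t *out) {
    event_buf b = { .n = 0 };
    buffer_event(&b, "192.0.2.10", "web client", 1350604286);  /* 2012-10-18 23:51:26 UTC */
    buffer_event(&b, "192.0.2.11", "ssh server", 1350640000);
    buffer_event(&b, "192.0.2.12", "web client", 1350687701);  /* 2012-10-19 23:01:41 UTC */
    return use_fix ? flush_per_event_stamp(&b, out) : flush_cached_stamp(&b, out);
}

int main(void) {
    time_t ts[BATCH_MAX];
    for (int fix = 0; fix < 2; fix++) {
        int n = demo(fix, ts);
        printf("%s:", fix ? "per-event stamp" : "cached stamp");
        for (int i = 0; i < n; i++) printf(" %ld", (long)ts[i]);
        printf(" -> batch shares one timestamp: %d\n", batch_shares_one_stamp(ts, n));
    }
    return 0;
}
```

With the cached stamp every line reports 2012-10-18 23:51:26, so the third event's real 2012-10-19 23:01:41 transaction no longer lines up with the pcap; with per-event stamps the check reports 0.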

This is possible & would be real easy to debug if you had a pcap to reproduce the issue.

Please verify ;-)

Sending off to build farm now. Will test later today or tomorrow and let you know. Thanks so much!

Looking good so far! Thanks!