conn.bro

- ts: I'd prefer to keep this the timestamp of the first packet,
  that's more well defined.

- Did we decide whether we want to add the raw byte volume via
  Gregor's patch? I'd say so. I'll see that that gets merged in.

- I'd say let's include history by default, but not addl.

- "logging" isn't used.

- Rename "connection$log" to "connection$conn" for consistency?

Robin

> - ts: I'd prefer to keep this the timestamp of the first packet,
> that's more well defined.

Isn't that what c$start_time is?

> - Did we decide whether we want to add the raw byte volume via
> Gregor's patch? I'd say so. I'll see that that gets merged in.

This isn't merged yet then? If not, I'll add it once it's merged.

> - I'd say let's include history by default, but not addl.

Done.

> - "logging" isn't used.

Removed. I think I want to handle that more generically since the splitting and filtering is the same for all log files now.

> - Rename "connection$log" to "connection$conn" for consistency?

Agreed and done.

This script was much faster to update than the dns script. :)

  .Seth

> - ts: I'd prefer to keep this the timestamp of the first packet,
> that's more well defined.

> Isn't that what c$start_time is?

Sorry, I wasn't clear: I prefer to have c$start_time *logged*.

> This isn't merged yet then? If not, I'll add it once it's merged.

Correct, working on it.

Thanks!

Robin

It is. Do you want the field named "start_time"? I was just trying to keep consistency among those first several fields for all of the logs with the assumption that in each case the $ts field is the earliest evident activity for whatever the logged data is (initial request for http, first packet for conn, etc).

  .Seth
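To make the convention Seth describes concrete (ts = earliest evident activity, which for conn is the first packet, i.e. c$start_time, rather than the moment the handshake completed), here is an added example script. It is not the conn.bro under review and not project code; it is written for current Zeek syntax, uses a hypothetical ConnExample module and log path, and only assumes the standard connection record, the connection_established and connection_state_remove events, and the logging framework.

```zeek
# Added example (not the conn.bro under review): a minimal log stream whose
# ts field is taken from c$start_time, the timestamp of the connection's
# first packet, so the logged ts follows the convention discussed above.
# Module name and log path are hypothetical.
module ConnExample;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Timestamp of the first packet seen for this connection
        ## (c$start_time), not the time the connection was fully established.
        ts:          time     &log;
        uid:         string   &log;
        id:          conn_id  &log;
        ## Seconds from the first packet to full establishment, when
        ## establishment was observed at all.
        setup_delay: interval &log &optional;
    };
}

# Per-connection bookkeeping for when the handshake completed,
# keyed by the connection uid.
global established_at: table[string] of time;

event connection_established(c: connection)
    {
    # Record establishment separately; it is later than c$start_time.
    established_at[c$uid] = network_time();
    }

event connection_state_remove(c: connection)
    {
    # ts is always the first-packet time, even for connections that
    # never reached the established state.
    local rec = Info($ts=c$start_time, $uid=c$uid, $id=c$id);

    if ( c$uid in established_at )
        {
        rec$setup_delay = established_at[c$uid] - c$start_time;
        delete established_at[c$uid];
        }

    Log::write(LOG, rec);
    }

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="conn_example"]);
    }
```

Keeping the setup delay as a separate optional column is what lets ts stay well defined for every connection, including half-open or rejected ones that never produce a connection_established event.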

Ok, I see that now, but then the comment is wrong, isn't it?

          ## This is the time at which the connection was "fully established";
          ts: time &log;

Robin

Oops. Fixed.

  .Seth