conn.log timestamps order of appearance

Good Day

I have noticed while viewing the conn.log file, that some of the timestamp fields in the entries are not in chronological order. For example, viewing a section of this file I see:

2022-02-08T21:14:03+0200
2022-02-08T21:14:04+0200
2022-02-08T21:13:14+0200
2022-02-08T21:12:49+0200
2022-02-08T21:14:05+0200

Is this normal?

Yes, I think so – I see similar behavior:

$ zcat conn_20220228_14:00:00-15:00:00+0000.log.gz | head | jq -c '[."_write_ts", ."ts"]'
["2022-02-28T14:00:00.918036Z","2022-02-28T13:59:50.851735Z"]
["2022-02-28T14:00:00.918036Z","2022-02-28T13:59:50.882787Z"]
["2022-02-28T14:00:01.136879Z","2022-02-28T13:59:50.227671Z"]
["2022-02-28T14:00:05.285740Z","2022-02-28T13:59:55.285679Z"]
["2022-02-28T14:00:05.385740Z","2022-02-28T13:59:55.299620Z"]
["2022-02-28T14:00:05.410113Z","2022-02-28T14:00:00.262610Z"]
["2022-02-28T14:00:05.912741Z","2022-02-28T13:59:55.912644Z"]
["2022-02-28T14:00:06.692171Z","2022-02-28T13:59:50.861636Z"]
["2022-02-28T14:00:07.129325Z","2022-02-28T13:59:57.096288Z"]
["2022-02-28T14:00:07.467482Z","2022-02-28T14:00:01.992636Z"]

Sincerely,

Richard

Hi Tewodros,

yes, this is indeed normal. The timestamp that is, e.g., given in conn.log is the timestamp at which the connection was created (timestamp of first packet). However, the log line is written after the connection terminates. Thus, it is expected, and completely normal, that the timestamps will not be ordered chronologically.

I hope this helps,
  Johanna

I have noticed while viewing the conn.log file, that some of the timestamp
fields in the entries are not in chronological order.

This is routine. It happens because generating the log entry occurs upon completion of the connection (or in some cases a timeout), but the timestamp at the beginning is when the connection started, not when it was logged. Because connections have varying lengths, this leads to out-of-order start timestamps.

— Vern

Can we change that to create a log using connection completion time?

Has anyone tried that before? Curious to know if that can be doable.

Can we change that to create a log using connection completion time?

Even if you did that (which doesn’t seem as useful as knowing the start time), logs would still likely be out-of-order, since some of the entries are driven off of network activity (i.e., right at the end of the connection) and others off of timeouts (in which case the actual end was in the past).

If you need the logs to be in order, the usual approach is simply to sort them on timestamp.

— Vern
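
The two points made in the replies above (start timestamps are out of order in file order, and ordering by completion time would not fix that), shown as an added example that is not part of the original thread. The sample records, their uid values and the helper names are constructed for illustration; the field names ts, uid, duration and conn_state are those of Zeek's JSON conn.log.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in Zeek JSON conn.log form, listed in the order written.
# C4 has no duration (unset fields are omitted in JSON logs) and stands in
# for an entry that was only flushed by a timeout.
SAMPLE = """\
{"ts":"2022-02-28T13:59:50.851735Z","uid":"C1","duration":10.05,"conn_state":"SF"}
{"ts":"2022-02-28T13:59:55.285679Z","uid":"C2","duration":9.99,"conn_state":"SF"}
{"ts":"2022-02-28T13:59:53.262610Z","uid":"C3","duration":12.10,"conn_state":"SF"}
{"ts":"2022-02-28T13:59:50.861636Z","uid":"C4","conn_state":"S0"}
"""

def parse_ts(value):
    """Accept ISO 8601 strings or epoch seconds (Zeek's default ts format)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load(text):
    """Parse JSON lines and attach start and computed end times."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["start"] = parse_ts(rec["ts"])
        rec["end"] = rec["start"] + timedelta(seconds=rec.get("duration", 0.0))
        records.append(rec)
    return records

def out_of_order(records, key):
    """Return uids whose `key` time is earlier than one already seen."""
    late, high = [], None
    for rec in records:
        if high is not None and rec[key] < high:
            late.append(rec["uid"])
        else:
            high = rec[key]
    return late

def sort_by_start(records):
    """The usual fix: order the records on their start timestamp."""
    return sorted(records, key=lambda r: r["start"])

if __name__ == "__main__":
    recs = load(SAMPLE)
    print("late by start:", out_of_order(recs, "start"))
    print("late by end:  ", out_of_order(recs, "end"))
    print("sorted:       ", [r["uid"] for r in sort_by_start(recs)])
```
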