Connection lasts huge time


In my Bro logs, I have some connections that last 6 hours and more.

Those conns use different services:

Hello Simone,

Are you sure that these connections did not just last several hours?

If you are sure - the only possible way that I can think of for these
values getting messed up is libpcap (and thus probably the kernel)
delivering wrong timestamps for packets. Bro just determines the duration
by subtracting the timestamp of the first packet that it saw from the
timestamp of the last packet that it saw. Additionally, Bro will expire
connections where it has not seen any packets, generally after a few

I have seen wrong timestamps being delivered for a couple of packets
before, but in those cases they were off by years, not just by hours, so I
consider that unlikely.
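
One way to triage the connections discussed in this thread, as an added example that is not part of the original messages or of Bro itself: it reads a tab-separated conn.log, keeps records whose `duration` is 6 hours or more, groups them by `service`, and separates plausible long-lived connections from durations so large that a bad packet timestamp is the likelier cause. The sample log is constructed and trimmed to a subset of conn.log columns, and the one-year cut-off is an assumption.

```python
from collections import defaultdict

SIX_HOURS = 6 * 3600.0
ONE_YEAR = 365 * 86400.0  # assumed cut-off for "off by years" timestamp glitches

# Constructed sample in Bro's tab-separated conn.log layout (not real traffic).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes",
    "1400000000.0\tCssh1\t10.0.0.5\t10.0.0.9\t22\ttcp\tssh\t23011.5\t120000\t480000",
    "1400000100.0\tCssl1\t10.0.0.6\t192.0.2.10\t443\ttcp\tssl\t35.2\t900\t15000",
    "1400000200.0\tCdns1\t10.0.0.7\t192.0.2.53\t53\tudp\tdns\t-\t-\t-",
    "1400000300.0\tChttp1\t10.0.0.8\t192.0.2.80\t80\ttcp\thttp\t63072000.0\t500\t2000",
])

def parse_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def to_int(value):
    """Bro writes '-' for unset fields; count those as zero bytes."""
    return 0 if value in ("-", "") else int(value)

def long_connections(text, min_duration=SIX_HOURS):
    """Group connections lasting >= min_duration by service, with a verdict."""
    by_service = defaultdict(list)
    for rec in parse_conn_log(text):
        if rec.get("duration", "-") == "-":  # unset: no duration recorded
            continue
        duration = float(rec["duration"])    # last packet ts minus first packet ts
        if duration < min_duration:
            continue
        verdict = "suspect-timestamp" if duration >= ONE_YEAR else "long-lived"
        total = to_int(rec.get("orig_bytes", "-")) + to_int(rec.get("resp_bytes", "-"))
        by_service[rec.get("service", "-")].append(
            (rec["uid"], duration, total, verdict))
    return dict(by_service)

if __name__ == "__main__":
    for service, conns in sorted(long_connections(SAMPLE_CONN_LOG).items()):
        for uid, duration, total, verdict in conns:
            print(f"{service}\t{uid}\t{duration / 3600:.1f}h\t{total}B\t{verdict}")
```

The byte total is printed next to each duration so a connection that stayed open for hours can be compared against how much data it actually carried.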