How to parse bro decimal timestamps?

How do I turn the timestamp (ts) field in this example into a standard date format (Java or Unix dates, for example)?

#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2016-04-04-09-00-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1459774793.429104 CZgDTe31Z6ynNuzgN7 fe80::c874:93f:5b4e:c1e1 64648 ff02::1:3 5355 udp dns 0.412428 44 0 S0 F F 0 D 2 140 0 0 (empty)
1459774793.429113 Ci77TT3Kp4dNmhAYc1 64648 5355 udp dns 0.412434 44 0 S0 F F 0 D 2 100 0 0 (empty)

Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox

Depends on what you’re reading the logs with.

You could use bro-cut with the ‘-d’ flag, to do the conversion for you.

If you just need to do one-off date conversion:

Using GNU date (takes date as is):

$ date --date='@1459774793.429104'
Mon Apr 4 12:59:53 UTC 2016

OSX (wants the date as an integer)

$ foobar=`echo 1459774793.429104 | cut -d. -f1`
$ date -r $foobar
Mon Apr 4 07:59:53 CDT 2016

If you’re snarfing the timestamps into your own code, then it depends on what language/libraries you’re using.

Need to parse dates in java; using this in a spark streaming analytics pipeline.


Java code would be nice, but an ordinary description of how a decimal date relates to standard dates would do. I'm familiar with Java/Unix conventions where a long integer specifies seconds since the Unix epoch (Jan 1970). But I've tried converting the bro decimal to long and converting that to a date. That gives a date sometime in 1970 which clearly isn't right. And what do the fractional values mean? Milliseconds perhaps?


The value is the number of seconds since the epoch, including a fractional portion. Your problem with Java dealing with it is likely that Java wants the number of *milliseconds* since the epoch, so you should multiply what Bro gives you by 1000 (and drop the fractional part) before converting it with whatever Java code you’re working with.
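
As an added example (not code from the thread), a small Java class that converts the ts value from the conn.log line in the question both the way described here (seconds * 1000, fraction dropped, giving a millisecond Instant) and with Bro's microseconds preserved by going through BigDecimal instead of double; the class and method names are my own.

```java
import java.math.BigDecimal;
import java.math.BigInteger;
import java.math.RoundingMode;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

/** Converts Bro "time" fields (decimal seconds since the Unix epoch) to java.time.Instant. */
public final class BroTimestamp {

    // Constructed sample: the ts field from the first conn.log line quoted above.
    static final String SAMPLE_TS = "1459774793.429104";

    /** The approach from the reply: seconds * 1000, fractional milliseconds dropped. */
    public static Instant fromEpochMillis(String ts) {
        long millis = (long) (Double.parseDouble(ts) * 1000.0);
        return Instant.ofEpochMilli(millis);
    }

    /** Precision-preserving variant: keeps the microseconds Bro writes into the log. */
    public static Instant fromEpochSecondsExact(String ts) {
        // BigDecimal avoids the rounding a double would introduce; any digits beyond
        // nanoseconds (Bro writes six decimals, so none in practice) are truncated.
        BigInteger nanosSinceEpoch = new BigDecimal(ts)
                .setScale(9, RoundingMode.DOWN)
                .movePointRight(9)
                .toBigIntegerExact();
        BigInteger[] parts = nanosSinceEpoch.divideAndRemainder(BigInteger.valueOf(1_000_000_000L));
        // ofEpochSecond normalises a negative nano adjustment, so pre-1970 values also work.
        return Instant.ofEpochSecond(parts[0].longValueExact(), parts[1].longValueExact());
    }

    public static void main(String[] args) {
        DateTimeFormatter fmt = DateTimeFormatter.ISO_INSTANT;
        System.out.println(fmt.format(fromEpochMillis(SAMPLE_TS)));        // 2016-04-04T12:59:53.429Z
        System.out.println(fmt.format(fromEpochSecondsExact(SAMPLE_TS)));  // 2016-04-04T12:59:53.429104Z
        // Same instant rendered in an explicit zone, matching the GNU date output above.
        System.out.println(fromEpochSecondsExact(SAMPLE_TS).atZone(ZoneOffset.UTC));
    }
}
```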
Perfect. Thanks so much!
