Is this field meant to capture when the determination was made that a given
service is running somewhere? For a slice-trace I'm analyzing, I see it's
on the ACK by the client of the first line sent back by the server. Not
quite what I would expect, but also not necessarily any sort of issue.
Vern
The semantics of that field are a little fuzzy. If a protocol was detected, the field contains the time that the analyzer generated the ProtocolConfirmation. If no protocol was detected, a scheduled event is set for several minutes (I think 5 by default) so that Bro can wait and see if a better connection where a protocol is detected comes along before it goes to log the service. Hm, I guess the semantics are pretty clear, the ts field always contains the time when the log record was written. Determining why that happened when it did is a bit fuzzy.
.Seth