[The Time Machine] Any update plan?

I have been waiting for ticket #4 (http://tracker.bro-ids.org/time-machine/ticket/4)

Do you have any plan to fix it?


We would love for that ticket to be fixed. It's one of the main blockers for people to run time-machine. We don't have anyone working on time-machine at the moment unfortunately. I am trying to get a developer to start fixing bugs on the tracker but I'm not sure if it's going forward.

If you are able or know someone who is willing and able to do heavy lifting on time-machine, let me know. I'd be interested in talking more.


While persistence of indices is a very much desired feature (for me
too), it's not a show stopper for using the TM in production.

Previously TM re-starts overwrote the files due to reuse of the output
file-name. That is fixed by adding Unix time-stamp to the file names,
thus stopping accidental overwrites.

As for indexes being used for searches: I have used tcpslice to zero in on the
possible time periods of the desired connection and then used tcpdump to
extract data from those specific pcaps. tcpdump with GNU parallel works
fantastically for this task.

Hope this helps,
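The two-step search the post above describes (narrow the candidate capture files by time span, then pull the packets of interest out of only those files) as an added example; this is not code from the thread, from Time Machine or from tcpslice/tcpdump. It is a small stand-alone Python script that reads the classic microsecond-resolution pcap format directly, so it runs offline: the three sample capture files, their packet timestamps and the query windows are constructed here for illustration, and the file names are assumptions rather than TM's real naming scheme.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps (assumed format)


def write_pcap(path, packets):
    """Write (ts_sec, ts_usec, payload) tuples as a little-endian pcap file."""
    with open(path, "wb") as f:
        # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for sec, usec, data in packets:
            f.write(struct.pack("<IIII", sec, usec, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Return the packets of one pcap; stops cleanly at a truncated record."""
    packets = []
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24 or struct.unpack("<I", hdr[:4])[0] != PCAP_MAGIC:
            raise ValueError("unsupported or damaged pcap header: %s" % path)
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            sec, usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            data = f.read(incl_len)
            if len(data) < incl_len:
                break  # capture was cut off mid-packet; keep what we have
            packets.append((sec, usec, data))
    return packets


def time_span(path):
    """First and last packet time of a file (what tcpslice reports per file)."""
    packets = read_pcap(path)
    if not packets:
        return None
    first, last = packets[0], packets[-1]
    return (first[0] + first[1] / 1e6, last[0] + last[1] / 1e6)


def select_files(paths, start, end):
    """Step 1: keep only files whose time span overlaps [start, end]."""
    return [p for p in paths
            if (span := time_span(p)) and span[0] <= end and span[1] >= start]


def extract_window(paths, start, end, out_path):
    """Step 2: copy packets inside the window from the selected files only."""
    hits = [(sec, usec, data)
            for p in paths
            for sec, usec, data in read_pcap(p)
            if start <= sec + usec / 1e6 <= end]
    hits.sort(key=lambda r: (r[0], r[1]))
    write_pcap(out_path, hits)
    return len(hits)


def build_sample(directory):
    """Constructed sample: three captures, two packets each, non-overlapping."""
    sample = {
        "a.pcap": [(1000, 0, b"\x00" * 60), (1100, 500000, b"\x01" * 60)],
        "b.pcap": [(1200, 0, b"\x02" * 60), (1300, 0, b"\x03" * 60)],
        "c.pcap": [(1400, 0, b"\x04" * 60), (1500, 0, b"\x05" * 60)],
    }
    paths = []
    for name, packets in sample.items():
        path = os.path.join(directory, name)
        write_pcap(path, packets)
        paths.append(path)
    return sorted(paths)


def demo(start, end):
    """Run both steps on the sample; returns (chosen files, count, packet secs)."""
    with tempfile.TemporaryDirectory() as d:
        candidates = select_files(build_sample(d), start, end)
        out = os.path.join(d, "extracted.pcap")
        n = extract_window(candidates, start, end, out)
        return ([os.path.basename(p) for p in candidates], n,
                [sec for sec, _, _ in read_pcap(out)])


if __name__ == "__main__":
    print(demo(1150, 1350))
```

The per-file span check only needs the first and last record, so on a large TM spool it is far cheaper than filtering every file with a packet filter; the second step is then run on the handful of files that survive, which is the part that parallelises well.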