I believe what you're seeing is a result of how those timestamps are defined.
In conn.log[1]: "This is the time of the first packet."
In http.log[2]: "Timestamp for when the request happened."
The conn record doesn't get written until the connection closes (or times out). It happens during the connection_state_remove[3] event. By handling it at connection close, you get duration, byte/packet counts, etc.
Also, the times for when the first packet was seen, and when the actual HTTP request was seen can be slightly off.
There is a 'uid' field in conn.log that is a unique flow identifier. Can
we use uid to identify the same flow in conn.log and http.log/ssl.log?
Timestamp is not suitable for flow identification.
The important info we want to know is that there are more than
50,000,000 flows in the trace files, so we are not sure whether the uid field
is really UNIQUE.
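The two things asked about in this thread, joining http.log to conn.log on uid and checking whether uid is actually unique across a large conn.log, can both be done from the ASCII logs directly. The following is an added example written for this page; it is not code from the thread or from the Zeek/Bro project. The log snippets are constructed (timestamps and uids are made up, in Zeek's format), and the column layout is taken from each file's own `#fields` header rather than hard-coded. The join treats conn.log as the "one" side and http.log as the "many" side, since a keep-alive connection yields several http records with the same uid, and it reports the offset between the conn ts (first packet) and the http ts (request), which is the gap the first reply above describes.

```python
"""Join Zeek conn.log and http.log on uid, and check uid uniqueness.

Added example for this thread; not Zeek project code. Sample logs below
are constructed. Works on any Zeek ASCII log because field names and
the unset marker are read from the # header lines.
"""
from collections import Counter

# Constructed conn.log excerpt. The third uid appears twice on purpose so
# the uniqueness check has something to find.
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount
1300475167.096535\tCXWv6p3arKYeMETxOg\t192.168.1.10\t49152\t10.0.0.1\t80\ttcp\t0.520\t812\t4096
1300475168.200000\tCjhGID4nQcgTWjvg4c\t192.168.1.11\t49153\t10.0.0.2\t443\ttcp\t-\t-\t-
1300475169.000000\tCUM0KZ3MLUfNB0cl11\t192.168.1.12\t49154\t10.0.0.3\t80\ttcp\t0.050\t100\t200
1300475170.000000\tCUM0KZ3MLUfNB0cl11\t192.168.1.13\t49155\t10.0.0.3\t80\ttcp\t0.070\t120\t300
#close\t2011-03-18-19-06-13
"""

# Constructed http.log excerpt: two requests on the first connection
# (keep-alive), one on the duplicated uid, and one orphan uid with no
# conn record (e.g. the connection has not closed yet).
HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring\tstring
1300475167.110000\tCXWv6p3arKYeMETxOg\t192.168.1.10\t49152\t10.0.0.1\t80\t1\tGET\texample.com\t/
1300475167.500000\tCXWv6p3arKYeMETxOg\t192.168.1.10\t49152\t10.0.0.1\t80\t2\tGET\texample.com\t/a.png
1300475169.020000\tCUM0KZ3MLUfNB0cl11\t192.168.1.12\t49154\t10.0.0.3\t80\t1\tGET\texample.org\t/
1300475171.000000\tCmES5u32sYpV7JYN2d\t192.168.1.14\t49156\t10.0.0.4\t80\t1\tPOST\texample.net\t/login
#close\t2011-03-18-19-06-13
"""


def iter_zeek_log(lines):
    """Yield one dict per data row of a Zeek ASCII log, keyed by #fields.

    Streams, so it can be pointed at a file object with 50M+ rows.
    """
    sep, unset, fields = "\t", "-", None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Header writes the separator as an escape sequence, e.g. \x09
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            elif line.startswith("#unset_field" + sep):
                unset = line.split(sep, 1)[1]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def parse_zeek_log(text):
    return list(iter_zeek_log(text.splitlines()))


def uid_duplicates(conn_records):
    """Return {uid: count} for every uid seen more than once in conn.log."""
    counts = Counter(r["uid"] for r in conn_records)
    return {uid: n for uid, n in counts.items() if n > 1}


def join_on_uid(conn_records, app_records):
    """One-to-many join of app-log rows (http/ssl) onto conn.log rows by uid.

    Returns [(uid, conn_ts, app_ts, app_ts - conn_ts), ...]. A uid that is
    duplicated on the conn side cannot be paired unambiguously and is left
    out; report it via uid_duplicates(). App rows whose uid has no conn row
    yet (connection still open) are also left out.
    """
    dups = uid_duplicates(conn_records)
    conn_by_uid = {r["uid"]: r for r in conn_records if r["uid"] not in dups}
    joined = []
    for a in app_records:
        c = conn_by_uid.get(a["uid"])
        if c is None:
            continue
        conn_ts, app_ts = float(c["ts"]), float(a["ts"])
        joined.append((a["uid"], conn_ts, app_ts, app_ts - conn_ts))
    return joined


if __name__ == "__main__":
    conn, http = parse_zeek_log(CONN_LOG), parse_zeek_log(HTTP_LOG)
    print("duplicated uids in conn.log:", uid_duplicates(conn))
    for uid, cts, hts, delta in join_on_uid(conn, http):
        print(f"{uid}  conn.ts={cts:.6f}  http.ts={hts:.6f}  request offset={delta:+.6f}s")
```

For a trace with tens of millions of flows, `uid_duplicates` only needs the uid column, so the equivalent shell check is `zeek-cut uid < conn.log | sort | uniq -d` (empty output means every uid is unique). The request offset printed by the join should be non-negative for a TCP connection, since the conn ts is the SYN and the request can only follow the handshake; a negative or very large offset on a real trace is worth investigating, as it usually points to packet loss, reordering, or a conn record that was split by a timeout.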