Software Assurance Secure Systems Organizational Security Coordinating Response Training
Child pages
  • Changing Timestamps within a Flow File
Skip to end of metadata
Go to start of metadata

On occasion you may find that you need to adjust all the timestamps for a SiLK flow file. In this case, the flow file came from a .pcap file that was collected in a different time zone and had to be shifted a number of hours. Another possibility is if you need to adjust files after you determine the clock time was off.

It's relatively simple to change the timestamps using pysilk. The sample code for changing data to another time zone is shown below; a minor change would shift the data by seconds instead of hours.

#! /usr/bin/python2.4

from silk import *
import sys                              # for command line args
from datetime import timedelta          # for date math

def main():
    if len(sys.argv) != 4:
        print ("Usage:  %s infile offset-hours outfile" % sys.argv[0])

    #  open the SiLK file for reading
    infile = SilkFile (sys.argv[1], READ)

    #  create the time offset object
    offset = timedelta (hours=int(sys.argv[2]))

    # open the modified output file
    outfile = SilkFile (sys.argv[3], WRITE)

    #  loop over the records in the file, shift time and write the update:
    for rec in infile:
        rec.stime = rec.stime + offset
        outfile.write (rec)

    # clean up

if __name__ == '__main__':
  • No labels