Justin
Oh, and backwards that is C_INTERN, which looks to be from part of `"qclass_name":"C_INTERNET"`,
I bet the file has a hole in it of null bytes, since Zeek said:

```
"seen_bytes": 30003,
"missing_bytes": 179998,
```

the seen+missing adds up to the 210001.
> So missing_bytes currently describes just the observed gaps, but not everything missing that would be needed to fill to total_bytes.

Ah, based on the filename 100MB.bin, total_bytes is the...
This sort of can fix things:

```zeek
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=-10
	{
	if ( |c$http_state$pending| < 10 )
		return;

	local now = network_time();
	...
```
Oh, wow, yeah.. `create_expire` with an `expire_func` would be a lot easier! Duh! The expire func could even check the size of the table and not bother expiring just yet......
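The approach discussed above (a table whose entries expire on a creation-based timer, with an `&expire_func` that can postpone expiry while the table is still small), written out as an added example. This is not code from the thread or from Zeek's own scripts; the table name `pending_requests`, the callback name `defer_while_small`, the 30-second timeout and the size threshold of 10 are all assumptions chosen for illustration.

```zeek
# Added example, not code from the thread or from Zeek itself.
#
# Expiry callback for the table below. Zeek calls it right before an
# entry's create-timer fires, passing the table and the entry's key.
# Returning a non-zero interval postpones expiry by that much;
# returning 0secs lets the entry be removed now.
function defer_while_small(t: table[string] of time, idx: string): interval
	{
	# Hypothetical threshold: while fewer than 10 entries are pending,
	# there is nothing to reclaim, so keep the entry for another 30s.
	if ( |t| < 10 )
		return 30sec;

	# Table has grown; let this entry expire.
	return 0secs;
	}

# Each entry is dropped 30 seconds after it was created, unless
# defer_while_small asks for more time. The timer is per entry, so
# no bookkeeping of creation times in an event handler is needed.
global pending_requests: table[string] of time
	&create_expire=30sec &expire_func=defer_while_small;

event zeek_init()
	{
	# Constructed sample key; in practice this would be a request
	# identifier such as a connection uid plus a sequence number.
	pending_requests["example-uid-1"] = network_time();
	}
```

With `&create_expire` the timer runs from insertion, so an entry that is never touched again is still reclaimed; `&read_expire` or `&write_expire` would instead reset the timer on each access, which is not what a "forgotten pending request" cleanup wants.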
Improved pcap: has the TCP handshake, which makes Zeek happier, and is slowed down so you can use it with `--pseudo-realtime=1` [http_many_one_connection_with_handshake_slow.zip](https://github.com/zeek/zeek/files/6903412/http_many_one_connection_with_handshake_slow.zip) Initial tests do show that this should be...
Oh, yes, I forgot about this. No rush. I wanted to look into that comment:

```diff
+ #If there is a status code, don't expire it.
+ #Can I just...
```
> No, I use myricom support provided by zeek itself, and I don't use the plugin anymore.

You should try using the native myricom plugin again. My experience a number...
Another idea is to replace

```
YYYY => (?P\\d\\d\\d\\d)
MM   => (?P\\d\\d)
DD   => (?P\\d\\d)
HH   => (?P\\d\\d)
MM   => (?P\\d\\d)
```

which would simplify some of the regexes to...
Yeah.. I think that should be doable. The databases index IP address to filename, and the `filename_to_time_regex` option lets it turn a filename back into a time. I think I...