Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
277
Views
0
Helpful
2
Replies

Parsing XML for milliseconds

iterrell
Level 1
Level 1

‎10-14-2003 01:14 PM - edited ‎03-09-2019 05:09 AM

I've noticed that most perl scripts that parse the XML-formatted IDS alarm data handle time in the following way.

1. Find something that looks like this:

<time offset="0" timeZone="GMT">1065704702260811000</time>

2. Extract the first 9 digits.

3. Feed it to perl's localtime() or gmtime() functions.

My guess is that the rest of that big number represents smaller time units. So how does one recover milliseconds or microseconds? Just use the next three or six digits?

Please let me know if I'm on the right track... Thanks!

Labels:
0 Helpful
2 Replies 2

brhamon
Level 1
Level 1

‎10-14-2003 02:49 PM

You're on the right track.

The time format in IDS events is the number of nanoseconds since the start of the Unix epoch (01-Jan-1970).

Suppose t is a 64-bit integer containing the time value. The traditional Unix time functions take an integer of type "time_t" that is the number of seconds since the start of the Unix epoch. You can get this value as follows:

time_t tm = (time_t) ( t / 1000000000 );

To get milliseconds, do this:

int ms = (int) ( t / 1000000 % 1000 );

So for the example you provided, 1065704702260811000, tm is 1065704702 and ms is 260.

0 Helpful

marcabal
Cisco Employee
Cisco Employee

‎10-14-2003 02:55 PM

You are on the right track.

The number you see is technically in nanoseconds.

As a side note for those who are curious: notice that the last 3 digits are almost always 0. You will see that although the field is in nanoseconds the sensor can not distinguish down to that small of time differences.

The number you see is the nanoseconds since January 1st 1970 (don't ask me why). It is a pretty common unix format to represent time as the seconds since January 1st 1970, and we just stretched it out to nanoseconds.

Most time conversion utilities like perl's functions understand this and are built to accept the seconds since 1970, but aren't built to accept all the way down to nanoseconds. This why most scripts are simply stripping off the extra numbers.

To find out more about this time format you can search the web for "unix time".

0 Helpful
Customers Also Viewed These Support Documents