From c99f825e22b87da4cd9fc2cc38d62dd12cd3b82a Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Wed, 29 Apr 2020 13:18:49 +0200
Subject: [PATCH 1/4] Add test for network_time behavior.
---
testing/btest/core/network-time.zeek | 38 ++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 testing/btest/core/network-time.zeek
diff --git a/testing/btest/core/network-time.zeek b/testing/btest/core/network-time.zeek
new file mode 100644
index 0000000000..1774173d12
--- /dev/null
+++ b/testing/btest/core/network-time.zeek
@@ -0,0 +1,38 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+redef exit_only_after_terminate = T;
+
+event scheduled_delayed_event()
+ {
+ print fmt("scheduled_delayed_event: %T", network_time());
+ }
+
+event scheduled_event()
+ {
+ print fmt("scheduled_event: %T", network_time());
+ schedule 1sec { scheduled_delayed_event() };
+ }
+
+event zeek_init()
+ {
+ print fmt("zeek_init: %T", network_time());
+ schedule 0sec { scheduled_event() };
+ }
+
+event network_time_init()
+ {
+ print fmt("network_time_init: %T", network_time());
+ }
+
+global pkt_count: count = 0;
+
+event new_packet(c: connection, p: pkt_hdr) &priority=10
+ {
+ pkt_count += 1;
+ if ( pkt_count % 25 == 0 )
+ print fmt("Processing packet %s at %T", pkt_count, network_time());
+
+ if ( pkt_count == 100)
+ terminate();
+ }
From 97d1acf86f38f72a5ce8cc3126998935d56f033b Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Wed, 29 Apr 2020 13:19:57 +0200
Subject: [PATCH 2/4] Add network_time_init() event.
---
src/Net.cc | 4 ++++
src/event.bif | 10 +++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/Net.cc b/src/Net.cc
index 1334aacd44..31ff2fa994 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -223,7 +223,11 @@ void expire_timers(iosource::PktSrc* src_ps) void net_packet_dispatch(double t, const Packet* pkt, iosource::PktSrc* src_ps) { if ( ! bro_start_network_time ) + { bro_start_network_time = t; + if ( network_time_init ) + mgr.Enqueue(network_time_init, zeek::Args{}); + } // network_time never goes back. net_update_time(timer_mgr->Time() < t ? t : timer_mgr->Time()); diff --git a/src/event.bif b/src/event.bif index 8927aefa2c..57afa2be6b 100644 --- a/src/event.bif +++ b/src/event.bif @@ -35,7 +35,7 @@ ## one-time initialization code at startup. At the time a handler runs, Zeek will ## have executed any global initializations and statements. ## -## .. zeek:see:: zeek_done +## .. zeek:see:: zeek_done, network_time_init ## ## .. note:: ## @@ -61,6 +61,14 @@ event zeek_init%(%); ## is not generated. event zeek_done%(%); +## Generated when network time is initialized. The event engine generates this +## event after the network time has been determined but before processing of +## packets is started. +## +## .. zeek:see:: zeek_init, network_time +## +event network_time_init%(%); + ## Generated for every new connection. This event is raised with the first ## packet of a previously unknown connection. Zeek uses a flow-based definition ## of "connection" here that includes not only TCP sessions but also UDP and From bcf2357632645a0e2cccd2ded6a64ecf7ef226b0 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Wed, 29 Apr 2020 13:53:30 +0200 Subject: [PATCH 3/4] Improve network_time_init() test and add baseline. --- .../btest/Baseline/core.network-time/output | 8 ++++++++ testing/btest/core/network-time.zeek | 19 +++++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/core.network-time/output diff --git a/testing/btest/Baseline/core.network-time/output b/testing/btest/Baseline/core.network-time/output new file mode 100644 index 0000000000..32356cd5fb --- /dev/null 
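Review bot: In `net_packet_dispatch`, the new block is still keyed on `! bro_start_network_time`, so a packet whose timestamp `t` is 0 leaves the start time unset and the next packet enters the block again. Before this change that only repeated a harmless assignment, but now it would enqueue `network_time_init` once per such packet. If the event is meant to fire exactly once, guard the enqueue on a usable timestamp, e.g. `if ( network_time_init && t != 0.0 )`, or track it with a dedicated one-shot flag. Whether zero-timestamp packets can reach this path depends on the packet source, which is not visible here; the function body continues outside the hunk.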
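Review bot: The doc comment added for `network_time_init` in the second src/event.bif hunk does not say when the event is absent. In this patch the only place that raises it is the first-packet branch of `net_packet_dispatch` in src/Net.cc, so a run that never dispatches a packet would apparently never see it, and scripts that arm timers or detection state from this handler should know that. Consider adding a line such as `## This event is not generated if no packets are processed.` after the description, in the style of the "is not generated" remark already present above `zeek_done`.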
+++ b/testing/btest/Baseline/core.network-time/output @@ -0,0 +1,8 @@ +zeek_init: 1970-01-01-00:00:00.000000000 +scheduled_event: 1970-01-01-00:00:00.000000000 +network_time_init: 2011-03-18-19:06:07.096534967 +Processing packet 25 at 2011-03-18-19:06:08.858649015 +Processing packet 50 at 2011-03-18-19:06:08.915958881 +Processing packet 75 at 2011-03-18-19:06:08.976326942 +Processing packet 100 at 2011-03-18-19:06:09.073806047 +scheduled_delayed_event: 2011-03-18-19:06:09.073806047 diff --git a/testing/btest/core/network-time.zeek b/testing/btest/core/network-time.zeek index 1774173d12..079d170fd6 100644 --- a/testing/btest/core/network-time.zeek +++ b/testing/btest/core/network-time.zeek @@ -3,25 +3,40 @@ redef exit_only_after_terminate = T; +global sde_init: bool = F; + event scheduled_delayed_event() { - print fmt("scheduled_delayed_event: %T", network_time()); + if ( !sde_init ) + { + # When network_time is set we (usually) leap forward and the event + # fires with the first packet. Thus, we reschedule. + sde_init = T; + schedule 2sec { scheduled_delayed_event() }; + } + else + { + print fmt("scheduled_delayed_event: %T", network_time()); + } } event scheduled_event() { + # This event is immediately executed print fmt("scheduled_event: %T", network_time()); - schedule 1sec { scheduled_delayed_event() }; } event zeek_init() { + # Reading a PCAP network_time is not initialized yet print fmt("zeek_init: %T", network_time()); schedule 0sec { scheduled_event() }; + schedule 2sec { scheduled_delayed_event() }; } event network_time_init() { + # This event is executed when network_time is initialized print fmt("network_time_init: %T", network_time()); } From 0c47b6098bf4469be57d40cbd532f544727f3797 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Sat, 2 May 2020 18:29:19 +0200 Subject: [PATCH 4/4] Fix documentation for network_time_init. --- src/event.bif | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
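Review bot: The last baseline line does not appear to show that the rescheduled `scheduled_delayed_event` fired because its 2 s delay elapsed. `network_time_init` is logged at 19:06:07.096 and the handler re-arms itself for 2 s when it first fires, yet the baseline prints it at 19:06:09.0738, which is exactly the timestamp of packet 100 where `terminate()` is called and is earlier than the expected expiry; it looks as if the event is flushed at shutdown instead. A shorter delay in the re-arm, e.g. `schedule 1sec { scheduled_delayed_event() };`, with the baseline regenerated, would let it expire from network time before the terminate threshold and make the test cover timer behaviour after the time jump. The `new_packet` handler that calls `terminate()` lies outside this hunk.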
diff --git a/src/event.bif b/src/event.bif index 57afa2be6b..e894d2f5e3 100644 --- a/src/event.bif +++ b/src/event.bif @@ -35,7 +35,7 @@ ## one-time initialization code at startup. At the time a handler runs, Zeek will ## have executed any global initializations and statements. ## -## .. zeek:see:: zeek_done, network_time_init +## .. zeek:see:: zeek_done network_time_init ## ## .. note:: ## @@ -65,7 +65,7 @@ event zeek_done%(%); ## event after the network time has been determined but before processing of ## packets is started. ## -## .. zeek:see:: zeek_init, network_time +## .. zeek:see:: zeek_init network_time ## event network_time_init%(%);