[Bro] pybroker with 'optional' fields

Jeff Barber jbarber at computer.org
Mon May 18 11:50:00 PDT 2015

Yeah. Using valid() works but it makes the code clumsy and unpythonic.
Below is my code. Uncomment the second "sub_recs = ..." line in ppkt() (in
place of the first one) to see the issue.

With this .bro loaded:

const broker_port: port = 9999/tcp &redef;
redef BrokerComm::endpoint_name = "events";

export {
        global jb_packet: event(p: pkt_hdr);
}

event bro_init()
        {
        BrokerComm::listen(broker_port, "");
        BrokerComm::auto_event("bro/event/jb_packet", jb_packet);
        }

event new_packet(c: connection, p: pkt_hdr) { event jb_packet(p); }

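I have this script:

#!/usr/bin/env python
from select import select
import pybroker

def get_fields(fields, n_fields):
    new_fields = []
    for n in range(n_fields):
        f = fields[n]
        if f.valid():
            # Branch body is missing from the archived message; restored
            # here as the guarded get().
            new_fields.append(f.get())
    return new_fields

def ppkt(p):
    rec = p.as_record()
    sub_recs = get_fields(rec.fields(), rec.size())
    #===>>> sub_recs = [f.get() for f in fields]
    print sub_recs

def pmsg(msg_type, obj):
    msg_type = msg_type.as_string()
    pobj = {
        "jb_packet": ppkt,
    }
    # print "%s: " % msg_type,
    # The rest of this function is missing from the archived message;
    # the dispatch below is a reconstruction.
    if msg_type in pobj:
        pobj[msg_type](obj)

def main():
    epc = pybroker.endpoint("connector")
    epc.peer("", 9999, 1)
    ocsq = epc.outgoing_connection_status()
    select([ocsq.fd()], [], [])
    conns = ocsq.want_pop()
    for m in conns:
        print("outgoing connection", m.peer_name, m.status)

    mql = pybroker.message_queue("bro/event", epc)

    while True:
        select([mql.fd()], [], [])
        msgs = mql.want_pop()
        for m in msgs:
            # Loop body is missing from the archived message; this assumes
            # m[0] is the event name and m[1] its argument.
            pmsg(m[0], m[1])

if __name__ == "__main__":
    main()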

On Mon, May 18, 2015 at 1:56 PM, Siwek, Jon <jsiwek at illinois.edu> wrote:

> > On May 18, 2015, at 9:27 AM, Jeff Barber <jbarber at computer.org> wrote:
> >
> > I've been playing with sending event data to a peer using the broker
> > interface. I'm able to send records over just fine and my python script can
> > receive and interpret them using the swig-generated wrapper as long as all
> > the fields are present.
> >
> > If I try to send one with optional fields such as pkt_hdr where not all
> > of the fields are present (as is always the case with pkt_hdr), I get
> > various segmentation violations either directly in the swig-generated code or
> > assertion failures in the 'optional' class.
> >
> > Seems like there should be a more intelligent iterator for the record
> > fields in the swig source. I was thinking it would make sense to return a
> > None value in the slot where a non-present optional value goes and then you
> > could just test for that, but I don't know enough about swig to create the
> > iterator. I've tried several combinations of %extend, %pythoncode and so
> > forth, but can't figure out the right magic words.
> >
> > Anybody know the right way to do this?
>
> There’s a brief example of sending/receiving a record with an empty field
> in tests/test_messages.py.  You can call the valid() method on a field to
> test if there’s data there that you’re allowed to access.  If that doesn’t
> help clarify the issue, can you post some example code?
> - Jon
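
An added example, not part of the original messages or of pybroker: a read-only sequence view that returns None for absent optional fields, which is the behaviour the quoted message asks for, built only on the valid(), get(), fields() and size() calls used in the script above. StubField, StubRecord and OptionalFields are hypothetical names; the two stubs are constructed stand-ins so the block runs without Bro or pybroker.

```python
class StubField(object):
    """Constructed stand-in for a pybroker record field (not the real class)."""
    def __init__(self, value=None, present=True):
        self._value, self._present = value, present
    def valid(self):
        return self._present
    def get(self):
        # The thread reports crashes at this point in the real binding;
        # the stub raises instead so an unguarded access is visible.
        if not self._present:
            raise RuntimeError("get() on absent optional field")
        return self._value

class StubRecord(object):
    """Constructed stand-in exposing fields() and size() as used above."""
    def __init__(self, fields):
        self._fields = list(fields)
    def fields(self):
        return self._fields
    def size(self):
        return len(self._fields)

class OptionalFields(object):
    """Sequence view of a record: absent optional fields read as None."""
    def __init__(self, rec):
        self._fields = rec.fields()
        self._size = rec.size()
    def __len__(self):
        return self._size
    def __getitem__(self, i):
        if isinstance(i, slice):
            return [self[j] for j in range(*i.indices(self._size))]
        if i < 0:
            i += self._size
        if not 0 <= i < self._size:
            # Reject bad indexes here so they never reach the wrapped object.
            raise IndexError(i)
        f = self._fields[i]
        # valid() is always checked before get(), so get() is never
        # called on an empty slot.
        return f.get() if f.valid() else None

def demo():
    # Constructed sample shaped like a pkt_hdr with only some sub-records set.
    rec = StubRecord([StubField("ip4-hdr"), StubField(present=False),
                      StubField("tcp-hdr"), StubField(present=False)])
    return list(OptionalFields(rec))
```

With the real binding, ppkt() could pass OptionalFields(p.as_record()) wherever it currently builds sub_recs; field positions are preserved, so a slot can be tested with "is None".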