[Bro-Dev] #558: /topic/gilbert/ascii-header
Bro Tracker
bro at tracker.bro-ids.org
Sun Aug 14 20:31:56 PDT 2011
#558: /topic/gilbert/ascii-header
----------------------------+----------------------
  Reporter:  gclark         |       Owner:  robin
      Type:  Merge Request  |      Status:  assigned
  Priority:  Normal         |   Milestone:  Bro1.6
 Component:  Bro            |     Version:
Resolution:                 |    Keywords:  logging
----------------------------+----------------------
Changes (by robin):
* owner: => robin
* status: new => assigned
Comment:
Thanks! Questions/comments:
- I'd prefer the line with the types to have just those, i.e., `time`
instead of `ts=time`. That makes it easier to parse in like awk, and the
relationship to the field name is already there via the column.
- Good idea to record the field separator as well. But for non-printable
characters (like the default tab) it looks a bit odd, and the enclosing
`'...'` are somewhat tricky to parse as well. How about ``# separator
\t``, with whitespace separating the two and the separator itself having
non-printable characters escaped. Note though that (1) I'm not sure
whether it should be ``\t`` or for consistency ``\x09``, and (2) whether
either of these can be easily converted back into the binary form in awk.
Other ideas?
- What's the use case for including the path?
- I'm wondering whether we should make it easy to tell what kind of meta-
line it is. How about this format:
{{{
#fields ts uid id.orig_h id.orig_p ...
#types time string addr port ...
#separator \t
#path conn
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/558#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
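
A parser for the header layout proposed in the comment above, as an added example (not code from the ticket or from Bro). It accepts either escaping of the separator, `\t` or `\x09`; the function names, the sample log values, and the assumption that meta-lines other than `#separator` put the declared separator after the keyword are made here for illustration.

```python
import re

# Constructed sample in the layout proposed above (same line order as the ticket).
SAMPLE = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\n"
    "#types\ttime\tstring\taddr\tport\n"
    "#separator \\x09\n"
    "#path\tconn\n"
    "1313379116.5\tAbC123\t10.0.0.1\t49152\n"
)

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr\\])")
_SHORT = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

def unescape(text):
    """Decode either candidate escaping (\\t or \\x09) back to raw characters."""
    return _ESC.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else _SHORT[m.group(2)],
        text,
    )

def parse_log(text):
    """Return (meta, rows); each row maps field name -> (type, raw value)."""
    lines = [ln for ln in text.splitlines() if ln]
    sep = "\t"  # assumed default when no #separator line is present
    # First pass: the separator may be declared after #fields, so find it first.
    for ln in lines:
        if ln.startswith("#separator"):
            # Whitespace divides the keyword from the escaped separator.
            parts = ln.split(None, 1)
            if len(parts) != 2:
                raise ValueError("empty #separator line")
            sep = unescape(parts[1])
    meta, rows = {"separator": sep}, []
    for ln in lines:
        if ln.startswith("#separator"):
            continue
        if ln.startswith("#"):
            # Assumption: other meta-lines use the separator after the keyword.
            key, *values = ln[1:].split(sep)
            meta[key] = values
            continue
        fields, types = meta.get("fields"), meta.get("types")
        if not fields or not types or len(fields) != len(types):
            raise ValueError("missing or mismatched #fields/#types")
        cols = ln.split(sep)
        if len(cols) != len(fields):
            raise ValueError("column count differs from #fields: %r" % ln)
        rows.append({f: (t, v) for f, t, v in zip(fields, types, cols)})
    return meta, rows
```

Because the types line carries bare type names, each column's type is recovered by position alone, and a row whose column count disagrees with `#fields` is rejected instead of being silently misaligned.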