[Bro-Dev] #558: /topic/gilbert/ascii-header

Gregor Maier gregor at icir.org
Mon Aug 15 09:10:51 PDT 2011


>   - Good idea to record the field separator as well. But  for non-printable
>   characters (like the default tab) it looks a bit odd, and the enclosing
>   `'...'` are  somewhat  tricky to parse as well. How about ``# separator
>   \t``, with whitespace separating the two and the separator itself having
>   non-printable characters escaped.  Note though that (1)  I'm not sure
>   whether it should be ``\t`` or for consistency ``\x09``, and (2) whether
>   either of these can be easily converted back into the binary form in awk.

I don't like using whitespace here. If the remainder of the file uses 
tabs, that's a mix of two whitespace characters :-(. How about using a 
colon?
separator:\x09

With my darwin awk the following works:
    awk 'BEGIN { FS="\x09" }

>   Other ideas?
>   - What's the use case for including the path?

Maybe "path" is misleading. Could try with "log" or "file" instead.

>   - I'm wondering whether we should make it easy to tell what kind of meta-
>   line it is. How about this format:
>   {{{
>      #fields    ts        uid         id.orig_h    id.orig_p    ...
>      #types    time    string     addr           port           ...
>      #separator \t
>      #path    conn
>   }}}

ACK.




cu
Gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/


More information about the bro-dev mailing list