[Bro-Dev] #558: /topic/gilbert/ascii-header
Bro Tracker
bro at tracker.bro-ids.org
Mon Aug 15 09:10:56 PDT 2011
#558: /topic/gilbert/ascii-header
----------------------------+----------------------
 Reporter:  gclark          |      Owner:  robin
     Type:  Merge Request   |     Status:  assigned
 Priority:  Normal          |  Milestone:  Bro1.6
Component:  Bro             |    Version:
Resolution:                 |   Keywords:  logging
----------------------------+----------------------
Comment (by gregor):
> - Good idea to record the field separator as well. But for non-printable
> characters (like the default tab) it looks a bit odd, and the enclosing
> `'...'` are somewhat tricky to parse as well. How about ``# separator
> \t``, with whitespace separating the two and the separator itself having
> non-printable characters escaped. Note though that (1) I'm not sure
> whether it should be ``\t`` or for consistency ``\x09``, and (2) whether
> either of these can be easily converted back into the binary form in awk.
I don't like using whitespace here. If the remainder of the file uses
tabs, that's a mix of two whitespace characters :-(. How about using a
colon?
  separator:\x09
With my darwin awk the following works:
  awk 'BEGIN { FS="\x09" }'
> Other ideas?
> - What's the use case for including the path?
Maybe "path" is misleading. Could try with "log" or "file" instead.
> - I'm wondering whether we should make it easy to tell what kind of
> meta-line it is. How about this format:
> {{{
> #fields ts uid id.orig_h id.orig_p ...
> #types time string addr port ...
> #separator \t
> #path conn
> }}}
ACK.
cu
Gregor
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/558#comment:5>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
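
As an added example (not code from the ticket or from Bro): a shell function wrapping awk that reads the `#separator` meta line, turns the `\x09` escape back into the raw byte, and uses it as `FS` for the rest of the file. It assumes the `#keyword` layout from the quoted proposal combined with the `\x09` escape, a single space after `#separator`, and the separator itself between entries of the other meta lines; `log_column` and `sample_log` are hypothetical names and the log content is constructed.

```shell
# Constructed sample log in the assumed header layout (not real Bro output).
sample_log() {
    printf '%s\n' '#separator \x09'
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tnote\n'
    printf '#types\ttime\tstring\tstring\n'
    printf '1313424656.0\tabc123\thello world\n'
    printf '1313424657.5\tdef456\tsecond row\n'
}

# Print the column named $1 from a log read on stdin.
log_column() {
    awk -v want="$1" '
    # Decode every \xHH escape in s into the byte it names.
    function unescape(s,    out, digits, hi, lo) {
        digits = "0123456789abcdef"
        out = ""
        while (match(s, /\\x[0-9A-Fa-f][0-9A-Fa-f]/)) {
            hi = index(digits, tolower(substr(s, RSTART + 2, 1))) - 1
            lo = index(digits, tolower(substr(s, RSTART + 3, 1))) - 1
            out = out substr(s, 1, RSTART - 1) sprintf("%c", hi * 16 + lo)
            s = substr(s, RSTART + RLENGTH)
        }
        return out s
    }
    # "#separator " is 11 characters; the escaped value starts at 12.
    # A new FS takes effect from the next record onwards.
    /^#separator / { FS = unescape(substr($0, 12)); next }
    # $1 is the "#fields" keyword, so header entry i names data column i-1.
    /^#fields/ {
        for (i = 2; i <= NF; i++) if ($i == want) col = i - 1
        next
    }
    /^#/ { next }              # remaining meta lines (#types, #path, ...)
    col  { print $col }        # data rows, once the column is known
    '
}

# The third column contains spaces; it survives because FS is a tab.
sample_log | log_column note
```

A separator longer than one character would be treated by awk as a regular expression, so this sketch is only correct for single-byte separators such as the default tab.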