[Bro] Accessing bro variables in c

[Mike Muratet]

Christian

>
> Mhmm does it work when you do this instead:
>
>  BroString *result;
>  bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, &result);
>

Well, maybe. It's printing '??'. '?' is a valid string for this field if I 
remember the bro manual correctly. I don't see anything in the logs that has 
protocol information so maybe '?' is what bro thinks. I have seen 'ssh' in 
bro output when reading tcpdump files, but the '?' could be an artifact 
here.

Prior to this my entire bro experience was reading tcpdump files and it 
seems like the interesting info came out on stdout. Maybe I should have 
redirected stdout when I started bro from the command line? I opted not to 
send emails when I configured bro, and there's nothing in the reports 
subdirectory. If I can figure out where the reports are going I'll check to 
see what bro is writing to the logs. Maybe '?' is the right answer (at least 
as far as the interface is concerned).

> http://www.cl.cam.ac.uk/~cpk25/broccoli/manual/broccoli-broccoli.html#BRO-RECORD-GET-NAMED-VAL
>
> Also note that strings are actually instances of BroString, so in order
> to get to the resulting string you want to use
>
>  printf("%s event received\n", result->str_val);
>

I don't see this field in the on-line manual. Is BroString defined somewhere 
else?

> I really need to add bro_string_get_data() and bro_string_get_length().
>
>> My experiments with the bro type 'time' variable start_time are equally
>> unsuccessful. Is the type equivalent to the c double, or is it a 
>> timestamp
>> structure? (I didn't find it in the bro manual.)
>
> Try similarly to the above code snippet -- pass the address of the
> pointer so Broccoli can adjust it to point to the result.
>
>> Am I going about this all wrong?
>
> I'd say you're very close! The record handling stuff is some of the
> newest code in Broccoli and could probably be better documented ... Well
> done! :)
>

Thanks. I'll be glad to get this working.

Cheers

Mike