[Bro] &expire_func/&create_expire question

Fri Nov 17 13:18:09 PST 2006

Hiya,

Below is a script that I would think should cause the &expire_func to 
execute, but doesn't. (I would expect the expire function to execute 
assuming you run the script on a trace that has packets with arrival 
times separated by more than EXPIRE time, which is set to 1 second 
below).

------------
type test_key : string;
#type test_key : time;

global pkts : count = 0;

function expF (tbl: table[test_key] of count, idx : test_key): interval 
{
     pkts = pkts - tbl[idx];
     return 0 sec;
}

const EXPIRE : interval = 1 sec;
global pkts_map: table[test_key] of count &default=0
                             &create_expire=EXPIRE &expire_func=expF;

event new_packet(c: connection, p: pkt_hdr)
{
     local k : string = fmt( "%s", network_time() );
     #local k : time = network_time();
     print fmt( "k=%s", k );

     ++pkts;
     if ( k in pkts_map ) {
         pkts_map[k] = pkts_map[k] + 1;
     } else {
         pkts_map[k] = 1;
     }

     print fmt ("pkts = %d, pkt map: %d", pkts, pkts_map[k] );
}

-------

Also, if you un-comment the test_key line at the top to use the 'time' 
type as a key in the table (and the corresponding key computation in 
the new_packet event), you get the following error:

1163788759.811588 <no location> (1163788759.81159): bad tag in 
Val::CONST_ACCESSOR (time/double)

I tested this on Linux, if that's any use.

Any help would be appreciated.

- Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 1473 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061117/50b65750/attachment.bin 