[Bro] pybroker with 'optional' fields
Jeff Barber
jbarber at computer.org
Mon May 18 11:50:00 PDT 2015
Yeah. Using valid() works but it makes the code clumsy and unpythonic.
Below is my code. Uncomment the second "sub_recs = ..." line in ppkt() (in
place of the first one) to see the issue.
With this .bro loaded:

const broker_port: port = 9999/tcp &redef;
redef BrokerComm::endpoint_name = "events";

export {
    global jb_packet: event(p: pkt_hdr);
}

event bro_init()
    {
    BrokerComm::enable();
    BrokerComm::listen(broker_port, "127.0.0.1");
    BrokerComm::auto_event("bro/event/jb_packet", jb_packet);
    }

event new_packet(c:connection, p: pkt_hdr) { event jb_packet(p); }

I have this script:

#!/usr/bin/env python
from select import select

import pybroker


def get_fields(fields, n_fields):
    # Return each field's value, or None where an optional field is unset.
    new_fields = []
    for n in range(n_fields):
        f = fields[n]
        if f.valid():
            new_fields.append(f.get())
        else:
            new_fields.append(None)
    return new_fields


def ppkt(p):
    rec = p.as_record()
    sub_recs = get_fields(rec.fields(), rec.size())
    #===>>> sub_recs = [f.get() for f in rec.fields()]
    print(sub_recs)


def pmsg(msg_type, obj):
    # Dispatch on the event name carried in the message.
    msg_type = msg_type.as_string()
    pobj = {
        "jb_packet": ppkt,
    }[msg_type]
    # print "%s: " % msg_type,
    pobj(obj)


def main():
    epc = pybroker.endpoint("connector")
    epc.peer("127.0.0.1", 9999, 1)

    # Wait for the peering status before subscribing.
    ocsq = epc.outgoing_connection_status()
    select([ocsq.fd()], [], [])
    conns = ocsq.want_pop()
    for m in conns:
        print("outgoing connection", m.peer_name, m.status)

    mql = pybroker.message_queue("bro/event", epc)
    while True:
        select([mql.fd()], [], [])
        msgs = mql.want_pop()
        for m in msgs:
            pmsg(*m)


if __name__ == "__main__":
    main()

On Mon, May 18, 2015 at 1:56 PM, Siwek, Jon <jsiwek at illinois.edu> wrote:
>
> > On May 18, 2015, at 9:27 AM, Jeff Barber <jbarber at computer.org> wrote:
> >
> > I've been playing with sending event data to a peer using the broker
> > interface. I'm able to send records over just fine and my python script can
> > receive and interpret them using the swig-generated wrapper as long as all
> > the fields are present.
> >
> > If I try to send one with optional fields such as pkt_hdr where not all
> > of the fields are present (as is always the case with pkt_hdr), I get
> > various segmentation violations either direct in the swig-generated code or
> > assertion failures in the 'optional' class.
> >
> > Seems like there should be a more intelligent iterator for the record
> > fields in the swig source. I was thinking it would make sense to return a
> > None value in the slot where a non-present optional value goes and then you
> > could just test for that, but I don't know enough about swig to create the
> > iterator. I've tried several combinations of %extend, %pythoncode and so
> > forth, but can't figure out the right magic words.
> >
> > Anybody know the right way to do this?
>
> There’s a brief example of sending/receiving a record with an empty field
> in tests/test_messages.py. You can call the valid() method on a field to
> test if there’s data there that you’re allowed to access. If that doesn’t
> help clarify the issue, can you post some example code?
>
> - Jon