[Bro] bro-cut -c vs -C
Azoff, Justin S
jazoff at illinois.edu
Sat Sep 24 20:38:17 PDT 2016
> On Sep 24, 2016, at 10:38 AM, Daniel Thayer <dnthayer at illinois.edu> wrote:
>
> On 9/24/16 7:49 AM, Harry Hoffman wrote:
>> Hi Folks,
>>
>> I can't tell if I'm reading the man page for bro-cut incorrectly or if
>> there's a bug.
>>
>> bro-cut -c and bro-cut -C seems to output the same headers. The man page states:
>>
>> -c Include the first format header block into the output.
>> -C Include all format header blocks into the output.
>>
>> Can someone tell me what the difference should be?
>>
>> Cheers,
>> Harry
>
>
> The -C option is useful when bro-cut is reading more than one log file,
> because it allows you to see the boundaries between each log file.
>
> For example:
> gunzip -c conn.*.log.gz | bro-cut -C
-C is also needed if the columns are expected to change at any point.. i.e.
cat conn.log dns.log |bro-cut -C uid id.orig_h query
or, something like dumping log archives for a time period that includes a bro version upgrade that added/removed fields.
Now that I really think about it, it would make the most sense for -C to only output a header block if there was a change from the previous one... and possibly -c should just do that too. Only outputting the first header block is possibly the wrong thing to do if the header block for the selected fields ever changes.
--
- Justin Azoff
More information about the Bro
mailing list