[Bro] Accessing index of an uint8 array inside record
Jon Siwek
jsiwek at corelight.com
Sun Nov 18 09:28:45 PST 2018
On Sun, Nov 18, 2018 at 10:45 AM TQ <nothinrandom at gmail.com> wrote:
> I ended up using bytestring &length=4, and this allows me to access using ${Record_A.record_b.data[0]}. Bizarre as these two are equivalent, right?
Logically, "bytestring &length=4" and uint8[4] are equivalent but seem
to be implemented differently.
A bytestring field ends up being a "datastring<uint8>"
object/reference from binpac_bytestring.h
A uint8[4] ends up being a pointer to a "std::vector<uint8>".
So that last bit about it being a pointer is likely important, means
you were probably missing a pointer dereference e.g. you could try
${Record_A.record_b.data}->at(0) for accessing a uint8[] at index 0.
All this info should be available for you to find in the generated
*_pac.cc files and checking those is the best way to confirm what you
need to be doing.
- Jon
More information about the Bro
mailing list