[Zeek] printing stream columns

Henri Dubois-Ferriere henridf at gmail.com
Mon Nov 11 11:37:30 PST 2019


Now that this patch is merged (thanks again) I've upgraded my Zeek script
and the record_fields changes work great.

I still have one outstanding issue which is that for a container type,
record_field$type_name is just the container name (such as "vector" or
"set"). I don't see a way to get the type of the container elements from
Zeek script, but once again would be delighted to be corrected.

And if there's currently no way, I'm happy to put up a PR, but I could use
some guidance on how to expose this in Zeek (e.g. a new field on
record_field?).

Thanks,
Henri

On Fri, 1 Nov 2019 at 20:53, Jon Siwek <jsiwek at corelight.com> wrote:

> On Fri, Nov 1, 2019 at 4:11 AM Henri Dubois-Ferriere <henridf at gmail.com>
> wrote:
>
> > I'd like to be able to peek into nested records to get the inner fields
> > that will show up in the logs. It doesn't seem like there's a way to do
> > record introspection given a string representation of the record type name,
> > but I'd be delighted to be told I'm missing something.
>
> No, didn't look like there was a way to do that, but I've made a
> PR/patch that should make recursive introspection possible via
> something like `record_fields("conn_id")` for any arbitrary record
> type name:
>
> https://github.com/zeek/zeek/pull/675
>
> - Jon
>