[Zeek] printing stream columns

Jon Siwek jsiwek at corelight.com
Mon Nov 11 13:17:05 PST 2019


On Mon, Nov 11, 2019 at 11:37 AM Henri Dubois-Ferriere
<henridf at gmail.com> wrote:

> I still have one outstanding issue which is that for a container type, record_field$type_name is just the container name (such as "vector" or "set"). I don't see a way to get the type of the container elements from zeek script, but once again would be delighted to be corrected.
>
> And if there's currently no way, I'm happy to put up a PR, but I could use some guidance on how to expose this in Zeek (e.g. a new field on record_field?).

Would be great if you want to try making a PR.  The first way to do it
that comes to mind is to just alter that "record_field$type_name" to
better describe containers in a format like "vector of XXX",
"set[XXX]" or "table[XXX] of YYY".  This should be the relevant code
to modify:

https://github.com/zeek/zeek/blob/b86a8acc2b84089efbbe51216a4f4d1d57a4f430/src/Type.cc#L845-L850

- Jon
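
An added example, not part of the original message and not Zeek's own code: a Python sketch of how a consumer of the column listing could recover element types from type_name strings in the three formats suggested above. It assumes the formats nest recursively and that multiple index types are comma-separated; the function names are hypothetical.

```python
# Added example: parser for "vector of XXX", "set[XXX]", "table[XXX] of YYY".
# Assumptions: forms nest recursively; multiple index types are comma-separated.

def _close_bracket(s, start):
    """Return the index of the ']' that matches the '[' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "[":
            depth += 1
        elif s[i] == "]":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced brackets in %r" % s)

def _split_top(s):
    """Split on commas that are not nested inside [...]."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def parse_type_name(s):
    """Turn a type_name string into a nested dict of kind/index/yield."""
    s = s.strip()
    if s.startswith("vector of "):
        return {"kind": "vector", "yield": parse_type_name(s[len("vector of "):])}
    for kind in ("set", "table"):
        if s.startswith(kind + "["):
            end = _close_bracket(s, len(kind))
            inner = s[len(kind) + 1:end]
            node = {"kind": kind,
                    "index": [parse_type_name(p) for p in _split_top(inner)]}
            rest = s[end + 1:].strip()
            if kind == "table":
                if not rest.startswith("of "):
                    raise ValueError("table without a yield type: %r" % s)
                node["yield"] = parse_type_name(rest[len("of "):])
            elif rest:
                raise ValueError("unexpected text after set: %r" % s)
            return node
    if not s or "[" in s or "]" in s:
        raise ValueError("not a recognised type name: %r" % s)
    return {"kind": s}  # atomic type such as "string" or "count"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from real Zeek output.
    for sample in ("vector of string", "set[addr]", "table[addr, port] of vector of count"):
        print(sample, "->", parse_type_name(sample))
```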


