Access pcap filename in script land

Hi all,

in case bro is executed offline on a pcap with:

bro -r file1.pcap script.bro

is there a directive I can insert into script.bro to access the pcap
filename?

many thanks in advance,
Valerio

Nope.

-AK

Hi Anthony,

Thanks for your answer.
Let me just generalize my requirement: Is it possible when I start bro
to pass external arguments to a bro script?

I think this feature would be useful in case you want to add some
external info (not strictly present in the pcap or flow that bro is
analyzing) into .log files produced by a bro script.

thanks,
Valerio

Yes, you can override script variables, like this:

    # cat args.bro

    const pcap_file = "" &redef;

    event bro_init()
        {
        print(pcap_file);
        }

    # bro ./args.bro 'pcap_file=\"Foo\"'
    "Foo"

Robin

Thanks a lot!!!

Valerio

Hi,

I am trying to adapt the suggested methodology to the following
scenario: I have a custom main.bro script in
scripts/base/protocols/proto1/main.bro to which I would like to pass
arguments from command line each and every time I run bro with the
following command

bro -r pcap_file_name.pcap

I set const arg1 =""&redef in main.bro but if I run

bro -r pcap_file_name.pcap 'arg1=\"test\"' I get the following error

error in <params>, line 1: unrecognized character - \
error in <params>, line 1: unrecognized character - "
error in <params>, line 1: unknown identifier test, at or near "test"

many thanks in advance,
Valerio

Try:

bro -r pcap_file_name.pcap -e 'arg1="test"'

    -e|--exec <bro code> | augment loaded policies by given code

  --Vlad

Valerio <valerio.click@gmx.com> writes:

Thanks!! Now it works running the following command:

bro -r pcap_file_name.pcap -e 'redef Prot1::arg1="test"'

AND

including 'const arg1=""&redef' within the export block of main.bro
where module Prot1 was defined.

best regards,
Valerio

bro -r pcap_file_name.pcap arg1=test

would have worked.

If I run bro -r pcap_file_name.pcap 'arg1="test"' I get the following error:

error in <params>, line 1: "redef" used but not previously defined (arg1)

regards,
Valerio

That's because you did not define arg1... Also, 'arg1="test"' does not work. arg1=test works. 'arg1=test' would work. "arg1=test" would work, 'arg1="test"' does not work.

$ cat t.bro
const arg1 ="x" &redef ;

event bro_init() {
    print arg1;
}
$ bro t.bro
x
$ bro t.bro arg1=test
test
$ bro t.bro 'arg1=test two'
test two

Hi,

thanks for your feedback. However I think I am missing something.
In fact, if I run:

bro -r pcap_file_name.pcap arg1=test

I get the following error

error in <params>, line 1: unknown identifier test, at or near "test"

Please notice that, as I described in my previous mail:

"I have a custom main.bro script in
scripts/base/protocols/proto1/main.bro to which I would like to pass
arguments from command line"

in the main.bro I defined arg1 as const arg1=""&redef within the
export{} block and having defined module Prot1;

Even if I run

bro -r pcap_file_name.pcap Prot1::arg1=test

I get the following error
error in <params>, line 1: unknown identifier test, at or near "test"

the same with:
bro -r 28122015-whatsapp_iphone_traffic.pcap 'Wa::arg1=test'

best regards,
Valerio

The different methods do work:

$ cat t.bro
module Foo;
export {
    const arg1 ="x" &redef ;
}

event bro_init() {
    print arg1;
}
$ bro t.bro
x
$ bro t.bro Foo::arg1=test
test
$ bro t.bro 'Foo::arg1=test two'
test two
$ bro t.bro -e 'redef Foo::arg1="test three"'
test three

Are you actually loading your proto1 script anywhere? local scripts really belong under share/bro/site, not under the base/ directory.

You likely want to move your proto1 directory to share/bro/site and add

@load ./proto1

to share/bro/site/local.bro

Thanks!!

by moving the script from base to share/bro/site it works!!

best,
Valerio
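
The following is an added example, not part of the original thread: it combines the redef-from-the-command-line technique above with the original goal of recording the pcap filename in the logs, by stamping each conn.log entry with the value passed in. The module name PcapTag, the constant pcap_file and the log field source_pcap are assumptions chosen for illustration.

```bro
# tag-pcap.bro (added example; names below are illustrative assumptions)
#
# Usage, following the -e form shown in the thread:
#   bro -r file1.pcap tag-pcap.bro -e 'redef PcapTag::pcap_file="file1.pcap"'
#
# If this file lives in a site directory instead, it must be @load-ed
# (e.g. from local.bro); otherwise the identifier is unknown to the
# command-line redef, which is the error seen earlier in the thread.

@load base/protocols/conn

module PcapTag;

export {
    ## Name of the capture being replayed. Empty means "not provided".
    ## &redef is what allows the command line to override the value.
    const pcap_file = "" &redef;
}

# Add an optional, logged column to conn.log.
redef record Conn::Info += {
    source_pcap: string &optional &log;
};

# Default priority (0): the base conn script fills in c$conn at
# priority 5 and writes the log entry at priority -5, so this
# handler runs in between.
event connection_state_remove(c: connection)
    {
    if ( pcap_file != "" && c?$conn )
        c$conn$source_pcap = pcap_file;
    }

event bro_init()
    {
    # Make a missing argument visible instead of silently logging nothing.
    if ( pcap_file == "" )
        Reporter::warning("PcapTag::pcap_file not set; conn.log will not be tagged");
    }
```

When the constant is left empty the source_pcap column is simply unset ("-" in the ASCII log), so logs from live capture and from tagged offline runs keep the same schema.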