Yes, but there's something that's still stumping me.
Looking at line 70 from https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-analyzer.pac
case 8:
if ( element->data()->etype()->data()->size() )
rv->Assign(11, proc_cipher_list(element->data()->etype()));
Following the breadcrumb trail in the if statement here...
element is type KRB_REQ_Arg (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
-> data is type KRB_REQ_Arg_Data (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
-> etype is type Array (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
-> data is type ASN1Encoding (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
-> size is type ?
Following this line of thought, I'm a little confused by what "size()" is supposed to mean here, since it's not an attribute. I can infer that it's simply returning the size of the record, but I don't have any information as to how or where that would be defined. I've also tried looking through the source of BinPAC (https://www.bro.org/sphinx/components/binpac/README.html) but have come up empty so far.
I have a sample of kerberos pcap that populates the msg$pa_data$encryption_type vector (from event krb_tgs_request), so I know that the aforementioned if statement is returning true - - but the other two vectors "host_addrs" and "additional"tickets" (that from documentation seem to imply they're parallel with the encryption_type vector) come up as <uninitialized>.
This made me question that maybe there was something wrong with the code that was causing it to miss the host_addr and ticket data, I clearly find this data in my pcap sample under padata. This is my current theory anyway, and wanted to see if I'm making a bad assumption somewhere or if someone can shed light on what's going on here.