In Zeek (e.g. main.zeek), how can I use the variable from another script (e.g .sh file) with packet_source() or any function?

SFD · January 17, 2023, 3:03pm

My command in the .sh file is running.

The command is: ($ZEEK -C -r $i dir)

i: pcap (file) name to be processed

dir: directory to be extracted

When the command is running, there are the extract files in desired location. It works pretty well. But I need that filename in the main.zeek. The question was that how can i access the filename in the main.zeek (used in the .sh file).

As I learned from here, packet_source() function could be called in script. But I can not implement it because I just started using it and I’m trying to get used to the script of Zeek.

In my script (main.zeek), after loading script index which contains packet_source() as the built-in function (@load base/bif/zeek.bif.zeek), how can i define a variable and use it (e.g global filename: function packet_source():, is it valid)?

I would be glad if you help.

Benjamin_Bannier · January 17, 2023, 3:16pm

packet_source returns a PacketSource value. If its path value is set Zeek is reading from a PCAP file.

event zeek_init()
	{
	# Get the current PacketSource.
	local source = packet_source();

	# If the the `path` field of `PacketSource` is set we
	# are reading from an offline PCAP file. Print it.
	if ( source?$path )
		{
		print source$path;
		}
	}

SFD · January 18, 2023, 6:07am

I’m developing the code in the zeek/base/frameworks/files/main.zeek. In my script, adding loads are done because of the packet_source() and zeek_init().

@load base/bif/zeek.bif.zeek
@load base/bif/event.bif.zeek

Shortly after, I’m adding the event zeek_init()

event zeek_init()
{
local filename_source = packet_source();
}

Since all the modified variables in the some files are defined function set_info(f: fa_file), the check in there is done.

if(filename_source?$path)
{
f$info=cat(filename_source$path);
}

info is defined as

info: string &log &optional.

While other variables can be written to the file, the variable I specified is unfortunately not written and even prevents log files of others from being output. So what am I missing? @Benjamin_Bannier

Christian_Kreibich1 · January 18, 2023, 6:38am

Hi there,

It’d really help to see a minimal, runnable example so we can iterate on something reproducible.

A few tips:

You should not edit the scripts below scripts/base because doing so will prevent you from shipping your changes independently from the Zeek distribution in a Zeek package. Try writing your code based on your own event handlers instead, just like the main.zeek you’re looking at.
You’re defining filename_source as a variable local to your zeek_init handler, so you cannot have it available in set_info — I suspect you’re either using a global or calling packet_source() again somewhere (which should be fine).
The path member of the PacketSource record is already a string, so you can just say f$info = filename_source$path.

and even prevents log files of others from being output

That’s a red flag — I suspect Zeek exited or reported warnings, perhaps based on grammatical or runtime errors in your script.

Best,
Christian

SFD · January 20, 2023, 12:20pm

Thanks for your help. I am really appreciated. @Benjamin_Bannier @Christian_Kreibich1

The problem was solved and I got the value I wanted.