
My command in the .sh file is running.

The command is: `($ZEEK -C -r $i dir)`

i: pcap (file) name to be processed

dir: directory to be extracted

When the command runs, the extracted files appear in the desired location. It works pretty well. But I need that filename in the main.zeek. The question is how I can access the filename (used in the .sh file) in the main.zeek.

As I learned from here, the packet_source() function could be called in a script. But I cannot implement it because I just started using it and I'm trying to get used to the Zeek scripting language.

In my script (main.zeek), after loading the script index which contains packet_source() as a built-in function (@load base/bif/zeek.bif.zeek), how can I define a variable and use it (e.g. `global filename: function packet_source():`, is it valid)?

I would be glad if you help.

SFD
  • _In my script (main.zeek)_ : It would help if you would show here the relevant part of this `main.zeek` (and also of the shell script which you mention initially). – user1934428 Jan 16 '23 at 11:30
  • Since the *.sh* file simply scans the files (pcaps) and automatically runs Zeek for each file, there is no need to include that code. As I mentioned, I wrote part of it in detail for clarity. The **$i** variable handles filenames one by one. Zeek also uses this filename with the help of *.sh*. *However, when Zeek processes these files, I cannot access the names in Zeek (e.g. main.zeek)*. The `packet_source` function was suggested to me *to access filenames*. That's why I published this post to get information about the use of the function from someone. @user1934428 – SFD Jan 16 '23 at 12:56
  • As for me, I can only say that the command `($ZEEK -C -r $i dir)` by itself does not make much sense. Why do you run it in a subshell (as the parentheses indicate), and what is the value of the variable `ZEEK`? Further, when you say _I can not access the names in Zeek_, are you referring to the variable `i`? This depends on how the variable has been defined (not what it contains), and for this, the shell script **is** important. One needs to see whether it is a shell variable or an environment variable. – user1934428 Jan 16 '23 at 13:03
  • There is a folder that has pcaps. In the .sh script, there is a loop over those pcaps. **$i** takes a different pcap name on each iteration. Actually, *multiple pcap files are processed with that*: [link](https://blog.edie.io/2022/01/31/ingesting-pcap-files-with-zeek-and-splunk/); the *Reading Multiple PCAP Files with Zeek* part in that shared link is the same as my shell script. *As you mentioned*, I cannot access the names in Zeek; **I refer to the variable** `i`. @user1934428 – SFD Jan 16 '23 at 13:22
  • While I don't know _zeek_ at all (that's why I'm writing comments and not an answer), assuming that zeek is executed as a child process of your script, it can of course **not** use a shell variable set in the parent process. You can however set an **environment** variable in your shell script, and if zeek is a reasonably written framework, it should be able to access its environment. Hence I would recommend searching the zeek documentation for how to make use of the environment. – user1934428 Jan 16 '23 at 14:28
  • Another possibility: **If** zeek can be configured by a configuration file, you can generate in your shell script such a configuration file, and pass this information through it. – user1934428 Jan 16 '23 at 14:30

1 Answer


In main.zeek, the variable could be defined as global so it can be used in every function the script has.

```zeek
# Global string that will hold the path of the trace Zeek is reading.
global filename_s: string;
```

After that, packet_source() is used to access the value. Its $path field gives which file is being read from the PCAP. It should be placed in event zeek_init().

```zeek
event zeek_init()
    {
    # packet_source() returns a PacketSource record; $path is the trace path.
    local filename_source = packet_source();
    filename_s = filename_source$path;
    }
```

That filename_s holds the path of the file Zeek read. It could be used in that script file (e.g. main.zeek).

SFD
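As an added example (not part of the question or the answer above), the following Zeek script carries the idea one step further: it stores both the full `packet_source()$path` and its basename in exported globals, falls back to an environment variable named `PCAP_NAME` (an assumed name; the wrapper .sh would have to `export` it, as suggested in the comments), and tags every conn.log record with the trace it came from so the origin of each connection can be checked later.

```zeek
# Added example, not from the post. Records which pcap Zeek is reading.
module PcapName;

export {
    ## Full path of the trace file, as reported by packet_source().
    global pcap_path: string = "";
    ## Basename of the trace file (empty when reading a live interface).
    global pcap_file: string = "";
}

event zeek_init()
    {
    local src = packet_source();

    # A live source (-i) has an interface name in $path, not a file.
    if ( src$live )
        return;

    pcap_path = src$path;

    # Fallback: PCAP_NAME is an assumed variable exported by the wrapper script.
    if ( pcap_path == "" )
        pcap_path = getenv("PCAP_NAME");

    if ( pcap_path == "" )
        return;

    # Keep only the last path component as the file name.
    local parts = split_string(pcap_path, /\//);
    pcap_file = parts[|parts| - 1];

    print fmt("processing %s (%s)", pcap_file, pcap_path);
    }

# Example use: add a "pcap" column to conn.log naming the source trace.
redef record Conn::Info += {
    pcap: string &log &optional;
};

# Priority 5 so this runs before Conn writes the record (priority -5).
event connection_state_remove(c: connection) &priority=5
    {
    if ( c?$conn && pcap_file != "" )
        c$conn$pcap = pcap_file;
    }
```

Run it as `zeek -C -r trace.pcap this_script.zeek`; the resulting conn.log carries the extra `pcap` column with the trace basename.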