Hello all,
I saw a few open source libraries that parse actual packet content and was
interested in incorporating this into Drill's PCAP parser. I was thinking
initially of writing this as a UDF, however, I think it would be much better to
include this directly in Drill. What I was thinking was to create a field
called parsed_packet that would be a Drill Map. The contents of this field
would vary depending on the type of packet. For instance, if it is a DNS
packet, you get all the DNS info, ICMP, etc.
Does the community think this is a good idea? Also, given the structure of
the PCAP plugin, I'm not quite sure how to create a Map field with variable
contents. Are there any examples that use the same architecture as the PCAP
plugin?
Thanks,
-- C
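To make the "variable-contents map" idea concrete, here is an added example that is not part of the post above and not Drill's own code. It is written in Python rather than Drill's Java, and the function names (`parse_packet`, `parse_dns`, `parse_icmp`) and the sample packet bytes are constructed for illustration. It dispatches on the IP protocol number and ports, returns a dict whose keys differ per protocol (DNS vs. ICMP), and fails closed on truncated or unsupported input so a malformed packet in a capture yields a tagged "malformed" record instead of an exception that aborts the scan:

```python
import struct

# Constructed sample packets (not captured traffic).
DNS_QUERY = (
    b"\x12\x34"                  # transaction id 0x1234
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME = example.com
    b"\x00\x01"                  # QTYPE = A
    b"\x00\x01"                  # QCLASS = IN
)
ICMP_ECHO = b"\x08\x00\xf7\xff\x00\x01\x00\x2a"  # echo request, id 1, seq 42

IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def parse_dns_name(buf, offset):
    """Read an uncompressed label sequence; reject pointers and truncation."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; out of scope for this example
            raise ValueError("compression pointers not handled")
        if offset + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_dns(payload):
    """Return the DNS-specific map: header fields plus the question section."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_dns_name(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
    return {
        "type": "dns",
        "id": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qdcount, "ancount": ancount, "nscount": nscount, "arcount": arcount,
        "questions": questions,
    }


def parse_icmp(payload):
    """Return the ICMP-specific map; echo messages also carry id and sequence."""
    if len(payload) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, checksum = struct.unpack("!BBH", payload[:4])
    result = {"type": "icmp", "icmp_type": icmp_type, "code": code, "checksum": checksum}
    if icmp_type in (0, 8) and len(payload) >= 8:  # echo reply / echo request
        result["identifier"], result["sequence"] = struct.unpack("!HH", payload[4:8])
    return result


def parse_packet(proto, src_port, dst_port, payload):
    """Build the per-packet map; its keys depend on what the payload is."""
    try:
        if proto == IPPROTO_ICMP:
            return parse_icmp(payload)
        if proto == IPPROTO_UDP and 53 in (src_port, dst_port):
            return parse_dns(payload)
        return {"type": "unknown", "length": len(payload)}
    except ValueError as exc:
        # Untrusted capture data: record the failure instead of raising.
        return {"type": "malformed", "error": str(exc)}


if __name__ == "__main__":
    print(parse_packet(IPPROTO_UDP, 40000, 53, DNS_QUERY))
    print(parse_packet(IPPROTO_ICMP, None, None, ICMP_ECHO))
```

The point of the `try`/`except` is the part a PCAP reader most often gets wrong: payloads in a capture are attacker-controlled bytes, so every length check and the refusal to follow compression pointers keeps a single bad packet from stopping the whole query.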