I think this would be very useful, particularly if it is easy to add
additional parsing methods.

When I started the pcap work, I couldn't find any libraries that combined
what we needed in terms of function and license.

On Tue, Apr 23, 2019, 9:34 AM Charles Givre <cgi...@gmail.com> wrote:

> Hello all,
> I saw a few open source libraries that parse actual packet content and was
> interested in incorporating this into Drill's PCAP parser.  I was thinking
> initially of writing this as a UDF, however, I think it would be much
> better to include this directly in Drill.  What I was thinking was to
> create a field called parsed_packet that would be a Drill Map.  The
> contents of this field would vary depending on the type of packet.  For
> instance, if it is a DNS packet, you get all the DNS info, ICMP, etc.
> Does the community think this is a good idea? Also, given the structure
> of the PCAP plugin, I'm not quite sure how to create a Map field with
> variable contents.  Are there any examples that use the same architecture
> as the PCAP plugin?
> Thanks,
> -- C
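
The proposal above (a parsed_packet map whose contents depend on the packet type, plus the reply's wish that adding parsers stays easy) is sketched below as an added example. It is not Drill code and not Charles's or the PCAP plugin's implementation; it is written in Python rather than Drill's Java so it can run stand-alone, and it shows only the shape of the design: a registry of per-protocol parsers keyed by IP protocol number, each returning a dict with its own keys (DNS fields for DNS, ICMP fields for ICMP), with UNKNOWN and MALFORMED variants for traffic the registry cannot handle. The names parsed_packet and IP_PARSERS, the port-53 dispatch, and the two sample packets are all assumptions constructed here; the packets are hand-built bytes, not real captures.

```python
"""Sketch of a parsed_packet map whose keys vary with the carried protocol.

Added example, not Drill or PCAP-plugin code. Packets below are constructed.
"""
import struct
from typing import Any, Callable, Dict, List, Tuple


# ---- constructed sample packets (hand-built, not captured traffic) ----

def _ipv4(proto: int, payload: bytes, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Wrap payload in a minimal IPv4 header (no options, checksum left zero)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def _dns_query(name: str, txid: int = 0xBEEF) -> bytes:
    """UDP header (to port 53) + DNS header + one A/IN question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    return udp + dns


ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x0042, 7) + b"ping"
SAMPLE_DNS = _ipv4(17, _dns_query("example.com"))   # assumed sample
SAMPLE_ICMP = _ipv4(1, ICMP_ECHO)                    # assumed sample


# ---- per-protocol parsers: each returns the map contents for its type ----

def parse_icmp(data: bytes) -> Dict[str, Any]:
    t, code, _csum, ident, seq = struct.unpack_from("!BBHHH", data, 0)
    return {"type": "ICMP", "icmp_type": t, "icmp_code": code, "id": ident, "seq": seq}


def _dns_name(data: bytes, off: int) -> Tuple[str, int]:
    """Read a label sequence; compression pointers are noted, not followed."""
    labels: List[str] = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            labels.append("<ptr>")
            off += 1
            break
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off


def parse_dns(data: bytes) -> Dict[str, Any]:
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _dns_name(data, off)
        qtype, qclass = struct.unpack_from("!HH", data, off)
        off += 4
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
    return {"type": "DNS", "txid": txid, "is_response": bool(flags & 0x8000),
            "question_count": qd, "answer_count": an, "questions": questions}


def parse_udp(data: bytes) -> Dict[str, Any]:
    sport, dport, length, _csum = struct.unpack_from("!HHHH", data, 0)
    if 53 in (sport, dport):  # port-based dispatch is an assumption of this sketch
        return parse_dns(data[8:])
    return {"type": "UDP", "src_port": sport, "dst_port": dport, "length": length}


# Registry keyed by IP protocol number: a new protocol is one new entry.
IP_PARSERS: Dict[int, Callable[[bytes], Dict[str, Any]]] = {1: parse_icmp, 17: parse_udp}


def parsed_packet(pkt: bytes) -> Dict[str, Any]:
    """Return the variable-content map for one IPv4 packet."""
    fields = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    ver_ihl, total_len, proto = fields[0], fields[2], fields[6]
    if ver_ihl >> 4 != 4:
        return {"type": "UNKNOWN", "reason": "not IPv4"}
    payload = pkt[(ver_ihl & 0x0F) * 4:total_len]
    parser = IP_PARSERS.get(proto)
    if parser is None:
        return {"type": "UNKNOWN", "ip_proto": proto}
    try:
        return parser(payload)
    except (struct.error, IndexError) as exc:  # truncated or hostile payload
        return {"type": "MALFORMED", "ip_proto": proto, "error": str(exc)}


if __name__ == "__main__":
    for sample in (SAMPLE_DNS, SAMPLE_ICMP, _ipv4(6, b"\x00" * 20), _ipv4(1, b"\x08")):
        print(parsed_packet(sample))
```

The "type" key is present in every variant so a query can filter on it before touching protocol-specific keys, and a truncated payload yields a MALFORMED map rather than aborting the scan, which matters when the capture is of hostile traffic.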
