% Generated by roxygen2: do not edit by hand
% Please edit documentation in R/pcap_to_zeek.R
\name{pcap_to_zeek}
\alias{pcap_to_zeek}
\title{Process a PCAP with Zeek and create Parquet files}
\usage{
pcap_to_zeek(pcap, out_dir = tempfile(pattern = "zeek"), zeek_opts = c(), ...)
}
\arguments{
\item{pcap}{path to PCAP to process. (\code{\link[=path.expand]{path.expand()}} will be called on this value)}

\item{out_dir}{path to the directory for the Parquet files. (\code{\link[=path.expand]{path.expand()}} will be called on this value)
If the directory does not exist it will be created. If no directory is specified
a temporary directory will be created and used. You should call \code{\link[=unlink]{unlink()}}
on this path (with \code{recursive = TRUE}, since it is a directory) if you used a temporary directory.}

\item{zeek_opts}{extra options passed to the Zeek command line. NOTE: \code{--no-checksums},
\code{LogAscii::use_json=T}, and \code{Log::default_scope_sep='_'} are already handled by
this function; no need to specify them.}

\item{...}{extra named parameters passed on to \code{\link[arrow:write_parquet]{arrow::write_parquet()}}}
}
\value{
length 1 character vector of the expanded path of the \code{out_dir}
}
\description{
Process a PCAP with Zeek and create Parquet files
}
\note{
the \code{zeek} binary \strong{must} be available on \code{PATH}. You can use the
environment variable \code{ZEEK_PATH} as a hint for where \code{\link[=find_zeek]{find_zeek()}} will
look for the \code{zeek} binary.
}
\examples{
loc <- tryCatch(
  pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr")),
  error = function(e) message("No Zeek") # message() returns NULL, so loc is NULL on failure
)

if (!is.null(loc)) {
  read_zeek_logs(loc)
  # don't do this IRL until you're done working with or saving the logs.
  # recursive = TRUE is required because loc is a directory.
  unlink(loc, recursive = TRUE)
}
}