Repro is with Zui commit e1da723.

I recently went to update the Custom Brimcap Config article and found something had stopped working since I last ran through the steps. In that doc, logs for a pcap are loaded using Zeek & Suricata that are not the ones bundled with Brimcap, since the doc wants to show users the a la carte steps for working with customized analyzers. What I found was that the Packets button (the shark fin icon) was not becoming active when I clicked on normally eligible Zeek records that I'd loaded.

@jameskerr helped me find the root cause. The problem relates to this chunk of code, which gets called when the user clicks on a record.

The community_id field is present in all the logs generated by the Zeek that we bundle with Brimcap since it includes a non-default Community ID package. However, an out-of-the-box Zeek does not have Community ID enabled by default, so that is(community_id, <string>) check fails 100% of the time on such Zeek logs and the fin never lights up.

I show the effect in the attached video where I have two conn logs generated from the same pcap using out-of-the-box Zeek v6.0.0. The first log is with Zeek in its default config such that the community_id field is not present, and in the second I've uncommented the necessary line in my local.zeek config so that community_id is present. As it shows, in the latter case the Packets fin does indeed become active. It shows "no packets found" when clicked because I didn't happen to have the Brimcap packet index populated, but that's a separate topic.