<font size="4"><font face="times new roman,serif">It is the DNP3 protocol. I kind of refer to the modbus protocol that shared from Dina. In modbus, the header contain the length field, so it is straightforward to set the length of the flowunit. But DNP3 does not contain such field to directly indicate the length of the application level fragment. <br>
</font></font><div><font class="Apple-style-span" face="'times new roman', serif" size="4"><br></font></div><div><font class="Apple-style-span" face="'times new roman', serif" size="4">The structure is kind of more complex. Some request will contain addition headers and objects, so you can only know the length of the whole fragment when you parse them all. Or at least parse this additional header (but there is also no length field in this additional header). I don't quite follow what do you mean "framing it to the packet". Any further suggestion?</font></div>
<div><font class="Apple-style-span" face="'times new roman', serif" size="4"><br></font><div class="gmail_quote">On Wed, Jul 20, 2011 at 9:56 PM, Seth Hall <span dir="ltr"><<a href="mailto:seth@icir.org">seth@icir.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im"><br>
On Jul 21, 2011, at 12:41 AM, Hui Lin wrote:<br>
<br>
> XXX_Request is the flowunit data. My problem is that after header is parsed, I still don't know the length of the whole XXX_Request data unit.<br>
<br>
</div>Presumably this is for the DNP3 protocol? There isn't any framing around the request with the length? Are they framing it to the packet perhaps? (I'm running into sort of similar trouble with the SSL analyzer and binpac doesn't let you frame to the packets).<br>
<br>
I don't think you can use datagram if the protocol you're working on is TCP since the packets could be fragmented or out of order. I'd love to be proven wrong though....<br>
<br>
.Seth<br>
<font color="#888888"><br>
--<br>
Seth Hall<br>
International Computer Science Institute<br>
(Bro) because everyone has a network<br>
<a href="http://www.bro-ids.org/" target="_blank">http://www.bro-ids.org/</a><br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Hui Lin<br>Research Assistant<br>DEPEND Research Group, ECE Department<br>University of Illinois at Urbana-Champaign<br><a href="mailto:hlin33@illinois.edu" target="_blank">hlin33@illinois.edu</a><br>
</div>