<font size="4"><font face="times new roman,serif">Hi Seth, Here is a piece code from SSL protocol (as you mentioned that you met the similar problem in SSL protocol)<br></font></font><div><div><div><font class="Apple-style-span" face="'times new roman', serif"><div style="font-size: large; ">
<br></div><div>type SSLRecord(is_orig: bool) = record {</div><div> head0 : uint8;</div><div> head1 : uint8;</div><div> head2 : uint8;</div><div> head3 : uint8;</div><div> head4 : uint8;</div>
<div> rec : RecordText(this, is_orig) &requires(content_type), &restofdata;</div><div>} &length = length+5, &byteorder=bigendian,</div><div> &let {</div><div> version : int =</div><div>
$context.analyzer.determine_ssl_version(head0, head1, head2);</div>
<div><br></div><div> content_type : int = case version of {</div><div> UNKNOWN_VERSION -> 0;</div><div> SSLv20 -> head2+300;</div><div> default -> head0;</div>
<div>
};</div><div><br></div><div> length : int = case version of {</div><div> UNKNOWN_VERSION -> 0;</div><div> SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;</div><div>
default -> (head3 << 8) | head4;</div><div> };</div><div>};</div><div style="font-size: large; "><br></div><div style="font-size: large; ">Here the &length is set by its attribute length and length is then decided according to different situation. so I think this might be working in my case? As I can similarly set length to different value according to the function code and then use this to set the &length. </div>
</font></div><div><font class="Apple-style-span" face="'times new roman', serif" size="4"><br></font></div><div><font class="Apple-style-span" face="'times new roman', serif" size="4"><br></font><div class="gmail_quote">
On Thu, Jul 21, 2011 at 4:51 AM, Seth Hall <span dir="ltr"><<a href="mailto:seth@icir.org">seth@icir.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On Jul 21, 2011, at 1:18 AM, Hui Lin wrote:<br>
<br>
> The structure is kind of more complex. Some request will contain addition headers and objects, so you can only know the length of the whole fragment when you parse them all. Or at least parse this additional header (but there is also no length field in this additional header). I don't quite follow what do you mean "framing it to the packet". Any further suggestion?<br>
<br>
</div>I just mean using the packet length as the length of the request or response. If that's how the protocol works and if binpac supported it (a lot of "if"s), that would provide you the way to give a length to the top parse unit to avoid the incremental parsing error.<br>
<br>
Maybe someone else has a suggestion? I'm unfortunately out of ideas.<br>
<div><div></div><div class="h5"><br>
.Seth<br>
<br>
--<br>
Seth Hall<br>
International Computer Science Institute<br>
(Bro) because everyone has a network<br>
<a href="http://www.bro-ids.org/" target="_blank">http://www.bro-ids.org/</a><br>
<br>
</div></div></blockquote></div><br></div></div></div><br clear="all"><br>-- <br>Hui Lin<br>Research Assistant<br>DEPEND Research Group, ECE Department<br>University of Illinois at Urbana-Champaign<br><a href="mailto:hlin33@illinois.edu" target="_blank">hlin33@illinois.edu</a><br>