<font size="4"><font face="times new roman,serif">Actually, -5 comes from the meaning of the "len" which is specified in the protocol itself. I also try to add 5 on the &length to the record type. It still generate same exception. So I guess it is not the overall length of the record, but the length before "rest". <br>
Your second method to put length on the bytestring instead of record actually generate the incremental input warning. <br><br>Actually, I also consider about define "rest" as a uint8[]. But I just don't know how to declare the array type in event.bif. How can I pass the array of uint8 as the input to the event handler?<br>
<br><br></font></font><br><div class="gmail_quote">On Fri, Aug 26, 2011 at 12:03 PM, Seth Hall <span dir="ltr"><<a href="mailto:seth@icir.org">seth@icir.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On Aug 26, 2011, at 12:46 PM, Hui Lin wrote:<br>
<br>
> 1217561494.208541 weird: binpac exception: out_of_bound: Dnp3_Test:src_addr: 8 > 3<br>
><br>
> 8 is the size of all data before "rest" the bytestring, and 3 is the size of data "start" and "len". "len" is used to define the &length of this record. It seems that after "len", you can not define extra data, such as "ctrl", "dest_addr" and doing this will generate the above exception. However, if you change the type of all data after "len" into bytestring, then the exception will not happen. But I still want to keep those data as the "uint8". Any suggestion to solve this problem?<br>
<br>
</div>It looks like you probably want to do: &length=(8+len)<br>
<br>
You also forgot to explain what the "5" is for and it looks like binpac tried to parse 5 bytes too far (8>3). From a more broad perspective, if you have framing around this parse unit (&length applied to a parent unit) it probably makes more sense to define this record like this:<br>
<div class="im"><br>
type Dnp3_Test = record {<br>
start: uint16;<br>
len: uint8;<br>
ctrl: uint8;<br>
dest_addr: uint16;<br>
src_addr: uint16;<br>
</div> rest: bytestring &length=len;<br>
} &byteorder = bigendian;<br>
<br>
Binpac shouldn't have any problems with that as long as it can calculate the fully parsed record size based on a parent record. (to avoid complaints about incremental parsing)<br>
<br>
.Seth<br>
<font color="#888888"><br>
--<br>
Seth Hall<br>
International Computer Science Institute<br>
(Bro) because everyone has a network<br>
<a href="http://www.bro-ids.org/" target="_blank">http://www.bro-ids.org/</a><br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Hui Lin<br>Research Assistant<br>DEPEND Research Group, ECE Department<br>University of Illinois at Urbana-Champaign<br><a href="mailto:hlin33@illinois.edu" target="_blank">hlin33@illinois.edu</a><br>