<div class="gmail_quote">On Mon, Aug 29, 2011 at 11:57 AM, Seth Hall <span dir="ltr">&lt;<a href="mailto:seth@icir.org">seth@icir.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im"><br>
On Aug 26, 2011, at 3:12 PM, Hui Lin wrote:<br>
<br>
> Actually, -5 comes from the meaning of the "len" which is specified in the protocol itself. I also tried to add 5 on the &length to the record type. It still generates the same exception. So I guess it is not the overall length of the record, but the length before "rest".<br>
> Your second method to put length on the bytestring instead of record actually generates the incremental input warning.<br>
<br>
</div>Ah, ok. So this is your "top level" data structure?<br>
<br>
It just looks to me like you might be doing your field length calculation wrong. I'd try thinking about it a bit more.<br>
<br>
Alternately, if all of the messages start with "start" and "len" like you have in the record that you sent, you could make a higher level container and apply the length there to provide yourself a framing unit. Like this...<br>
<br>
type Dnp3_Head = record {<br>
start: uint16;<br>
len: uint8;<br>
# len-3 could very well be wrong since I'm probably misunderstanding the protocol.<br>
body: Dnp3_Test &length = len-3;<br>
} &byteorder=bigendian;<br></blockquote><div><br><font size="4">I was doing this before actually. There is still a problem when you put a uint8 data type after this high level record. However, I find that right after the int data type, you have to set a "bytestring" to eliminate this problem. I don't know why. So what I am doing is that I actually defined a dump variable which is of type bytestring with length 0 and it works. </font> <br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
type Dnp3_Test = record {<br>
<div class="im"> ctrl: uint8;<br>
dest_addr: uint16;<br>
src_addr: uint16;<br>
</div> # applying &length to the parent unit should allow us to use &restofdata<br>
rest: bytestring &restofdata;<br>
} &byteorder = bigendian;<br>
<div class="im"><br>
> Actually, I also considered defining "rest" as a uint8[]. But I just don't know how to declare the array type in event.bif. How can I pass the array of uint8 as the input to the event handler?<br>
<br>
</div>I would probably try to avoid doing that unless the data makes sense as an array of ints.<br>
<div><div></div><div class="h5"><br>
.Seth<br>
<br>
--<br>
Seth Hall<br>
International Computer Science Institute<br>
(Bro) because everyone has a network<br>
<a href="http://www.bro-ids.org/" target="_blank">http://www.bro-ids.org/</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Hui Lin<br>Research Assistant<br>DEPEND Research Group, ECE Department<br>University of Illinois at Urbana-Champaign<br><a href="mailto:hlin33@illinois.edu" target="_blank">hlin33@illinois.edu</a><br>
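
The framing approach discussed in this thread (a fixed header whose `len` field bounds the body, with everything left inside that bound taken as `rest`), written out as an added Python example that is not code from the thread or from Bro/binpac. The `len_adjust` parameter, the exception names and the sample bytes are assumptions made for illustration; the thread uses both `len-3` and `len-5` and confirms neither.

```python
import struct

HEAD = struct.Struct(">HB")    # start: uint16, len: uint8   (Dnp3_Head)
FIXED = struct.Struct(">BHH")  # ctrl, dest_addr, src_addr   (Dnp3_Test)

class Incomplete(Exception):
    """Buffer ends before the frame does; wait for more input."""

class Malformed(ValueError):
    """The len field cannot describe a valid frame."""

def parse_frame(buf, len_adjust=3):
    """Parse one frame; return (fields, bytes_consumed).

    len_adjust is an assumption (body length = len - len_adjust).
    """
    if len(buf) < HEAD.size:
        raise Incomplete("header")
    start, length = HEAD.unpack_from(buf, 0)
    body_len = length - len_adjust
    # A small len makes the computed length negative or too short for the
    # fixed fields. Reject it here instead of slicing with a bad bound.
    if body_len < FIXED.size:
        raise Malformed(f"len={length} too small for fixed fields")
    end = HEAD.size + body_len
    if len(buf) < end:
        raise Incomplete("body")
    body = buf[HEAD.size:end]
    ctrl, dest, src = FIXED.unpack_from(body, 0)
    rest = body[FIXED.size:]   # rest-of-data, but only inside the bounded body
    fields = {"start": start, "len": length, "ctrl": ctrl,
              "dest_addr": dest, "src_addr": src, "rest": rest}
    return fields, end

def parse_stream(buf, len_adjust=3):
    """Parse back-to-back frames; the length bound keeps them separate."""
    frames, off = [], 0
    while off < len(buf):
        fields, used = parse_frame(buf[off:], len_adjust)
        frames.append(fields)
        off += used
    return frames

# Constructed sample: two frames, the second with an empty "rest".
SAMPLE = bytes.fromhex("05640ac400010002aabb" "0564084400030004")

if __name__ == "__main__":
    for frame in parse_stream(SAMPLE):
        print(frame)
```

Because `rest` is cut from the length-bounded body rather than from the whole buffer, bytes that follow a frame are left for the next parse step.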