<font><font face="arial,helvetica,sans-serif"><br></font></font><br><div class="gmail_quote">On Mon, Feb 11, 2013 at 10:00 AM, Robin Sommer <span dir="ltr"><<a href="mailto:robin@icir.org" target="_blank">robin@icir.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
On Sun, Feb 10, 2013 at 15:48 -0600, you wrote:<br>
<br>
> Unfortunately, yes, you needed the &length field. Otherwise:<br>
><br>
> /home/****/bro/src/dnp3-protocol.pac:42: error : cannot handle incremental<br>
> input<br>
<br>
</div>Too bad, that sounds like a case it should be able to support rather<br>
easily.<br>
<div class="im"><br>
> Then the interesting question is when binpac can handle incremental input?<br>
<br>
</div>I have no idea ... It might actually be worth looking at the code and<br>
see where it stumbles. And/or try the dce_rpc approach as we<br>
discussed.<br></blockquote><div><br>Reaching a stuck point. I included some of my studies here and also my question. <br><br><br>**********************************************************************************************<br>
In dce_rpc, it is actually easy for his purpose. <br><br>type DCE_RPC_PDU = record {<br> # Set header's byteorder to little-endian (or big-endian) to<br> # avoid cyclic dependency.<br> header : DCE_RPC_Header;<br>
frag : bytestring &length = body_length;<br> auth : DCE_RPC_Auth(header);<br>} &let {<br> body_length: int =<br> header.frag_length - sizeof(header) - header.auth_length;<br>
frag_reassembled: bool =<br> $context.flow.reassemble_fragment(frag, header.lastfrag);<br> body: DCE_RPC_Body(header)<br> withinput $context.flow.reassembled_body()<br> &if frag_reassembled;<br>
} &byteorder = header.byteorder,<br> &length = header.frag_length; # length of the PDU<br><br>frag already receive byte string, so it uses a separate flow buffer to reorder or reassemble the byte string in frag. <br>
"withinput" can be understood as take the following bytes as byte string and give it to "body" to parse. <br><br>**************************************************************************************************<br>
<br>I need to play flow_buffer_. The flow buffer object that is directly used by binpac. <br><br>Let's say I have two network packets of 28 bytes. <br>1 2 3 ....28<br><br>29 30 ... 56<br><br>If I define a record like following to parse network packets:<br>
<br>type req = record {<br> header: Header; #(8 bytes)<br> payload : uint16 (2bytes)<br>} &length = 10<br>&let{<br> incBuff : bool = $context.flow.increaseBuffer(18); <br>}<br> <br>See that I fixed the length of req record with correct length. In increaseBuffer function, I directly call GrowFrame function. This can increase flow buffer from 10 to 18. Then I can see binpac do incremental parsing. Binpac does not care at all where those bytes spanned, it just parse like<br>
1 2 3 ....18<br>19 ... 36<br>37 ... 54. <br>55, 56 (probably discarded)<br><br>However, the problem is that I can not read bytestring stored in the flow buffer if it is spanned in two network packets. I try to use flow_buffer_->begin and ->end to read the starting and ending point of the flow buffer. But that only works for my manually increase flow buffer within same network packet (because bytes are all ready). When flow buffer is spanned into two network packet (like, 19...36), the flow buffer still fetch data, but I can not use begin and end function, as the bytes are not ready (assert is generated). Also those bytes are not associated with any record member. So I could not catch those bytes. These bytes are what I need for parsing. So any idea to solve this?<br>
<br>Two more study experiments are under go....To be continued. <br><br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
Robin<br>
<br>
--<br>
Robin Sommer * Phone <a href="tel:%2B1%20%28510%29%20722-6541" value="+15107226541">+1 (510) 722-6541</a> * <a href="mailto:robin@icir.org">robin@icir.org</a><br>
ICSI/LBNL * Fax <a href="tel:%2B1%20%28510%29%20666-2956" value="+15106662956">+1 (510) 666-2956</a> * <a href="http://www.icir.org" target="_blank">www.icir.org</a><br>
</div></div></blockquote></div><br>