<div dir="ltr"><div><div><div>I finally figured out what's happening by looking at the binpac source. Documenting for posterity: <br><br>Apparently if you use "flowunit", you *must* place the &length= on the record (or somewhere in the derived hierarchy of types under the record). I was under the impression that binpac could figure that out implicitly by measuring the size of the types in the record, and that you only needed to use &length when the field length was determined by a previous field value in the record.<br><br></div>So, anyway this works:<br><div style="margin-left:40px">type FOB_PDU(is_orig: bool) = record {<br> foo: uint32;<br>} &byteorder=bigendian <b>&length=4</b>;<br></div><br></div>My real analyzer will of course do this more dynamically. But at least I have a starting point that builds now.<br><br></div>Cheers<br><div><div><div><br><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 8, 2016 at 12:28 PM, Jeff Barber <span dir="ltr"><<a href="mailto:jbarber@computer.org" target="_blank">jbarber@computer.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div>I'm looking to develop a new TCP-based protocol parser using binpac. Getting the 'cannot handle incremental input' error from binpac. But I don't understand exactly why I'm seeing it. It happens whenever I use "flowunit = " instead of "datagram = ". I'm literally changing one line from the skeleton produced by the binpac quickstarter.<br></div>Here's what I'm doing. Creating this as a plugin, so I start with init-plugin:<br><br></div><div style="margin-left:40px">bro-aux/plugin-support/init-plugin $SRC/analyzer/fob Bro_Fob fob<br><br></div>Next I run the binpac quickstart:<br></div><div style="margin-left:40px">cd ~/src/binpac_quickstart<br>./start.py fob "FOB Protocol" $SRC/analyzer/fob --tcp --plugin --buffered<br></div><br></div>If I now configure and make, everything works fine:<br></div><div style="margin-left:40px">cd $SRC/analyzer/fob<br>./configure --bro-dist=$BRO_SRC<br>make<br><br></div>But if I edit src/fob.pac to uncomment the "flowunit =" line (and comment out the datagram line), I get this error from binpac:<br><div style="margin-left:40px">src/fob-protocol.pac:18: error : cannot handle incremental input<br></div><br></div><div>Thinking it had something to do with the definition of FOB_PDU there ("data: bytestring &restofdata;"), I removed that line so that my PDU definition is nothing but:<br><br><div style="margin-left:40px">type FOB_PDU(is_orig: bool) = record {<br> foo: uint32;<br>} &byteorder=bigendian;<br></div><br></div><div>But I still get the error. I've tried the same thing with current master branch, and with v2.4.1 and an older version I'm using and I get the same result in each case.<br><br></div><div>If I remove all fields from the PDU, it compiles, but that's not very useful. ;)<br></div><div><br></div><div>I know the flowunit feature works. I see it in other analyzers in the source tree. Seems like I must be missing something simple in the .pac files. But I can't figure it out from inspection.<br><br>Anybody know what's the trick?<br><br></div><div>Thanks!<span class=""><font color="#888888"><br></font></span></div><span class=""><font color="#888888"><div>Jeff<br><br></div></font></span></div></div>
</blockquote></div><br></div></div></div></div></div></div>