[Bro] Binpac http

Matt Thompson mthompson at hexwave.com
Tue Apr 3 09:52:36 PDT 2012

I also tried using &restofdata instead of &restofflow.

The BinPAC user guide says &restofdata will grab the rest of the data
available in the FlowBuffer. Using &restofdata results in the binpac
compiler returning "error: cannot handle incremental input".

It just occurred to me that I'm not indicating that the flow has "ended"
so how is it to know that &restofflow is satisfied? Am I missing an API
call other than NewData()?

Matt Thompson

On 4/3/12 11:36 AM, Matt Thompson wrote:
> Hi,
> I'm new to binpac but really like the concept (sick of hand writing
> protocol decoders). I'm working on using binpac in a project to decode
> pcap files. I have http mostly working but came across a problem with
> getting the response body from responses that don't have a
> content-length header.
> RFC2616 section 4.4 5) says that the message length can be determined by
> the server closing the connection. I think that the server must use a
> Connection: close header if it's going to close the connection after the
> response. How can I express this in binpac? I can add another delivery
> mode and set that based on the presence of the Connection: close header
> but am a little unclear on how to get the rest of the flow.
> I'm setting delivery_mode_ = CLOSE if Content-Length doesn't exist and
> Connection: close does exist.
> In HTTP_Body I've added a CLOSE -> rest: bytestring &restofflow &chunked;
> I have:
> refine typeattr HTTP_Body += &let {
>     process_message: bool = http_body($context.connection.http_conn, body);
> };
> http_body() is never called unless there is a Content-Length.
> Any thoughts?
> Regards,
> Matt Thompson
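The situation described in this thread, modelled as an added example: a toy Python parser, not binpac output and not code from the poster or the Bro project (`BodyParser`, `new_data`, `flow_eof`, `pick_mode` and `run` are hypothetical names, and the segments are constructed). A body delimited by connection close can only be handed to the callback once the caller signals end of flow, while a Content-Length body completes on data alone; the mode selection follows the rule stated in the quoted message.

```python
# Added example: toy incremental parser, not binpac-generated code; all names are hypothetical.
CONTENT_LENGTH, CLOSE, NONE = "content-length", "close", "none"

def pick_mode(headers):  # delivery-mode rule as stated in the thread
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "content-length" in h:
        return CONTENT_LENGTH, int(h["content-length"])
    if h.get("connection", "").lower() == "close":
        return CLOSE, None
    return NONE, None  # neither rule applies; this model delivers no body

class BodyParser:
    def __init__(self, headers, on_body):
        self.mode, self.remaining = pick_mode(headers)
        self.buf = bytearray()
        self.on_body = on_body  # callback, plays the role of http_body()
        self.done = self.mode == NONE

    def new_data(self, data):  # feed one segment; True once the body was delivered
        if self.done:
            return True
        if self.mode == CONTENT_LENGTH:
            take = data[: self.remaining]
            self.buf += take
            self.remaining -= len(take)
            if self.remaining == 0:
                self._deliver()
        else:
            # CLOSE: more bytes may always follow, so data alone never completes it.
            self.buf += data
        return self.done

    def flow_eof(self):  # the sender closed the connection
        if not self.done and self.mode == CLOSE:
            self._deliver()
        return self.done

    def _deliver(self):
        self.done = True
        self.on_body(bytes(self.buf))

def run(headers, segments, send_eof):  # replay segments, return delivered bodies
    bodies = []
    p = BodyParser(headers, bodies.append)
    for s in segments:
        p.new_data(s)
    if send_eof:
        p.flow_eof()
    return bodies
```

Calling `run({"Connection": "close"}, [b"hel", b"lo"], False)` returns an empty list, which mirrors the symptom in the thread: the callback is never invoked until end of flow is signalled.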