[Bro] Triggering events on incomplete PDUs
rrbarbosa at gmail.com
Wed Apr 22 02:34:55 PDT 2015
I am implementing a simple protocol analyzer for DLMS (smart metering
protocol), and I am trying to understand how the events are triggered.
Basically, I am interested in the first few bytes of the PDU, which
identify the types of requests/responses (e.g.: read, write,
authentication, etc). I implemented an analyzer for these bytes based on
the other protocols available, and I am able to trigger some events with
the values I need when parsing an example file.
However, the events only seem to be triggered when the full PDU is
available. This is a big problem because the `snaplen` used for the capture
was quite small, thus most of the PDUs are incomplete.
My question is: Is there a way that I can force an event to be
triggered as soon as the first few bytes are available?