[Bro] Triggering events on incomplete PDUs

Rafael Barbosa rrbarbosa at gmail.com
Wed Apr 22 02:34:55 PDT 2015


I am implementing a simple protocol analyzer for DLMS (smart metering
protocol), and I am trying to understand how the events are triggered.

Basically, I am interested in the first few bytes of the PDU, which
identify the types of requests/responses (e.g.: read, write,
authentication, etc). I implemented an analyzer for these bytes based on
the other protocols available, and I am able to trigger some events with
the values I need when parsing an example file.

However, the event only seems to be triggered when the full PDU is
available. This is a big problem because the `snaplen` used for the capture
was quite small, thus most of the PDUs are incomplete.

My question is: Is there a way that I can force an event to be
triggered as soon as the first few bytes are available?

Rafael Barbosa
Research Consultant
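As an added illustration (not code from the original post, and not Bro/BinPAC code), the following Python sketch shows the parsing structure the question is after: the header bytes are treated as their own parse unit, so the "request type" event is reported as soon as those bytes have arrived, and a PDU whose body was cut off by a small `snaplen` is still reported (as truncated) instead of being silently dropped. The wire format here is hypothetical (a 1-byte type tag plus a 2-byte big-endian body length, not real DLMS), and the tag names and sample chunks are constructed for the example.

```python
"""Incremental PDU parsing: report the request type from the header alone,
then treat the body as a separate, optional unit that may never complete."""

from dataclasses import dataclass

# Hypothetical framing (assumption, NOT the real DLMS encoding):
#   byte 0      : type tag
#   bytes 1..2  : body length, big-endian
#   bytes 3..   : body
HEADER_LEN = 3

# Constructed tag table for the example; real DLMS tags differ.
TAG_NAMES = {
    0x01: "read_request",
    0x02: "write_request",
    0x03: "auth_request",
    0x81: "read_response",
}


@dataclass
class Event:
    kind: str        # "pdu_header", "pdu_complete" or "pdu_truncated"
    tag: str         # decoded request/response type
    body_len: int    # body length declared in the header
    body: bytes = b""


class PduStream:
    """Consumes a byte stream chunk by chunk and emits events incrementally."""

    def __init__(self):
        self.buf = b""
        self.events = []
        self.pending = None  # (tag_name, body_len) once a header is parsed

    def feed(self, data: bytes) -> None:
        self.buf += data
        self._drain()

    def _drain(self) -> None:
        while True:
            if self.pending is None:
                # Header unit: fire the event as soon as HEADER_LEN bytes exist,
                # without waiting for the body.
                if len(self.buf) < HEADER_LEN:
                    return
                tag = self.buf[0]
                body_len = int.from_bytes(self.buf[1:3], "big")
                self.buf = self.buf[HEADER_LEN:]
                name = TAG_NAMES.get(tag, "unknown_0x%02x" % tag)
                self.pending = (name, body_len)
                self.events.append(Event("pdu_header", name, body_len))
            # Body unit: only completes if the declared length actually arrives.
            name, body_len = self.pending
            if len(self.buf) < body_len:
                return
            body, self.buf = self.buf[:body_len], self.buf[body_len:]
            self.events.append(Event("pdu_complete", name, body_len, body))
            self.pending = None

    def end_of_stream(self) -> None:
        """Called when the capture ends; anything still pending was truncated."""
        if self.pending is not None:
            name, body_len = self.pending
            self.events.append(Event("pdu_truncated", name, body_len, self.buf))
        elif self.buf:
            self.events.append(Event("pdu_truncated", "incomplete_header", 0, self.buf))
        self.pending = None
        self.buf = b""


def parse_capture(chunks) -> list:
    """Parse a sequence of byte chunks (e.g. reassembled segments) into events."""
    stream = PduStream()
    for chunk in chunks:
        stream.feed(chunk)
    stream.end_of_stream()
    return stream.events


# Constructed sample: one complete write_request (2-byte body), followed by a
# read_request whose header declares 100 body bytes but only 4 were captured.
# The second header is deliberately split across two chunks.
SAMPLE_CHUNKS = [
    b"\x02\x00\x02AB" + b"\x01",
    b"\x00\x64" + b"xyzw",
]

if __name__ == "__main__":
    for ev in parse_capture(SAMPLE_CHUNKS):
        print(ev.kind, ev.tag, ev.body_len, ev.body)
```

The point of the structure is that the header is decoded and reported by itself, so the reporting step depends only on those first bytes being present; the body is a second unit that may legitimately never finish, and the end-of-stream hook turns that into an explicit "truncated" event rather than a lost PDU.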