[Bro] Triggering events on incomplete PDUs

Rafael Barbosa rrbarbosa at gmail.com
Tue Apr 28 02:24:37 PDT 2015


I realize that I might not have included enough details. Attached I am
sending the dlms-protocol.pac and dlms-analyzer.pac I created to process
DLMS traffic.

My current goal is to extract the fields on the wrapper (DLMS_Wrapper) even
when the message body (DLMS_Request/DLMS_Reply) is not complete in the
captured traffic. As is, all events I defined are only triggered when a
full PDU is present.

I could not find any information on how to trigger events on incomplete PDUs
on the bro website or mailing list, so any help is welcome.

I can also send the other files in my DLMS analyzer, and generate an
example pcap file for testing, if necessary.


Rafael Barbosa

On Wed, Apr 22, 2015 at 11:34 AM, Rafael Barbosa <rrbarbosa at gmail.com>

> Hi,
> I am implementing a simple protocol analyzer for DLMS (smart metering
> protocol), and I am trying to understand how the events are triggered.
> Basically, I am interested in the first few bytes of the PDU, which
> identify the types of requests/responses (e.g.: read, write,
> authentication, etc). I implemented an analyzer for these bytes based on
> the other protocols available, and I am able to trigger some events with
> the values I need when parsing an example file.
> However, the events only seem to be triggered when the full PDU is
> available. This is a big problem because the `snaplen` used for the capture
> was quite small, thus most of the PDUs are incomplete.
> My question is: Is there a way that I can force an event to be
> triggered as soon as the first few bytes are available?
> Best,
> Rafael Barbosa
> Research Consultant
> www.encs.eu
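The behaviour Rafael is after, a wrapper event that fires as soon as the header bytes are present while the body event fires only once the whole PDU has arrived, is easiest to reason about as a stand-alone parsing model before translating it into BinPAC. The following Python is an added example, not the attached dlms-protocol.pac/dlms-analyzer.pac and not Bro code. It assumes the IEC 62056-47 TCP wrapper layout (version, source wPort, destination wPort, length, all 16-bit big-endian, followed by the APDU) and a small APDU tag table taken from the DLMS/COSEM spec; both are assumptions, not stated in the thread, so check them against your own specification. The sample bytes are constructed, with the second PDU cut short to mimic a small `snaplen`.

```python
"""Header-first incremental parsing model for DLMS-over-TCP wrapper frames.

Added illustration for the mailing-list question above; it is not BinPAC and
not the poster's analyzer. Wrapper layout and APDU tags are assumptions.
"""
import struct
from typing import List, Tuple

# IEC 62056-47 wrapper (assumed): version(2) src wPort(2) dst wPort(2) length(2)
WRAPPER_FMT = ">HHHH"
WRAPPER_LEN = struct.calcsize(WRAPPER_FMT)  # 8 bytes

# First APDU byte -> request/response kind (assumed from DLMS/COSEM; verify).
APDU_TAGS = {
    0x60: "AARQ",           # association request (authentication)
    0x61: "AARE",           # association response
    0xC0: "get-request",    # read
    0xC1: "set-request",    # write
    0xC4: "get-response",
    0xC5: "set-response",
}


def build_pdu(src_wport: int, dst_wport: int, apdu: bytes) -> bytes:
    """Build one wrapper frame around an APDU (used only to construct samples)."""
    return struct.pack(WRAPPER_FMT, 1, src_wport, dst_wport, len(apdu)) + apdu


def parse_stream(data: bytes) -> Tuple[List[tuple], int]:
    """Parse as many frames as the captured bytes allow.

    Returns (events, bytes_consumed). A 'dlms_wrapper' event is emitted the
    moment the 8 header bytes are available, independent of the body; a
    'dlms_apdu' event only when the full body is present; otherwise a
    'dlms_pdu_truncated' event records how much of the body was captured.
    Any trailing partial header is left unconsumed for the next segment.
    """
    events: List[tuple] = []
    off = 0
    while len(data) - off >= WRAPPER_LEN:
        version, src, dst, length = struct.unpack_from(WRAPPER_FMT, data, off)
        body = data[off + WRAPPER_LEN: off + WRAPPER_LEN + length]
        # The request/response kind lives in the first body byte, which is
        # usually present even in a short capture; None if nothing was captured.
        kind = APDU_TAGS.get(body[0], "unknown") if body else "unknown"
        # Event 1: fires on the header alone (the DLMS_Wrapper fields).
        events.append(("dlms_wrapper", version, src, dst, length, kind))
        if len(body) < length:
            # Capture ended mid-PDU: report what we saw and stop; without the
            # missing bytes there is no reliable way to find the next header.
            events.append(("dlms_pdu_truncated", len(body), length))
            off += WRAPPER_LEN + len(body)
            break
        # Event 2: fires only on a complete PDU (DLMS_Request/DLMS_Reply).
        events.append(("dlms_apdu", kind, body))
        off += WRAPPER_LEN + length
    return events, off


# Constructed sample: one complete get-request, then a set-request whose
# 20-byte body was cut to 4 bytes by a short snaplen.
FULL_PDU = build_pdu(0x10, 0x01, bytes([0xC0, 0x01, 0xC1, 0x00, 0x03]))
TRUNCATED_PDU = build_pdu(0x10, 0x01, bytes([0xC1, 0x01, 0xC1, 0x00]) + bytes(16))[:WRAPPER_LEN + 4]
SAMPLE = FULL_PDU + TRUNCATED_PDU


if __name__ == "__main__":
    evs, used = parse_stream(SAMPLE)
    for ev in evs:
        print(ev)
    print("consumed", used, "of", len(SAMPLE))
```

The design point is the split into two events with different completeness requirements: the header event needs only the fixed-size wrapper, so it is raised before the parser decides whether the body can be parsed at all. In a BinPAC analyzer the equivalent is to make the wrapper its own record type with its own event hook, rather than hanging every event off the record that also contains the body, so that a truncated body cannot suppress the wrapper event.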
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dlms-analyzer.pac
Type: application/x-ns-proxy-autoconfig
Size: 2509 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150428/66da2808/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dlms-protocol.pac
Type: application/x-ns-proxy-autoconfig
Size: 770 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150428/66da2808/attachment-0001.bin 