<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.13" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008><SPAN class=359085017-02122008>Hi
Ruoming,</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008><SPAN
class=359085017-02122008></SPAN></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=609291914-02122008><FONT face=Arial><FONT
color=#0000ff><FONT size=2>Thanks for the answer. First, I would like to
say how impressed I am with binpac capabilities and the approach used.
Once I had a test environment set up and went over the sample<SPAN
class=359085017-02122008>s</SPAN> and documentation, I was able to develop a
fairly extensive decoder for a relatively complex protocol (IIOP) in just a day
or so<SPAN class=359085017-02122008> (took longer to go over the protocol
specs).</SPAN></FONT></FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008>Regarding the issue in question, the padding is
not always at the end. Depending on <SPAN
class=359085017-02122008>some</SPAN> protocol data (i.e. version), the
ByteArray record can be either in mid packet or at the end. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008>Things are complicated by the fact that this
record is part of other records (that ultimately depend on version)<SPAN
class=359085017-02122008> - and I would not like to duplicate
records with every version.</SPAN> </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=609291914-02122008><FONT color=#0000ff>As of
now I have found a solution by changing pac_record.cc:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=609291914-02122008><FONT
color=#0000ff></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=609291914-02122008><FONT
color=#0000ff> void RecordPaddingField::GenFieldEnd(Output* out_cc, Env*
env, const DataPtr& field_begin)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008>.............</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008>case PAD_TO_NEXT_WORD:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008>.....</SPAN></FONT></DIV>
<DIV dir=ltr align=left><SPAN class=609291914-02122008><FONT face=Arial><FONT
color=#0000ff><FONT size=2>// new code:<SPAN class=359085017-02122008> <SPAN
class=359085017-02122008><FONT face=Arial color=#0000ff size=2>disable the
padding if exceeds the packet size (not sure about all
implications)</FONT></SPAN></SPAN></FONT></FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=609291914-02122008> out_cc->println("%s = (%s == 0 ||
(%s + %s > %s)) ? 0 : %d -
%s;",<BR> padding_var,<BR> padding_var,<BR> padding_var,<BR> field_begin.ptr_expr(),<BR> env->RValue(end_of_data),<BR> wordsize_,<BR> padding_var);</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=609291914-02122008>//
original code:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2> //
out_cc->println("%s = (%s == 0) ? 0 : %d -
%s;",<BR> // padding_var,<BR> // padding_var,<BR> // wordsize_,<BR> // padding_var);</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
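<DIV>Review bot: in the new println for PAD_TO_NEXT_WORD, the bounds test (%s + %s &gt; %s) adds padding_var to field_begin.ptr_expr() before padding_var has been turned into wordsize_ - padding_var by the "? 0 : %d - %s" arm, so the value being compared against end_of_data is not the number of bytes the field goes on to skip. The two coincide for the sample in this thread (2 of 4), but not in general; compare wordsize_ - padding_var against the bytes left before end_of_data instead. Separately, the change sets the padding to 0 for any record whose padding runs past end_of_data, including a truncated record in mid-message that used to raise out_of_bound; consider restricting it to the case where field_begin is exactly at end_of_data.</DIV>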
<DIV><SPAN class=359085017-02122008><FONT face=Arial color=#0000ff size=2>Any
feedback will be highly appreciated.</FONT></SPAN></DIV>
<DIV><SPAN class=359085017-02122008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359085017-02122008><FONT face=Arial color=#0000ff size=2>Thank
you,</FONT></SPAN></DIV>
<DIV><SPAN class=359085017-02122008><FONT face=Arial color=#0000ff
size=2>Laurentiu</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV></DIV><BR>
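<DIV>The record layout and the end-of-packet case discussed in this thread, as an added example that is not code from either poster or from binpac: a hand-written C++ parser for the ByteArray record with align-4 padding, under a strict policy and under one that tolerates missing padding only when the record ends the packet exactly. PadPolicy, parse_byte_array, kTail and kMid are hypothetical names; a big-endian len (as in the 00 00 00 02 sample) and alignment counted from the start of the buffer are assumptions.</DIV>

```cpp
// Added example, not binpac-generated code. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

enum class PadPolicy { Strict, AllowMissingAtEnd };

struct ByteArray {
    std::vector<uint8_t> data;
    size_t consumed = 0;  // bytes used from `off`, padding included
};

// Constructed samples: the thread's 6-byte tail, and the record mid-packet.
const std::vector<uint8_t> kTail = {0, 0, 0, 2, 0xAA, 0xBB};
const std::vector<uint8_t> kMid = {0, 0, 0, 2, 0xAA, 0xBB, 0, 0, 0, 0, 0, 0};

// Parses len (uint32, big-endian as in the sample), data[len], then padding to
// the next 4-byte boundary counted from the start of `buf` (an assumption).
// Returns false where the thread reports binpac raising out_of_bound.
bool parse_byte_array(const std::vector<uint8_t>& buf, size_t off,
                      PadPolicy policy, ByteArray& out) {
    const size_t kWord = 4;
    if (off > buf.size() || buf.size() - off < 4) return false;
    const uint32_t len = (uint32_t(buf[off]) << 24) | (uint32_t(buf[off + 1]) << 16) |
                         (uint32_t(buf[off + 2]) << 8) | uint32_t(buf[off + 3]);
    size_t pos = off + 4;
    // Compare len with the bytes left; computing pos + len first could overflow.
    if (len > buf.size() - pos) return false;
    out.data.assign(buf.begin() + pos, buf.begin() + pos + len);
    pos += len;
    size_t pad = (kWord - pos % kWord) % kWord;  // bytes to skip, not the remainder
    const size_t left = buf.size() - pos;
    if (pad > left) {
        // Tolerate missing padding only when the record ends the packet
        // exactly; a partially present pad is still rejected.
        if (policy != PadPolicy::AllowMissingAtEnd || left != 0) return false;
        pad = 0;
    }
    out.consumed = pos + pad - off;
    return true;
}
```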
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> ruoming@gmail.com
[mailto:ruoming@gmail.com] <B>On Behalf Of </B>Ruoming Pang<BR><B>Sent:</B>
Monday, December 01, 2008 9:03 PM<BR><B>To:</B> Cucos, Laurentiu<BR><B>Cc:</B>
Bro@bro-ids.org<BR><B>Subject:</B> Re: [Bro] FW: binpac related
question<BR></FONT><BR></DIV>
<DIV></DIV>Hi Laurentiu,
<DIV><BR></DIV>
<DIV>Is the padding always at the end? If so, you can use:</DIV>
<DIV><BR></DIV>
<DIV>padding: bytestring &restofdata;</DIV>
<DIV><BR></DIV>
<DIV>Ruoming<BR><BR>
<DIV class=gmail_quote>2008/12/1 Cucos, Laurentiu <SPAN dir=ltr><<A
href="mailto:Laurentiu.Cucos@compuware.com">Laurentiu.Cucos@compuware.com</A>></SPAN><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV>
<P><FONT face=Arial color=#000000 size=2>Hi All,</FONT> </P>
<P><FONT face="Times New Roman">Trying to use binpac to create a new protocol
analyzer I ran into a small issue relative to byte alignment. I am thinking
this must be a known aspect however I didn't find much documentation about it.
</FONT></P>
<P><FONT face="Times New Roman">Padding in binpac works well inside the
packet. However, sometimes the packet ends with a structure that requires
padding but the packet doesn't carry the extra bytes for the padding. As a
result binpac fires an exception and the parsing is terminated before
extracting the data. </FONT></P>
<P><FONT face="Times New Roman">Here is a sample code:</FONT> <BR><FONT
face="Times New Roman">type ByteArray = record{</FONT>
<BR> <FONT
face="Times New Roman">len : uint32;</FONT>
<BR> <FONT
face="Times New Roman">data: uint8[len];
</FONT><BR> <FONT
face="Times New Roman">pad : padding align 4;</FONT> <BR><FONT
face="Times New Roman">};</FONT> </P>
<P><FONT face="Times New Roman">When the last 6 bytes of a packet that ends
with the above record are: 00 00 00 02 AA BB (with:
len=00 00 00 02; data ={AA, BB}) binpac throws: </FONT></P>
<P><FONT face="Times New Roman">0.000000 binpac exception: binpac exception:
out_of_bound: ByteArray: 8 > 6</FONT> </P><BR>
<P><FONT face="Times New Roman">Removing the padding entry from the code above
results in a correct execution, however the padding is needed for the case
when ByteArray is strictly inside the packet. </FONT></P>
<P><FONT face="Times New Roman">The solution I am thinking is way too complex
(pass some arguments that will help decide if the padding is needed), but I
was wondering if there is a much more elegant approach.</FONT></P>
<P><FONT face="Times New Roman">Another option will be to change the binpac
compiler code (pac_record.cc) in method: void
RecordPaddingField::GenFieldEnd(Output* out_cc, Env* env, const DataPtr&
field_begin) but I am thinking this case should be covered in a different
way.</FONT></P>
<P><FONT face="Times New Roman">Any suggestions would be greatly
appreciated.</FONT> </P>
<P><FONT face="Times New Roman">Thank you,</FONT> <BR><FONT
face="Times New Roman">Laurentiu Cucos</FONT> </P><BR><BR></DIV></DIV><BR>_______________________________________________<BR>Bro
mailing list<BR><A href="mailto:bro@bro-ids.org">bro@bro-ids.org</A><BR><A
href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro"
target=_blank>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro</A><BR></BLOCKQUOTE></DIV><BR></DIV></BODY></HTML>