[Bro-Dev] Help creating new analyzer

Seth Hall seth at icir.org
Fri Apr 15 12:18:18 PDT 2011

On Apr 15, 2011, at 2:37 PM, Kristin Stephens wrote:

> Attached are my .pac files. There's close to nothing in them though. I don't use &endofdata anywhere.

I think you found a bug in binpac.  I've noticed that bytestrings aren't handled correctly everywhere as you would expect if they have a static length (as it seems to be happening here).

In bgp-protocol.bro, if you change...

        marker: bytestring &length=16;
        marker: uint8[16];

that will fix a piece of the problem, but you also need to define the total length of your outer containing unit (BGP_Message).  The following code will do it.

type BGP_Message = record {
        marker: uint8[16];
        length: uint16;
        type: uint8;
        msg: bytestring &restofdata;
} &byteorder = bigendian &length=length;

With that change to the BGP_Message, it compiles fine for me.  Looking forward to a BGP analyzer! :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list