[Bro-Dev] Help creating new analyzer

Kristin Stephens ksteph at cs.berkeley.edu
Fri Apr 15 15:18:53 PDT 2011


On Fri, Apr 15, 2011 at 12:18 PM, Seth Hall <seth at icir.org> wrote:
>
> On Apr 15, 2011, at 2:37 PM, Kristin Stephens wrote:
>
> > Attached are my .pac files. There's close to nothing in them though. I don't use &endofdata anywhere.
>
> I think you found a bug in binpac.  I've noticed that bytestrings aren't handled correctly everywhere as you would expect if they have a static length (as it seems to be happening here).
>
> In bgp-protocol.bro, if you change...
>
>        marker: bytestring &length=16;
> to
>        marker: uint8[16];
>
> that will fix a piece of the problem, but you also need to define the total length of your outer containing unit (BGP_Message).  The following code will do it.
>
> type BGP_Message = record {
>        marker: uint8[16];
>        length: uint16;
>        type: uint8;
>        msg: bytestring &restofdata;
> } &byteorder = bigendian &length=length;
>
> With that change to the BGP_Message, it compiles fine for me.  Looking forward to a BGP analyzer! :)
>

Just for the sake of my own understanding: the changes you made above
say the exact same thing I had originally, except they don't use the
&length attribute. And normally it would work, except there is a bug
with bytestring and setting its &length property?

Kristin
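The framing that Seth's outer record performs (the unit's total size is taken from the header's own length field, and the body is whatever remains inside that bound) can be shown outside binpac. The following Python is an added example, not code from this thread or from Bro/binpac; it is a plain re-implementation of the same framing over a byte stream, not a .pac file. The header layout it assumes comes from RFC 4271 rather than from the thread: a 16-byte marker of all 0xFF, a big-endian uint16 length that counts the whole message including the 19-byte header (valid range 19 to 4096), and a uint8 type. The helper names (`parse_header`, `frame_messages`, `build_message`) and the sample messages are constructed for the example.

```python
"""BGP message framing over a byte stream, the way binpac's
``&length=length`` on the outer record bounds each unit.

Added example; not code from the bro-dev thread or from Bro/binpac.
Header layout assumed from RFC 4271: marker (16 x 0xFF), uint16 length in
network byte order covering header plus body, uint8 message type.
"""
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19        # 16 marker + 2 length + 1 type
MAX_MSG_LEN = 4096     # RFC 4271 maximum message size
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


class BGPFramingError(ValueError):
    """Inconsistent header; an analyzer would flag this and stop parsing the flow."""


def parse_header(buf):
    """Parse one fixed-size header and return (length, type).

    Only the header is examined; the body is left alone, exactly as the
    outer record in the thread does with its 'msg: bytestring &restofdata'.
    """
    if len(buf) < HEADER_LEN:
        raise BGPFramingError("need %d header bytes, have %d" % (HEADER_LEN, len(buf)))
    marker, length, msg_type = struct.unpack("!16sHB", buf[:HEADER_LEN])
    if marker != MARKER:
        raise BGPFramingError("bad marker")
    # The length field counts the header too, so anything below 19 would make
    # the body negative; anything above 4096 exceeds the protocol maximum.
    if not HEADER_LEN <= length <= MAX_MSG_LEN:
        raise BGPFramingError("length %d out of range" % length)
    return length, msg_type


def frame_messages(stream):
    """Split a byte stream into (type_name, body) tuples.

    Returns (messages, unconsumed_tail). A trailing partial message is not
    parsed; it is handed back so the caller can wait for more data, which is
    what binpac does with incremental input once the unit's &length is known.
    """
    messages = []
    offset = 0
    while len(stream) - offset >= HEADER_LEN:
        length, msg_type = parse_header(stream[offset:])
        if len(stream) - offset < length:
            break  # header is complete but the body is not yet; keep the tail
        body = stream[offset + HEADER_LEN:offset + length]
        name = BGP_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type)
        messages.append((name, body))
        offset += length
    return messages, stream[offset:]


def build_message(msg_type, body=b""):
    """Construct a well-formed message for test input (constructed, not captured)."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body


if __name__ == "__main__":
    # Constructed stream: KEEPALIVE, NOTIFICATION (Cease, subcode 0), then a
    # truncated KEEPALIVE that is only 10 bytes long.
    keepalive = build_message(4)
    notification = build_message(3, b"\x06\x00")
    msgs, tail = frame_messages(keepalive + notification + keepalive[:10])
    for name, body in msgs:
        print(name, body.hex())
    print("unconsumed:", len(tail), "bytes")
```

The check that keeps the outer unit consistent is the range test on `length`: binpac applies `&length=length` to the whole record, so a value smaller than the 19-byte header (or larger than the protocol allows) has to be rejected before any sub-field is read, otherwise the "rest of data" body would be computed from a bound that does not cover the fields already parsed.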


