[Bro-Dev] Hui Lin_Binpac: handle incremental input for flowunit

Hui Lin hlin33 at illinois.edu
Wed Jul 20 22:18:34 PDT 2011


It is the DNP3 protocol. I kind of referred to the modbus protocol that was
shared by Dina. In modbus, the header contains the length field, so it is
straightforward to set the length of the flowunit. But DNP3 does not contain
such a field to directly indicate the length of the application level
fragment.

The structure is kind of more complex. Some requests will contain additional
headers and objects, so you can only know the length of the whole fragment
when you parse them all. Or at least parse this additional header (but there
is also no length field in this additional header). I don't quite follow
what you mean by "framing it to the packet". Any further suggestions?

On Wed, Jul 20, 2011 at 9:56 PM, Seth Hall <seth at icir.org> wrote:

>
> On Jul 21, 2011, at 12:41 AM, Hui Lin wrote:
>
> > XXX_Request is the flowunit data. My problem is that after the header is
> > parsed, I still don't know the length of the whole XXX_Request data unit.
>
> Presumably this is for the DNP3 protocol?  There isn't any framing around
> the request with the length?  Are they framing it to the packet perhaps?
> (I'm running into sort of similar trouble with the SSL analyzer and binpac
> doesn't let you frame to the packets).
>
> I don't think you can use datagram if the protocol you're working on is TCP
> since the packets could be fragmented or out of order.  I'd love to be
> proven wrong though....
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>


-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
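
Added example, not part of the thread and not Bro or binpac code: one way to get a unit length for incremental input over TCP is to frame on the DNP3 link layer, whose header carries a LEN byte (a detail of the DNP3 link-layer format that the thread does not discuss). `Dnp3Framer` and `frame_size` are hypothetical names, and CRC values are not verified here.

```python
# Incremental DNP3 link-layer framing over a TCP byte stream (added example).
START = b"\x05\x64"
HEADER_LEN = 10   # start(2) + LEN(1) + CTRL(1) + DEST(2) + SRC(2) + CRC(2)
MIN_LEN = 5       # LEN counts CTRL + DEST + SRC + user data, never the CRCs


def frame_size(length_field):
    """Total on-the-wire size of a frame whose LEN byte is length_field."""
    if length_field < MIN_LEN:
        raise ValueError("LEN below 5 is not a valid DNP3 link frame")
    user = length_field - MIN_LEN
    blocks = (user + 15) // 16          # each block of <=16 bytes carries a CRC
    return HEADER_LEN + user + 2 * blocks


class Dnp3Framer:
    """Buffers arbitrary TCP segment boundaries and emits whole link frames."""

    def __init__(self):
        self.buf = bytearray()
        self.skipped = 0                # bytes dropped while resynchronising

    def feed(self, data):
        self.buf += data
        frames = []
        while True:
            start = self.buf.find(START)
            if start < 0:
                # keep a trailing 0x05 in case 0x64 arrives in the next segment
                keep = 1 if self.buf.endswith(b"\x05") else 0
                self.skipped += len(self.buf) - keep
                del self.buf[:len(self.buf) - keep]
                return frames
            self.skipped += start
            del self.buf[:start]
            if len(self.buf) < 3:
                return frames           # LEN byte has not arrived yet
            try:
                need = frame_size(self.buf[2])
            except ValueError:
                self.skipped += 2       # bogus header: drop start bytes, rescan
                del self.buf[:2]
                continue
            if len(self.buf) < need:
                return frames           # wait for more input
            frames.append(bytes(self.buf[:need]))
            del self.buf[:need]
```

A rising `skipped` counter on a DNP3 connection is worth logging, since it means the stream contained bytes that did not belong to any link frame.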