[Bro-Dev] Hui Lin_Binpac: handle incremental input for flowunit

Seth Hall seth at icir.org
Thu Jul 21 04:51:48 PDT 2011


On Jul 21, 2011, at 1:18 AM, Hui Lin wrote:

> The structure is kind of more complex. Some requests will contain additional headers and objects, so you can only know the length of the whole fragment when you parse them all. Or at least parse this additional header (but there is also no length field in this additional header). I don't quite follow what you mean by "framing it to the packet". Any further suggestions?

I just mean using the packet length as the length of the request or response.  If that's how the protocol works and if binpac supported it (a lot of "if"s), that would provide you the way to give a length to the top parse unit to avoid the incremental parsing error.

Maybe someone else has a suggestion?  I'm unfortunately out of ideas.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



