[Bro-Dev] Help with binpac 'cannot handle incremental input'
Jeff Barber
jbarber at computer.org
Fri Jul 8 09:28:16 PDT 2016
I'm looking to develop a new TCP-based protocol parser using binpac.
Getting the 'cannot handle incremental input' error from binpac. But I
don't understand exactly why I'm seeing it. It happens whenever I use
"flowunit = " instead of "datagram = ". I'm literally changing one line
from the skeleton produced by the binpac quickstarter.
Here's what I'm doing. Creating this as a plugin, so I start with
init-plugin:
bro-aux/plugin-support/init-plugin $SRC/analyzer/fob Bro_Fob fob
Next I run the binpac quickstart:
cd ~/src/binpac_quickstart
./start.py fob "FOB Protocol" $SRC/analyzer/fob --tcp --plugin --buffered
If I now configure and make, everything works fine:
cd $SRC/analyzer/fob
./configure --bro-dist=$BRO_SRC
make
But if I edit src/fob.pac to uncomment the "flowunit =" line (and comment
out the datagram line), I get this error from binpac:
src/fob-protocol.pac:18: error : cannot handle incremental input
Thinking it had something to do with the definition of FOB_PDU there
("data: bytestring &restofdata;"), I removed that line so that my PDU
definition is nothing but:
type FOB_PDU(is_orig: bool) = record {
foo: uint32;
} &byteorder=bigendian;
But I still get the error. I've tried the same thing with current master
branch, and with v2.4.1 and an older version I'm using and I get the same
result in each case.
If I remove all fields from the PDU, it compiles, but that's not very
useful. ;)
I know the flowunit feature works. I see it in other analyzers in the
source tree. Seems like I must be missing something simple in the .pac
files. But I can't figure it out from inspection.
Anybody know what's the trick?
Thanks!
Jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160708/dbf4a722/attachment.html
More information about the bro-dev
mailing list