[Bro-Dev] BinPac - Many repeated messages in the same packet
Aaron Eppert
aaron.eppert at packetsled.com
Wed Oct 25 16:16:52 PDT 2017
I am running into an implementation issue with BinPac and would hope
to find a few pointers.
I have a protocol that loads a given TCP packet with as many publish
messages as possible in a worst case scenario - often it just has a
single message, but it is not guaranteed. When a publish message
contains more than one subsequent message, there is not an indicator
that another message follows.
The packet looks, generally, like this:
+-------------------------------------+
|              Message 0              |
+-------------------------------------+
|              Message 1              |
+-------------------------------------+
|              Message 2              |
+-------------------------------------+
|                 ...                 |
+-------------------------------------+
|             Message N-2             |
+-------------------------------------+
|             Message N-1             |
+-------------------------------------+
|              Message N              |
+-------------------------------------+
The protocol definition code I have written is as follows:
type SPROTO_messages = record {
	thdr            : uint8;
	hdrlen          : uint8;
	variable_header : case msg_type of {
		SPROTO_CONNECT     -> connect_packet     : SPROTO_connect(hdrlen);
		SPROTO_SUBSCRIBE   -> subscribe_packet   : SPROTO_subscribe(hdrlen);
		SPROTO_SUBACK      -> suback_packet      : SPROTO_suback(hdrlen);
		SPROTO_PUBLISH     -> publish_packet     : SPROTO_publish(hdrlen);
		SPROTO_UNSUBSCRIBE -> unsubscribe_packet : SPROTO_unsubscribe(hdrlen);
		default            -> none               : empty;
	};
} &let {
	msg_type : uint8 = (thdr >> 4);
};

type SPROTO_PDU(is_orig: bool) = record {
	sproto_messages : SPROTO_messages[];
} &byteorder=bigendian;
I can tell via Wireshark that I am definitely missing messages. Any
advice on a better way to implement the above would be greatly
appreciated.
Aaron
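An added example of the usual BinPac pattern for back-to-back messages in one TCP segment (not Aaron's code and not from any analyzer): make a single message the flowunit and give it an explicit &length, so BinPac itself loops over all messages in a segment and buffers a message that is split across segments. It assumes hdrlen counts the bytes that follow it, and that the SPROTO_* constants and SPROTO_connect/SPROTO_subscribe/... types are defined elsewhere in the .pac files.

```binpac
# Added example, not the original post's code.
# Assumption: hdrlen is the number of bytes that follow it in the message,
# so a whole message is hdrlen + 2 bytes (thdr and hdrlen themselves).

type SPROTO_PDU(is_orig: bool) = record {
	thdr   : uint8;
	hdrlen : uint8;
	body   : case msg_type of {
		SPROTO_CONNECT     -> connect_packet     : SPROTO_connect(hdrlen);
		SPROTO_SUBSCRIBE   -> subscribe_packet   : SPROTO_subscribe(hdrlen);
		SPROTO_SUBACK      -> suback_packet      : SPROTO_suback(hdrlen);
		SPROTO_PUBLISH     -> publish_packet     : SPROTO_publish(hdrlen);
		SPROTO_UNSUBSCRIBE -> unsubscribe_packet : SPROTO_unsubscribe(hdrlen);
		# A message type without a case still consumes its hdrlen bytes
		# (the rest of this &length-bounded record), so the message after
		# it is parsed from the correct offset instead of being lost.
		default            -> unknown            : bytestring &restofdata;
	};
} &let {
	msg_type : uint8 = (thdr >> 4);
} &length = hdrlen + 2, &byteorder = bigendian;

# No array of messages: each invocation of the flowunit parses exactly one
# message, and BinPac keeps invoking it while the segment has data left,
# carrying a partial trailing message over to the next segment.
flow SPROTO_Flow(is_orig: bool) {
	flowunit = SPROTO_PDU(is_orig) withcontext(connection, this);
};
```

A quick cross-check when comparing with Wireshark is to count messages per segment with a throwaway event on SPROTO_PDU and compare that count with the number of message dissections Wireshark shows for the same segment.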