[Zeek-Dev] Dealing with directional out-of-order packet?

Song oldpopsong at qq.com
Sat Jul 6 22:08:12 PDT 2019


Thank you for your advice.


I agree with you that it is a capture setup problem so I gave up.


Just for the record, if anybody wants to try to fix this kind of out-of-order,
avoid accessing the derived analyzer class in the .pac file; just use the base
class TCP_ApplicationAnalyzer, like below:


%extern{
#include "analyzer/protocol/tcp/TCP.h"
%}

refine connection HBASE_Conn += {
    %member{
        // gap recording structure
    %}

    function set_gap(seq: uint64, len: int, orig: bool): void
        %{
        if (orig)
            ...;
        else
            ...;
        %}

    function proc_hbase_preamble(msg: HBASE_Preamble): bool
        %{
        // Cast only to the base class; the derived analyzer type is not needed here.
        auto t = ((analyzer::tcp::TCP_ApplicationAnalyzer *)
            (bro_analyzer()))->TCP();
        // ... rest of the handler as in the original post
        return true;
        %}
};

If you try to type cast bro_analyzer() back to the original
analyzer::HBase::HBASE_Analyzer *, then you may encounter a
troublesome header file circular reference/forward declaration
problem.


Then just call your set_gap() in HBASE_Analyzer::Undelivered()
method like this:


void HBASE_Analyzer::Undelivered(uint64 seq, int len, bool orig)
    {
    tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
    had_gap = true;
    interp->NewGap(orig, len);
    interp->set_gap(seq, len, orig);
    }



And don't forget to remove the return statement in the
HBASE_Analyzer::DeliverStream() method when had_gap is true.



And remember that the gapped data will be processed normally
when they finally arrive.



Obviously the real implementation code will be a mess.


song
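As an added illustration (not code from the post, and not Zeek's own code), the following stand-alone C++ model shows what the bookkeeping described above does: Undelivered() records a gap for one direction and drops that direction's half-buffered message, while DeliverStream() keeps parsing after a gap instead of returning early. The class name GapAwareAnalyzer, the set_gap() helper and the 4-byte big-endian length-prefixed message format are assumptions made for this demo; the stop_on_gap flag exists only to contrast the "return when had_gap" behaviour with the corrected one.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Stand-alone model (not Zeek code) of per-direction gap bookkeeping.
// Names and the message framing below are assumptions for this demo.
struct GapRecord {
    uint64_t seq;  // first missing sequence number
    int len;       // number of missing bytes
};

class GapAwareAnalyzer {
public:
    explicit GapAwareAnalyzer(bool stop_on_gap) : stop_on_gap_(stop_on_gap) {}

    // Modelled Undelivered(): the reassembler skipped [seq, seq+len) in one direction.
    void Undelivered(uint64_t seq, int len, bool orig) {
        had_gap_ = true;
        set_gap(seq, len, orig);
        buf_[orig].clear();  // a gap invalidates a half-buffered message in that direction only
    }

    // Modelled DeliverStream(): contiguous in-order bytes for one direction.
    void DeliverStream(const uint8_t* data, int len, bool orig) {
        if (stop_on_gap_ && had_gap_)
            return;  // the early return the post says to remove
        auto& b = buf_[orig];
        b.insert(b.end(), data, data + len);
        // Parse every complete 4-byte big-endian length-prefixed message.
        while (b.size() >= 4) {
            uint32_t n = (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
                         (uint32_t(b[2]) << 8) | uint32_t(b[3]);
            if (b.size() < 4 + size_t(n))
                break;  // wait for the rest of this message
            messages_[orig].emplace_back(b.begin() + 4, b.begin() + 4 + n);
            b.erase(b.begin(), b.begin() + 4 + n);
        }
    }

    bool HadGap() const { return had_gap_; }
    size_t GapCount(bool orig) const {
        auto it = gaps_.find(orig);
        return it == gaps_.end() ? 0 : it->second.size();
    }
    size_t MessageCount(bool orig) const {
        auto it = messages_.find(orig);
        return it == messages_.end() ? 0 : it->second.size();
    }

private:
    // The per-direction "gap recording structure" the post leaves elided.
    void set_gap(uint64_t seq, int len, bool orig) { gaps_[orig].push_back({seq, len}); }

    bool stop_on_gap_;
    bool had_gap_ = false;
    std::map<bool, std::vector<GapRecord>> gaps_;
    std::map<bool, std::vector<uint8_t>> buf_;
    std::map<bool, std::vector<std::string>> messages_;
};

// Build one length-prefixed frame (constructed sample data).
static std::vector<uint8_t> Frame(const std::string& payload) {
    uint32_t n = uint32_t(payload.size());
    std::vector<uint8_t> f = {uint8_t(n >> 24), uint8_t(n >> 16), uint8_t(n >> 8), uint8_t(n)};
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

struct ScenarioResult {
    size_t orig_msgs, resp_msgs, orig_gaps, resp_gaps;
    bool had_gap;
};

// Constructed scenario: one originator request is cut off by a gap, then traffic continues.
ScenarioResult RunScenario(bool stop_on_gap) {
    GapAwareAnalyzer a(stop_on_gap);
    const bool ORIG = true, RESP = false;
    auto feed = [&](const std::vector<uint8_t>& bytes, bool dir) {
        a.DeliverStream(bytes.data(), int(bytes.size()), dir);
    };

    feed(Frame("GET"), ORIG);                         // complete request (7 bytes)
    feed(Frame("OK"), RESP);                          // complete response
    std::vector<uint8_t> partial = {0, 0, 0, 5, 'H'}; // header + 1 of 5 payload bytes
    feed(partial, ORIG);
    a.Undelivered(12, 10, ORIG);                      // rest of that request never arrives
    std::vector<uint8_t> f = Frame("PUT!");
    std::vector<uint8_t> head(f.begin(), f.begin() + 5), tail(f.begin() + 5, f.end());
    feed(head, ORIG);                                 // next request split across two deliveries
    feed(tail, ORIG);
    feed(Frame("DONE"), RESP);
    return {a.MessageCount(ORIG), a.MessageCount(RESP), a.GapCount(ORIG), a.GapCount(RESP), a.HadGap()};
}

int main() {
    for (bool stop : {false, true}) {
        ScenarioResult r = RunScenario(stop);
        std::printf("stop_on_gap=%d: orig msgs=%zu resp msgs=%zu orig gaps=%zu resp gaps=%zu\n",
                    stop, r.orig_msgs, r.resp_msgs, r.orig_gaps, r.resp_gaps);
    }
    return 0;
}
```

With the early return removed, the second request and the second response are still parsed after the gap, and the gap is attributed to the originator direction only; with the early return kept, everything after the gap in both directions is lost.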

------------------ Original ------------------
From:  "Jon Siwek";<jsiwek at corelight.com>;
Date:  Jun 26, 2019
To:  "Song"<oldpopsong at qq.com>; 
Cc:  "zeek-dev at zeek.org"<zeek-dev at zeek.org>; 
Subject:  Re: [Zeek-Dev] Dealing with directional out-of-order packet?



On Mon, Jun 24, 2019 at 6:34 PM Song <oldpopsong at qq.com> wrote:

> So my question is: is this other-side gap information available in
> Binpac?

Is it already available in the form you'd prefer?  Possibly not.  You
can maybe look at whether TCP_Analyzer::IsPartial() and
TCP_Analyzer::HadGap() could be used to detect the situation.

Can the exact information you want be made available?  If this is in
the context of your own custom analyzer, you can store any arbitrary
state in the analyzer that you want and access it from BinPAC code.

Ideally, this sounds like something to fix in the capture setup, not
to try to generally workaround in BinPAC/Zeek.

- Jon