[Bro] Triggering events on incomplete PDUs

Rafael Barbosa rrbarbosa at gmail.com
Tue Apr 28 02:24:37 PDT 2015


Hi,

I realize that I might not have included enough details. Attached I am
sending the dlms-protocol.pac and dlms-analyzer.pac I created to process
DLMS traffic.

My current goal is to extract the fields on the wrapper (DLMS_Wrapper) even
when the message body (DLMS_Request/DLMS_Reply) is not complete in the
captured traffic. As is, all events I defined are only triggered when a
full PDU is present.

I could not find any information on how to trigger events on incomplete PDUs
on the bro website or mailing list, so any help is welcome.

I can also send the other files in my DLMS analyzer, and generate an
example pcap file for testing, if necessary.

Thanks,
Rafael


Rafael Barbosa

On Wed, Apr 22, 2015 at 11:34 AM, Rafael Barbosa <rrbarbosa at gmail.com>
wrote:

> Hi,
>
> I am implementing a simple protocol analyzer for DLMS (smart metering
> protocol), and I am trying to understand how the events are triggered.
>
> Basically, I am interested in the first few bytes of the PDU, which
> identify the types of requests/responses (e.g.: read, write,
> authentication, etc). I implemented an analyzer for these bytes based on
> the other protocols available, and I am able to trigger some events with
> the values I need when parsing an example file.
>
> However, the event only seems to be triggered when the full PDU is
> available. This is a big problem because the `snaplen` used for the capture
> was quite small, thus most of the PDUs are incomplete.
>
> My question is: Is there a way that I can force an event to be
> triggered as soon as the first few bytes are available?
>
> Best,
> Rafael Barbosa
> Research Consultant
> www.encs.eu
>
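One way to get the wrapper fields out before the body has arrived, as an added sketch that is not Rafael's attached code (the attachments are not reproduced here): parse the wrapper as its own record, hang the event hook off that record rather than off the whole PDU, and drive parsing with `flowunit` so the PDU is consumed incrementally. It assumes BinPAC evaluates a sub-record's `&let` fields as soon as that sub-record is parsed; the names `DLMS_Conn`, `DLMS_Flow`, `proc_dlms_wrapper`, the `dlms_wrapper` event and its `.bif` declaration are all assumed.

```binpac
# dlms-protocol.pac (layout assumed here): the 8-byte wrapper is a record of
# its own, so it finishes parsing before the body is even looked at.
type DLMS_Wrapper = record {
    version   : uint16;   # 0x0001 for the COSEM/DLMS TCP wrapper
    src_wport : uint16;
    dst_wport : uint16;
    length    : uint16;   # length of the body that follows
} &byteorder = bigendian;

type DLMS_PDU(is_orig: bool) = record {
    wrapper : DLMS_Wrapper;
    # Opaque stand-in for DLMS_Request/DLMS_Reply; the real case type goes here.
    body    : bytestring &length = wrapper.length;
} &byteorder = bigendian;

# dlms-analyzer.pac (names assumed): flowunit parsing feeds the PDU
# incrementally, and the event hook is attached to the wrapper record.
analyzer DLMS withcontext {
    connection : DLMS_Conn;
    flow       : DLMS_Flow;
};

connection DLMS_Conn(bro_analyzer: BroAnalyzer) {
    upflow   = DLMS_Flow(true);
    downflow = DLMS_Flow(false);
};

flow DLMS_Flow(is_orig: bool) {
    flowunit = DLMS_PDU(is_orig) withcontext(connection, this);
};

refine flow DLMS_Flow += {
    # Assumes events.bif declares:
    # event dlms_wrapper%(c: connection, is_orig: bool, version: count,
    #                     src_wport: count, dst_wport: count, len: count%);
    function proc_dlms_wrapper(w: DLMS_Wrapper): bool
        %{
        BifEvent::generate_dlms_wrapper(connection()->bro_analyzer(),
                                        connection()->bro_analyzer()->Conn(),
                                        is_orig(), ${w.version}, ${w.src_wport},
                                        ${w.dst_wport}, ${w.length});
        return true;
        %}
};

# Evaluated once DLMS_Wrapper itself is fully parsed (8 bytes), i.e. before the
# body is complete, or present at all in a snaplen-truncated capture.
refine typeattr DLMS_Wrapper += &let {
    proc: bool = $context.flow.proc_dlms_wrapper(this);
};
```

Events on the body still only fire for PDUs whose full `length` bytes were captured, so a truncated body will end with a content gap that the analyzer has to tolerate rather than treat as a protocol violation.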
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dlms-analyzer.pac
Type: application/x-ns-proxy-autoconfig
Size: 2509 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150428/66da2808/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dlms-protocol.pac
Type: application/x-ns-proxy-autoconfig
Size: 770 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150428/66da2808/attachment-0001.bin 