[Bro] initial buffer length

Hui Lin (Hugo) hlin33 at illinois.edu
Wed May 27 08:02:53 PDT 2015


Hi Abdelkarim,

In the myproto_Header, do you have some definitions of records before
msgSize (whose length is not explicitly specified)? If that is the case,
BinPac cannot decide the initial length in order to locate msgSize.

You may refer to the DNP3 analyzer that I wrote in a similar way.


type Header_Block = record {
        start: uint16 &check(start == 0x0564);
        len: uint8;
        ctrl: uint8;
        dest_addr: uint16;
        src_addr: uint16;
} &byteorder = littleendian;

type DNP3_Request = record {
        addin_header: Header_Block;  ## added by Hui Lin in Bro code
        ....
} &byteorder = bigendian
  &length= 9 + addin_header.len - 5 - 1;


Hope this helps.

Best,

Hui Lin

On Wed, May 27, 2015 at 6:52 AM, Abdelkarim benkhadra <
a.benkhadra at hotmail.com> wrote:

>  Hi,
>
> In myproto-protocol.pac, I have:
>
> type myproto_PDU(is_orig: bool) = record {
>   header: myproto_Header;
>   //restofdefinition;
> } &length=header.msgSize;
>
> type myproto_Header = record {
>   //some fields;
>   msgSize: uint16;
>   //restoffields;
> };
>
> msgSize represents the length of the PDU.
> And when "make"ing Bro I get "cannot determine initial buffer length for
> type myproto_PDU".
> I tried some random values like &length=60 and it works fine.
> I took the Modbus analyzer as an example to write the myproto analyzer, but
> without success.
> Any ideas?
>



-- 
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
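
Added example (not part of the original message, and not code from BinPAC or the Bro DNP3 analyzer): a Python model of the two-step buffering that a header-derived &length implies, using the Header_Block layout and the &length expression quoted above. The names Framer, pdu_length and make_pdu are hypothetical and the sample bytes are constructed.

```python
import struct

# Fixed-size header from the post: start, len, ctrl, dest_addr, src_addr.
HEADER = struct.Struct("<HBBHH")   # little-endian, as in Header_Block
INITIAL_LEN = HEADER.size          # 8 bytes, known before any data arrives


def pdu_length(hdr_len):
    # The &length expression of the DNP3_Request record quoted in the post.
    return 9 + hdr_len - 5 - 1


class Framer:
    """Buffer INITIAL_LEN bytes first, then the length computed from them."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        """Append one TCP segment; return every PDU that is now complete."""
        self.buf += chunk
        pdus = []
        while len(self.buf) >= INITIAL_LEN:          # step 1: header present
            start, hdr_len, _ctrl, _dst, _src = HEADER.unpack_from(self.buf)
            if start != 0x0564:
                raise ValueError("bad start field 0x%04x" % start)
            total = pdu_length(hdr_len)
            if total < INITIAL_LEN:                  # length must cover header
                raise ValueError("len field %d is too small" % hdr_len)
            if len(self.buf) < total:                # step 2: wait for the rest
                break
            pdus.append(bytes(self.buf[:total]))
            del self.buf[:total]
        return pdus


def make_pdu(payload):
    # Constructed sample data: pick len so pdu_length(len) == 8 + len(payload).
    return HEADER.pack(0x0564, len(payload) + 5, 0xC4, 1, 2) + payload
```

Step 1 only works because every field up to and including len has a fixed size; if a variable-length field came before the length field, INITIAL_LEN could not be computed in advance.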