[Bro] Confusing binPAC error...

[Jeff Barber]

Dane,

As you've listed it, msg is of type TEST_PDU, which is a record containing
another record (of type 't_header' named 'data'). You can't ignore the
inner record. Looks like you should be using "${msg.data.b1}" in your
printf.

Also, you're not showing a "b3" anywhere so that should come up undeclared
as well.

HTH


On Wed, Oct 19, 2016 at 5:45 AM, Dane Wullen <brot212 at googlemail.com> wrote:

> Hi there,
>
> I've tried to implement a little test analyzer to detect TCP payload
> with 2 bytes in it, just to know how binpac works.
>
> Here's my protocol.pac:
>
> type t_header = record {
>      b1 : uint8;
>      b2 : uint8;
> }
>
> type TEST_PDU(is_orig: bool) = record {
>      data : t_header;
> } &byteorder = bigendian
>
> Here's my analyzer.pac
>
> refine flow TEST_Flow += {
>      function proc_test_message(msg: TEST_PDU): bool
>          %{
>          printf("Read TEST_PDU\n");
> BifEvent::generate_test_event(connection()->bro_analyzer(),
> connection()->bro_analyzer()->Conn());
>          return true;
>          %}
> };
>
> refine typeattr TEST_PDU += &let {
>      proc: bool = $context.flow.proc_test_message(this);
> };
>
> Everything works fine, but when I want to print my byte-values (
> printf("Val 1: %d, Val 2: %d, Val 3: %d", ${msg.b1}, ${msg.b2},
> ${msg.b3}); ),
> I get an error while making the file which says that " 'b1' undeclared".
> Even if I put an if-statement to check if those values are undeclared (
> if( ${msg.b1} != NULL && ${msg.b2} != NULL && ${msg.b3} != NULL)),
> I still get the same error.
> Can someone help me? :D Or tell me how to proper use C++ code in binPAC?
>
> Thanks!
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161019/176c9368/attachment-0001.html