[Bro] Confusing binPAC error...

Dane Wullen brot212 at googlemail.com
Thu Oct 20 14:07:48 PDT 2016


Hey,

thanks for your answer! Now I'm able to operate with the records!

On 19.10.2016 at 17:09, Jeff Barber wrote:
> Dane,
>
> As you've listed it, msg is of type TEST_PDU, which is a record 
> containing another record (of type 't_header' named 'data'). You can't 
> ignore the inner record. Looks like you should be using 
> "${msg.data.b1}" in your printf.
>
> Also, you're not showing a "b3" anywhere so that should come up 
> undeclared as well.
>
> HTH
>
>
> On Wed, Oct 19, 2016 at 5:45 AM, Dane Wullen <brot212 at googlemail.com> wrote:
>
>     Hi there,
>
>     I've tried to implement a little test analyzer to detect TCP payload
>     with 2 bytes in it, just to know how binpac works.
>
>     Here's my protocol.pac:
>
>     type t_header = record {
>          b1 : uint8;
>          b2 : uint8;
>     }
>
>     type TEST_PDU(is_orig: bool) = record {
>          data : t_header;
>     } &byteorder = bigendian
>
>     Here's my analyzer.pac
>
>     refine flow TEST_Flow += {
>          function proc_test_message(msg: TEST_PDU): bool
>              %{
>              printf("Read TEST_PDU\n");
>              BifEvent::generate_test_event(connection()->bro_analyzer(),
>                  connection()->bro_analyzer()->Conn());
>              return true;
>              %}
>     };
>
>     refine typeattr TEST_PDU += &let {
>          proc: bool = $context.flow.proc_test_message(this);
>     };
>
>     Everything works fine, but when I want to print my byte-values (
>     printf("Val 1: %d, Val 2: %d, Val 3: %d", ${msg.b1}, ${msg.b2},
>     ${msg.b3}); ),
>     I get an error while making the file which says that " 'b1'
>     undeclared".
>     Even if I put an if-statement to check if those values are
>     undeclared (
>     if( ${msg.b1} != NULL && ${msg.b2} != NULL && ${msg.b3} != NULL)),
>     I still get the same error.
>     Can someone help me? :D Or tell me how to properly use C++ code in
>     binPAC?
>
>     Thanks!
>
>
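
Added example, not part of the original thread and not binpac output: a simplified hand-written C++ model of the two records from protocol.pac, showing why the fields are reached through `data` and how a payload shorter than the record is rejected. The accessor-style classes and the names `Parse` and `parse_and_sum` are assumptions made for illustration.

```cpp
// Simplified model of the records in protocol.pac (illustrative only).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// type t_header = record { b1 : uint8; b2 : uint8; }
class t_header {
public:
    // Rejects input shorter than the record instead of reading past it.
    void Parse(const uint8_t* begin, const uint8_t* end) {
        if (end - begin < 2)
            throw std::out_of_range("t_header: need 2 bytes");
        b1_ = begin[0];
        b2_ = begin[1];
    }
    uint8_t b1() const { return b1_; }
    uint8_t b2() const { return b2_; }
private:
    uint8_t b1_ = 0, b2_ = 0;
};

// type TEST_PDU = record { data : t_header; }
// The only field is `data`; b1 and b2 exist on the inner record alone.
class TEST_PDU {
public:
    void Parse(const uint8_t* begin, const uint8_t* end) { data_.Parse(begin, end); }
    const t_header* data() const { return &data_; }
private:
    t_header data_;
};

// Returns b1 + b2, or -1 when the payload is too short to hold the record.
// The nested access pdu.data()->b1() plays the role of ${msg.data.b1};
// pdu.b1() would not compile, because TEST_PDU declares no b1.
int parse_and_sum(const uint8_t* buf, std::size_t len) {
    TEST_PDU pdu;
    try { pdu.Parse(buf, buf + len); }
    catch (const std::out_of_range&) { return -1; }
    return pdu.data()->b1() + pdu.data()->b2();
}

int main() {
    const uint8_t payload[] = {0x01, 0x02};  // constructed sample payload
    std::printf("b1 + b2 = %d\n", parse_and_sum(payload, sizeof payload));
}
```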
