[Bro] Accessing index of an uint8 array inside record
Jon Siwek
jsiwek at corelight.com
Sun Nov 18 07:05:18 PST 2018
On Sat, Nov 17, 2018 at 1:06 PM TQ <nothinrandom at gmail.com> wrote:
>
> What is the correct way of accessing the index of an array of uint8 inside a record?
>
> In protocol.pac, I have:
>
> type Record_A = record {
> record_b : Record_B;
> } &byteorder=littleendian;
>
> type Record_B = record {
> data: uint8[4];
> } &byteorder=littleendian;
>
>
> In analyzer.pac, I tried using ${Record_A.record_b.data[0]}, but the log becomes empty. However, if I change data from uint8[4] to uint32 and used ${Record_A.record_b.data}, then the log gets generated correctly.
How about this:
${Record_A.record_b.data}[0]
I didn't explicitly try it out, but just assuming that the syntax is
only sophisticated enough to recognize fields, not arrays, so
${Record_A.record_b.data} transforms from uint8[] (binpac) to a uint8*
(c++) and then you index into that.
- Jon
More information about the Bro
mailing list