[Bro] Accessing index of an uint8 array inside record
TQ
nothinrandom at gmail.com
Sun Nov 18 08:44:58 PST 2018
Hey Jon,
I tried that, but the log is empty for some reason, with only the headers
being populated. Dpd.log wasn't generated, so I couldn't figure out the
error. I ended up using bytestring &length=4, and this allows me to access
it using ${Record_A.record_b.data[0]}. Bizarre, as these two are equivalent,
right?
Thanks,
On Sun, Nov 18, 2018 at 7:05 AM Jon Siwek <jsiwek at corelight.com> wrote:
> On Sat, Nov 17, 2018 at 1:06 PM TQ <nothinrandom at gmail.com> wrote:
> >
> > What is the correct way of accessing the index of an array of uint8
> > inside a record?
> >
> > In protocol.pac, I have:
> >
> > type Record_A = record {
> >     record_b : Record_B;
> > } &byteorder=littleendian;
> >
> > type Record_B = record {
> >     data: uint8[4];
> > } &byteorder=littleendian;
> >
> >
> > In analyzer.pac, I tried using ${Record_A.record_b.data[0]}, but the log
> > becomes empty. However, if I change data from uint8[4] to uint32 and use
> > ${Record_A.record_b.data}, then the log gets generated correctly.
>
> How about this:
>
> ${Record_A.record_b.data}[0]
>
> I didn't explicitly try it out, but I'm just assuming that the syntax is
> only sophisticated enough to recognize fields, not arrays, so
> ${Record_A.record_b.data} transforms from uint8[] (binpac) to a uint8*
> (C++) and then you index into that.
>
> - Jon
>