[Bro] Syntax Question - Nested Switch Case

TQ nothinrandom at gmail.com
Mon Oct 15 22:37:35 PDT 2018


Hello Bro Members,

I apologize if this is not the right mailing list... I do not wish to spam
everyone. I just picked up Bro a few days ago, so still learning the ropes.
I have a syntax question that I can't seem to find anywhere. How do you do
a nested switch case inside a record? I have some data
0xAABBCCDD01020304 or 0xAABBCCDD01020405 that I need to verify that the
header is 0xAABBCCDD and switch based on the last two bytes, either 0x0304
or 0x0405. Is this a good practice of switch record since data length will
change based on the command? The nested case I have below is incorrect and
is throwing the error "make[3]: *** [test_pac.h] Segmentation fault (core
dumped)"

Currently, I have:

enum cmd_codes {
    NOP = 0x00000000,
    DEVICE_HEADER = 0xAABBCCDD,
    DEVICE_CMD2_1 = 0x0304,
    DEVICE_CMD2_2 = 0x0405
};

type Header = record {
    header: uint32; # header
    cmd1: uint16; # 0x0102
    cmd2: uint16; # 0x0304 or 0x0405
} &byteorder=bigendian;

type Device_Response = record {
    header: Device_Header;
    data: case(header.header) of {
        DEVICE_HEADER -> head: case(header.cmd2) of {
            DEVICE_CMD2_1  -> info1: Record_A;
            DEVICE_CMD2_2  -> info2: Record_B;
        };
        # All the rest
        default -> unknown: bytestring &restofdata;
    };
} &byteorder=littleendian;

type Record_A = record {
    # some data goes here
}

type Record_B = record {
    # some data goes here
}

Thanks!
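
Added example, not part of the original post and not code from the Bro project: the same layout written with the inner switch factored into its own parameterized BinPAC case type, so no case appears inside another case. The names Device_Body, unknown_cmd and unknown_hdr, the placeholder payload fields, and the single big-endian byte order are assumptions; whether this avoids the reported segmentation fault is not verified here.

```binpac
# Added example. Device_Body, unknown_cmd, unknown_hdr and the payload
# fields are hypothetical names; they do not come from the post.
enum cmd_codes {
    DEVICE_HEADER = 0xAABBCCDD,
    DEVICE_CMD2_1 = 0x0304,
    DEVICE_CMD2_2 = 0x0405
};

type Device_Header = record {
    header: uint32;  # expected to equal DEVICE_HEADER
    cmd1:   uint16;  # 0x0102
    cmd2:   uint16;  # 0x0304 or 0x0405
};

# The inner switch as a separate type that takes cmd2 as a parameter.
# The default arm keeps an unrecognized command from being parsed as
# Record_A or Record_B.
type Device_Body(cmd2: uint16) = case cmd2 of {
    DEVICE_CMD2_1 -> info1:       Record_A;
    DEVICE_CMD2_2 -> info2:       Record_B;
    default       -> unknown_cmd: bytestring &restofdata;
};

type Device_Response = record {
    header: Device_Header;
    # The outer switch only checks the 4-byte header value; anything
    # else is kept as raw bytes instead of being interpreted.
    data: case (header.header) of {
        DEVICE_HEADER -> body:        Device_Body(header.cmd2);
        default       -> unknown_hdr: bytestring &restofdata;
    };
} &byteorder=bigendian;  # assumption: one byte order for the whole PDU

type Record_A = record {
    payload: bytestring &restofdata;  # placeholder for the real fields
};

type Record_B = record {
    payload: bytestring &restofdata;  # placeholder for the real fields
};
```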