Binpac http

Zeek
1

Hi,

I'm new to binpac but really like the concept (sick of hand writing
protocol decoders). I'm working on using binpac in a project to decode
pcap files. I have http mostly working but came across a problem with
getting the response body from responses that don't have a
content-length header.

RFC2616 section 4.4 5) says that the message length can be determined by
the server closing the connection. I think that the server must use a
Connection: close header if it's going to close the connection after the
response. How can I express this in binpac? I can add another delivery
mode and set that based on the presence of the Connection: close header
but am a little unclear on how to get the rest of the flow.

I'm setting delivery_mode_ = CLOSE if Content-Length doesn't exist and
Connection: close does exist.

In HTTP_Body I've added a CLOSE -> rest: bytestring &restofflow &chunked;

I have:
refine typeattr HTTP_Body += &let {
    process_message: bool = http_body($context.connection.http_conn, body);
};

http_body() is never called unless there is a Content-Length.

Any thoughts?

Regards,
Matt Thompson

2

I also tried using &restofdata instead of &restofflow.

The BinPAC user guide says &restofdata will grab the rest of the data
available in the FlowBuffer. Using &restofdata results in binpac
compiler returning "error: cannot handle incremental input".

It just occurred to me that I'm not indicating that the flow has "ended"
so how is it to know that &restofflow is satisfied? Am I missing an API
call other than NewData()?

Cheers,
Matt Thompson

3

I'm new to binpac but really like the concept

Hi Matt. I don't want you to feel like we've been ignoring you. I've been meaning to look into your question closer and I'll make sure and get to it ASAP!

(sick of hand writing protocol decoders).

I can get behind this sentiment. :slight_smile:

.Seth