bro and DNP3 decoder

Hi Jeff,

I think the master branch should contain what we wrote before. I ran some simple DNP3 test cases included in Bro from the master branch and I do see the simple print-out message.

Does running your pcap generate any error message? Do you mind sharing the trace that you are using so I can take a look at what is going on?

Best,

Hui Lin

It’s only particular object types, and especially those in the request, that I’m referring to. I do see response objects fine. I wish I had better pcaps to share, but I’m having trouble finding those myself. :)

I have attached one I found on the web which, according to wireshark, has a single write of object type 50, variation 01. It produces these events:

header_block, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, Start, 25605, Len, 18, Ctrl, 196, Dst, 3, Src, 4
application_request_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, App, 193, FC, 2
object_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, OT, 12801, Qua, 7, Num, 1, RF, 1, 0
object_prefix, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, PREF, 0

(Mnemonics included except for the first two fields which are always c$id and is_orig.)

but there’s no event giving the content of that object type.

I’m not getting any error messages, but just from looking at the .pac files in the dnp3 directory, I see the code apparently parsing all the unique types below, but it doesn’t seem to be generating events for any of them. At least some of those do seem to have had events generated for them in that dnp3-events branch code.

AnaOutStatus32
AnaOutStatus16
AnaOutStatusSP
AnaOutStatusDP
AnaOut32
AnaOut16
AnaOutSP
AnaOutDP
AnaOutEve32woTime
AnaOutEve16woTime
AnaOutEve32wTime
AnaOutEve16wTime
AnaOutEveSPwoTime
AnaOutEveDPwoTime
AnaOutEveSPwTime
AnaOutEveDPwTime

Thanks.

DNP3-Write.pcap (610 Bytes)
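For readers following the thread without the attached trace, here is an added example (not code from the original thread and not Bro's dnp3 analyzer) of what decoding such a request involves. It is a stand-alone Python decoder for a DNP3 WRITE request carrying a group 50 variation 1 (Time and Date) object. The frame it builds is constructed to reproduce the header values printed above (Len 18, Ctrl 0xC4, Dst 3, Src 4, App 0xC1, FC 2, OT 0x3201 = 12801, Qual 7, Num 1); the 48-bit millisecond timestamp inside the object is made up. The CRC-16/DNP routine, the 16-byte data-block layout and the qualifier range codes follow the DNP3 link and application layer as commonly documented; everything else (function and field names) is this example's own.

```python
"""Decode a DNP3 WRITE request carrying a g50v1 Time and Date object.

Added example, not Bro's dnp3 analyzer. The frame is constructed to match
the header values seen in the thread; the timestamp value is made up.
"""
import struct
from datetime import datetime, timedelta, timezone

START = b"\x05\x64"                   # link-layer start bytes
FC_WRITE = 0x02                       # application function code WRITE
G50V1 = (50, 1)                       # Time and Date, absolute, 6 bytes
OBJECT_SIZES = {G50V1: 6}             # fixed-size objects this decoder knows
PREFIX_SIZES = {0: 0, 1: 1, 2: 2, 3: 4}   # qualifier prefix code -> bytes
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def bro_object_type(group: int, variation: int) -> int:
    """The OT value Bro prints: group in the high byte, variation in the low."""
    return (group << 8) | variation


def build_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Link layer: 10-byte header, then user data in 16-byte blocks, each CRC'd."""
    header = START + struct.pack("<BBHH", 5 + len(user_data), ctrl, dst, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def build_time_write(ms_since_epoch: int, ctrl=0xC4, dst=3, src=4, seq=1) -> bytes:
    """Constructed request: transport FIR|FIN, app FIR|FIN, WRITE, g50v1, 8-bit count 1."""
    transport = 0xC0 | (seq & 0x3F)
    app_ctrl = 0xC0 | (seq & 0x0F)
    user = bytes([transport, app_ctrl, FC_WRITE, 50, 1, 0x07, 1])
    return build_frame(ctrl, dst, src, user + ms_since_epoch.to_bytes(6, "little"))


def parse_frame(frame: bytes) -> dict:
    """Verify all CRCs, then return link/app/object headers and decoded objects."""
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    length, ctrl, dst, src = struct.unpack_from("<BBHH", frame, 2)
    if struct.unpack_from("<H", frame, 8)[0] != crc_dnp(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user, pos, remaining = bytearray(), 10, length - 5
    while remaining > 0:                  # every data block carries its own CRC
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack_from("<H", frame, pos + n)[0] != crc_dnp(block):
            raise ValueError("data block CRC mismatch")
        user += block
        pos, remaining = pos + n + 2, remaining - n
    # user[0] is the transport header; application header and object header follow
    app_ctrl, fc, group, var, qual = user[1], user[2], user[3], user[4], user[5]
    range_code, prefix_len = qual & 0x0F, PREFIX_SIZES[(qual >> 4) & 0x07]
    off = 6
    if range_code in (0x07, 0x08):        # 8- or 16-bit object count
        size = 1 if range_code == 0x07 else 2
        count = int.from_bytes(user[off:off + size], "little")
        off += size
    elif range_code in (0x00, 0x01):      # 8- or 16-bit start/stop index
        size = 1 if range_code == 0x00 else 2
        start = int.from_bytes(user[off:off + size], "little")
        stop = int.from_bytes(user[off + size:off + 2 * size], "little")
        count, off = stop - start + 1, off + 2 * size
    else:
        raise ValueError(f"unsupported range code {range_code:#x}")
    objects = []
    for _ in range(count):                # (prefix, raw object bytes) per object
        prefix = int.from_bytes(user[off:off + prefix_len], "little")
        off += prefix_len
        size = OBJECT_SIZES[(group, var)]
        objects.append((prefix, bytes(user[off:off + size])))
        off += size
    result = {"len": length, "ctrl": ctrl, "dst": dst, "src": src,
              "app_ctrl": app_ctrl, "fc": fc, "ot": bro_object_type(group, var),
              "qual": qual, "num": count, "objects": objects}
    if (group, var) == G50V1:             # 48-bit milliseconds since 1970-01-01 UTC
        ms = int.from_bytes(objects[0][1], "little")
        result["time_ms"] = ms
        result["time_utc"] = (EPOCH + timedelta(milliseconds=ms)).isoformat(timespec="milliseconds")
    return result


if __name__ == "__main__":
    decoded = parse_frame(build_time_write(1_420_167_845_678))
    print(decoded)
```

The decoder refuses frames whose header or data-block CRC does not verify, which is the check that distinguishes a corrupted or truncated capture from a request the analyzer genuinely does not understand. Qualifier 0x07 (no prefix, 8-bit count) is the case in the trace above; the start/stop and 16-bit-count range codes are included because write requests in other captures commonly use them.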

Hi Jeff,

I think the current master branch does support the “write” function code, but not the type of objects used in the given pcap file. In the development branch you mentioned, I think I added as many event handlers as I could. But we could not merge them into the master branch, as at that time we could not find sufficient test pcap files that could trigger the event handlers. Probably it is time for me to search the Internet again for test pcap files. The pcap that you provided may not be usable as a test case, as it looks like a truncated communication, i.e., a request without responses. If you have any test pcaps, feel free to share them with us if that is appropriate for you. Also, if you need to use these event handlers, I think you can go for that development branch. And feel free to let me know if there are any bugs in that branch; I can work to fix them.

Best,

Hui Lin

Thanks a lot for the response. That makes sense. If I find some packet captures for this stuff, I will share them if I can.