initial buffer length

Hui_Lin · May 27, 2015, 3:02pm

Hi Abdelkarim,

In the myproto_Header, do you have some definitions of records before msgSize (whose length is not explicitly specified)? If that is the case, BinPac cannot decide the initial length in order to locate msgSize.

You may refer the DNP3 analyzer that I wrote in a similar way.

type Header_Block = record {
start: uint16 &check(start == 0x0564);
len: uint8;
ctrl: uint8;
dest_addr: uint16;
src_addr: uint16;
} &byteorder = littleendian;

type DNP3_Request = record {
addin_header: Header_Block; ## added by Hui Lin in Bro code
…
} &byteorder = bigendian

Hui_Lin · May 28, 2015, 3:21pm

HI Abdelkarim,

Probably you should try to use the basic data type such as using int for “type” and “chunk” instead of using the bytestring (even with the length defined). I remember that the bytestring did not work for my case either. I don’t remember the reason in details now, but I remember that it is related to how Binpac compiler is implemented.

Best,

Hui Lin

Topic		Replies	Views
initial buffer length Zeek	1	89	May 6, 2022
binpac: variable length Zeek	1	58	May 6, 2022
binpac usage of &length = -1 Development development	5	102	May 6, 2022
BinPac: is there a way to get the length of decoded field? Development development	1	114	May 6, 2022
questions about binpac Zeek	1	65	May 6, 2022

initial buffer length

Related Topics