initial buffer length

Hui_Lin · May 27, 2015, 3:02pm

Hi Abdelkarim,

In the myproto_Header, do you have some definitions of records before msgSize (whose length is not explicitly specified)? If that is the case, BinPac cannot decide the initial length in order to locate msgSize.

You may refer the DNP3 analyzer that I wrote in a similar way.

type Header_Block = record {
start: uint16 &check(start == 0x0564);
len: uint8;
ctrl: uint8;
dest_addr: uint16;
src_addr: uint16;
} &byteorder = littleendian;

type DNP3_Request = record {
addin_header: Header_Block; ## added by Hui Lin in Bro code
…
} &byteorder = bigendian

Hui_Lin · May 28, 2015, 3:21pm

HI Abdelkarim,

Probably you should try to use the basic data type such as using int for “type” and “chunk” instead of using the bytestring (even with the length defined). I remember that the bytestring did not work for my case either. I don’t remember the reason in details now, but I remember that it is related to how Binpac compiler is implemented.

Best,

Hui Lin

Topic		Replies	Views
initial buffer length Zeek	1	110	May 6, 2022
binpac: variable length Zeek	1	75	May 6, 2022
binpac usage of &length = -1 Development development	5	125	May 6, 2022
Problem about BinPAC , wish to get your help Development development	1	110	May 6, 2022
BinPac: is there a way to get the length of decoded field? Development development	1	183	May 6, 2022

initial buffer length

Related topics