I have added a PTCP frame as shown below. The packet I am using has the multicast DMAC 01:80:C2:00:00:0E and a unicast SMAC.
It has EtherType 0x8892.
Then frame ID: 0xff40.
I have added the part below to the Spicy script and am just trying to print the data in the Zeek script.
#spicy file changes
public type Packet = unit {
    frame_id: uint16;
    ptcp_frame: PTCPFrame if ( 0xff40 <= self.frame_id && self.frame_id <= 0xff5f );
    rtc_frame: RTCFrame if ( 0x0100 <= self.frame_id && self.frame_id <= 0xfbff );
    dcp_frame: DCPFrame if ( 0xfefc <= self.frame_id && self.frame_id <= 0xfeff );
    data: bytes &eod;
};

public type PTCPFrame = unit() {
    data: bytes &eod;
};
#zeek file changes
module PacketAnalyzer::SPICY_PROFINETIO;
module ProfinetIO;

export {
    type PTCPHeader: record {
        ## PTCP data
        data: string;
    };
}

event zeek_init()
    {
    if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x8892, "spicy_ProfinetIO") )
        print "cannot register ProfinetIO analyzer";
    }
#evt file changes
on ProfinetIO::Packet::ptcp_frame -> event ProfinetIO::ptcp_message(self.data);
#zeek script changes
event ProfinetIO::ptcp_message(payload: string)
    {
    local ph = get_current_packet_header();
    local rec: ProfinetIO::PTCPInfo = [
        $ts = network_time(),
        $smac=ph$l2$src,
        $dmac=ph$l2$dst,
        $data = payload];
    print "Sending ptcp message data >>", rec;
    Log::write(ProfinetIO::LOG_PTCP, rec);
    }
However, I am not getting anything for PTCP packets, whereas using the same parser and analyser I am getting all packets for the DCP and RTC protocols.
Please help me understand the issue.
This shows that your parser still tries to parse the payload as RTCFrame and not as the PTCPFrame you added. As a note, PTCPFrame parses bytes &eod, so it consumes all input data and Packet.data will always be empty.
We have a section dedicated to debugging in our docs. It contains a lot of information needed when developing Zeek analyzers with Spicy.
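To illustrate the reply's note about bytes &eod, here is an added example (not code from the thread or from the Zeek project): a small Python model of the Packet unit's frame-ID dispatch, usable offline to check which branch a captured frame should take and what is left for Packet.data. The function names, the SMAC and the frame body are constructed, and the model assumes every sub-unit reads to end of data, as the PTCPFrame in the question does.

```python
import struct

# Frame-ID ranges copied from the Packet unit in the question.
RANGES = [("ptcp_frame", 0xFF40, 0xFF5F), ("rtc_frame", 0x0100, 0xFBFF),
          ("dcp_frame", 0xFEFC, 0xFEFF)]
ETHERTYPE_PROFINET, ETHERTYPE_VLAN = 0x8892, 0x8100


def profinet_payload(frame: bytes) -> bytes:
    """Return the bytes after EtherType 0x8892, skipping one optional 802.1Q tag."""
    offset = 12  # DMAC (6) + SMAC (6)
    if len(frame) < offset + 2:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == ETHERTYPE_VLAN:
        offset += 4  # TPID + TCI, then the real EtherType
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != ETHERTYPE_PROFINET:
        raise ValueError(f"not a PROFINET frame: EtherType {ethertype:#06x}")
    return frame[offset + 2:]


def parse_packet(payload: bytes) -> dict:
    """Model of the Packet unit: frame_id, one conditional sub-unit, then data."""
    if len(payload) < 2:
        raise ValueError("missing frame_id")
    (frame_id,) = struct.unpack_from("!H", payload)
    rest = payload[2:]
    result = {"frame_id": frame_id, "branch": None, "branch_data": b""}
    for name, low, high in RANGES:
        if low <= frame_id <= high:
            # Assumption: the sub-unit reads to end of data, so it takes everything.
            result["branch"], result["branch_data"], rest = name, rest, b""
            break
    result["data"] = rest  # Packet.data only sees what the sub-unit left behind
    return result


# Constructed sample: DMAC and frame ID from the question, made-up SMAC and body.
SAMPLE = (bytes.fromhex("0180c200000e") + bytes.fromhex("020000000001")
          + struct.pack("!HH", ETHERTYPE_PROFINET, 0xFF40)
          + b"\x00" * 12 + b"\xaa\xbb")

if __name__ == "__main__":
    print(parse_packet(profinet_payload(SAMPLE)))
```

For the sample frame the PTCP branch holds all 14 body bytes and the model's Packet.data is empty, which is why an event that passes Packet.data carries no payload.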