I have some spicy code that works on a pcap until I have some lost data. Then I want it to resync when it sees the sequence I have set with the synchronize-at. It’s not working, and doesn’t resync at all. Any help is appreciated.
public type Control = unit {
pkts: (Message &synchronize)[] &eod;
};
public type Message = unit {
%synchronize-at = /\x00\x01\x02\x03\x04/;
a: uint8;
b: uint8;
on %synced { print "Synced: %s" % self;
confirm; }
};
Hi @ralyn,
sorry for not getting back to you earlier. You can use the spicy-verbose debug stream to observe what the parser is doing, e.g., by running your parser with
$ HILTI_DEBUG=spicy-verbose zeek ...
Before entering synchronization this will log
[...] failed to parse, will try to synchronize at ...
and once it has synchronized (this shouldn’t be reached since your %synced hook does not get invoked)
[...] successfully synchronized
We very recently fixed a bug around %synchronize-at which might have caused what you saw. This is not yet in a release, but available in the main branch of Spicy (in the Zeek tree as a submodule under auxil/spicy).
Thanks @Benjamin_Bannier. I’ll run the verbose to see if it gives me any useful information, and also look to pull in the fix made on the main branch.
@Benjamin_Bannier I ran it with verbose, and I don’t get any synchronize message at all. Right before my parsing ends, I see the following:
[spicy-verbose] suspending to wait for more input for stream 0x56272e32bd40, currently have 0
[spicy-verbose] resuming after insufficient input, now have 140864 for stream 0x56272e32bd40
In looking at the pcap I’m parsing, that is the amount of bytes it says is missing. Everything parses correctly right up until that, with no synchronize necessary.
00009454 5b 31 34 30 38 36 34 20 62 79 74 65 73 20 6d 69 [140864 bytes mi
00009464 73 73 69 6e 67 20 69 6e 20 63 61 70 74 75 72 65 ssing in capture
00009474 20 66 69 6c 65 5d 00 file].
After the spicy-verbose message no have 140864 for stream, zeek just exits. I get no more parsing or output of any kind.