Triggering events on incomplete PDUs


I am implementing a simple protocol analyzer for DLMS (smart metering protocol), and I am trying to understand how the events are triggered.

Basically, I am interested in the first few bytes of the PDU, which identify the types of requests/responses (e.g., read, write, authentication, etc.). I implemented an analyzer for these bytes based on the other protocols available, and I am able to trigger some events with the values I need when parsing an example file.

However, the events only seem to be triggered when the full PDU is available. This is a big problem because the snaplen used for the capture was quite small, thus most of the PDUs are incomplete.

My question is: Is there a way that I can force an event to be triggered as soon as the first few bytes are available?



I realize that I might not have included enough details. Attached I am sending the dlms-protocol.pac and dlms-analyzer.pac I created to process DLMS traffic.

My current goal is to extract the fields on the wrapper (DLMS_Wrapper) even when the message body (DLMS_Request/DLMS_Reply) is not complete in the captured traffic. As is, all events I defined are only triggered when a full PDU is present.

I could not find any information on how to trigger events on incomplete PDUs on the Bro website or mailing list, so any help is welcome.

I can also send the other files in my DLMS analyzer, and generate an example pcap file for testing, if necessary.



dlms-analyzer.pac (2.45 KB)

dlms-protocol.pac (771 Bytes)