Thank you Ronka.

It is a flowunit analyzer. I checked the zeek source tree and found that there is only 1 flowunit analyzer (tls-handshake) that uses the exportsourcedata directive. I guess that exportsourcedata only applies to non-incremental types. Maybe these are true:
- all types in a datagram analyzer can use the exportsourcedata directive
- only non-incremental types in a flowunit analyzer can use exportsourcedata

But I'm not sure about what a non-incremental type is; I have to check the generated code.

The reason that I want the sourcedata field is that I want to feed the whole test_pdu to another analyzer. Now as a workaround, I have to do something like this:

    test_rpc->DeliverStream(${data}.length() + 4, ${data}.begin() - 4, is_orig);

to bring back the first 4 bytes to form the original whole PDU.

Maybe I should try a datagram analyzer.

Song

------------------ Original ------------------
From: "ronka_mata"<[email protected]>;
Date: Thu, Mar 7, 2019 10:05 PM
To: "Song"<[email protected]>;
Cc: "zeek-dev"<[email protected]>;
Subject: Fwd: Re: Fwd: [Zeek-Dev] binpac crash triggered by exportsourcedata
Hi,

What might help is checking how you defined the PDU in the .pac file: whether it is a datagram, mostly used for DNS-type traffic, or a flowunit. You can read more on it here:
https://github.com/zeek/binpac/blob/master/README.rst#flow

You do not need to define length for datagrams. Look at other protocols for examples of the differences, e.g. radius for datagrams and smb for flows.

Ronka

---------- Forwarded message ---------
From: Song <[email protected]>
Date: Thu, Mar 7, 2019, 13:40
Subject: [Zeek-Dev] binpac crash triggered by exportsourcedata
To: zeek-dev <[email protected]>
Hi,

I define a PDU like below:

    type test_pdu = record {
        lenAB : uint32;
        pduAB : test_pdu_ab(lenAB);
    } &length=(lenAB + 4), &exportsourcedata;  # fail to compile without &length, &exportsourcedata will cause binpac crash

    type test_pdu_ab(len: uint32) = record {
        lenA  : uint16;
        dataA : bytestring &length = lenA;
        dataB : bytestring &length = (len - 2 - lenA);
    } &exportsourcedata;  # &exportsourcedata here is OK

The error message is:
binpac: /home/grid/git/zeek/aux/binpac/src/pac_type.cc:857:
std::__cxx11::string Type::EvalLengthExpr(Output*, Env*):
Assertion `!incremental_input()!` failed.
Aborted (core dumped)
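
An added example, not part of the thread and not Zeek or binpac code: a bounds-checked C++ parser for the test_pdu layout defined in the original message. It keeps a pointer to the start of the PDU, so the whole PDU (what &exportsourcedata would expose) can be handed to another consumer without the begin() - 4 arithmetic from the workaround, and it rejects length fields that would make lenAB + 4 wrap or len - 2 - lenA underflow. Big-endian byte order and the names TestPdu, rd32, rd16 and parse_test_pdu are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// One parsed test_pdu; all pointers refer into the caller's buffer (no copies).
struct TestPdu {
    const unsigned char* source; size_t source_len;  // whole PDU incl. 4-byte lenAB
    const unsigned char* dataA;  size_t lenA;
    const unsigned char* dataB;  size_t lenB;
};

// Big-endian reads: an assumed byte order, the thread does not state one.
static uint32_t rd32(const unsigned char* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}
static uint16_t rd16(const unsigned char* p) { return uint16_t((p[0] << 8) | p[1]); }

// Returns false when the buffer is short or a length field is inconsistent.
bool parse_test_pdu(const unsigned char* buf, size_t n, TestPdu* out) {
    if (n < 4) return false;
    const uint64_t lenAB = rd32(buf);        // 64-bit: lenAB + 4 can wrap in 32 bits
    if (lenAB + 4 > n) return false;         // PDU not fully buffered yet
    if (lenAB < 2) return false;             // no room for the lenA field
    const uint64_t lenA = rd16(buf + 4);
    if (lenA > lenAB - 2) return false;      // len - 2 - lenA would underflow
    out->source = buf;           out->source_len = size_t(lenAB + 4);
    out->dataA  = buf + 6;       out->lenA = size_t(lenA);
    out->dataB  = buf + 6 + lenA; out->lenB = size_t(lenAB - 2 - lenA);
    return true;
}

int main() {
    // Constructed sample: lenAB=7, lenA=2, dataA="hi", dataB="xyz",
    // followed by "ZZ" standing in for the start of the next PDU.
    const unsigned char stream[] = {0,0,0,7, 0,2, 'h','i', 'x','y','z', 'Z','Z'};
    TestPdu pdu;
    if (!parse_test_pdu(stream, sizeof stream, &pdu)) return 1;
    std::printf("whole PDU: %zu bytes, dataB: %.*s\n",
                pdu.source_len, int(pdu.lenB), (const char*)pdu.dataB);
    return 0;
}
```

The source pointer and source_len pair is the span a downstream consumer would receive; it is only valid while the caller's buffer is.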