On 5/31/07, jmzhou.ml(a)gmail.com <jmzhou.ml(a)gmail.com> wrote:
> Yes, the changes work well at my side.
> Some problems of binpac:
> . Split binpac out of bro source tree.

That's actually happening. Please stay tuned. Also, if you have a
recommendation on a fast regexp library with BSD-like license, please
let me know. Note that we do not need perl-like captures, but only the

> I think to make binpac standalone
> makes testing/developing much easier. One can develop new analyzers and
> test them with dedicated .pcap files.

I agree likewise. In fact, one way to significantly improve testing in
binpac is to make a (proof-of-concept) script when an issue arises.
Such as in this case... By keeping these scripts around we can make
sure that old problems do not surface again.

> . Binpac does not support SunRPC over TCP now. There are four extra bytes
> prepended in RPC packets. Either TCP layer decoder should take care of
> these extra bytes, or the RPC decoder has to do something with it. In
> addition, &exportsourcedata is used in RPC/UDP decoder based on datagram
> mode. It is not supported by flowunit mode. This means, we cannot simply
> change the decoder from datagram mode to flowunit mode for RPC/TCP.

The way I imagine doing this is to consider RPC on TCP a trivial
lower-level protocol than RPC on UDP. For each RPC-on-TCP message, the
analyzer calls the datagram mode RPC analyzer's NewData() routine.
What do you think?

> Finally, a Ref call is missing in the NewCall function when a call already
> exists, and a Unref call is not correctly called in FinishCall.

This is a good point. Thanks for pointing it out!
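
The four prepended bytes discussed above are the RPC record marker (RFC 5531: the top bit flags the last fragment, the low 31 bits give the fragment length). The sketch below shows the layering proposed in the reply: strip the marker, reassemble fragments, and hand each complete message to a datagram-style callback. It is an added example, not binpac or Bro code; `RpcTcpDeframer`, `DeframeSizes` and the 1 MiB message cap are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

// Strips RPC record marking from a TCP stream; the callback stands in for the datagram analyzer's NewData().
class RpcTcpDeframer {
public:
    using Deliver = std::function<void(const uint8_t*, size_t)>;
    static constexpr size_t kMaxMessage = 1u << 20;  // assumed cap, not from the thread
    explicit RpcTcpDeframer(Deliver d) : deliver_(std::move(d)) {}
    // Feed one chunk of stream payload; returns false once the stream is rejected.
    bool NewData(const uint8_t* p, size_t n) {
        while (n > 0 && !bad_) {
            if (hdr_have_ < 4) {  // collect the 4-byte marker, possibly across chunks
                hdr_ = (hdr_ << 8) | *p++; --n;
                if (++hdr_have_ < 4) continue;
                last_ = (hdr_ & 0x80000000u) != 0;  // top bit: last fragment
                remaining_ = hdr_ & 0x7fffffffu;    // low 31 bits: fragment length
                if (remaining_ > kMaxMessage - msg_.size()) { bad_ = true; break; }
            }
            size_t take = n < remaining_ ? n : remaining_;
            msg_.insert(msg_.end(), p, p + take);
            p += take; n -= take; remaining_ -= take;
            if (remaining_ == 0) {  // fragment done; deliver if it closed the record
                if (last_) { deliver_(msg_.data(), msg_.size()); msg_.clear(); }
                hdr_have_ = 0; hdr_ = 0;
            }
        }
        return !bad_;
    }
private:
    Deliver deliver_;
    std::vector<uint8_t> msg_;
    uint32_t hdr_ = 0, remaining_ = 0;
    int hdr_have_ = 0; bool last_ = false, bad_ = false;
};

// Constructed demo driver: feeds `stream` in `chunk`-byte pieces; returns delivered sizes, empty if rejected.
std::vector<size_t> DeframeSizes(const std::vector<uint8_t>& stream, size_t chunk) {
    std::vector<size_t> sizes;
    RpcTcpDeframer d([&](const uint8_t*, size_t n) { sizes.push_back(n); });
    for (size_t i = 0; i < stream.size(); i += chunk) {
        size_t n = stream.size() - i < chunk ? stream.size() - i : chunk;
        if (!d.NewData(stream.data() + i, n)) return {};
    }
    return sizes;
}
```

The length cap matters for a passive analyzer: the fragment length is attacker-controlled, so without it a single marker could make the analyzer buffer up to 2 GiB per connection.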