It's only particular object types and especially those in the *request* that I'm referring to. I do see response objects fine. I wish I had better pcaps to share, but I'm having trouble finding those myself. :)
I have attached one I found on the web which, according to wireshark, has a single write of object type 50, variation 01. It produces these events: header_block, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, Start, 25605, Len, 18, Ctrl, 196, Dst, 3, Src, 4 application_request_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, App, 193, FC, 2 object_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, OT, 12801, Qua, 7, Num, 1, RF, 1, 0 object_prefix, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, PREF, 0 (Mnemonics included except for the first two fields which are always c$id and is_orig.) but there's no event giving the content of that object type. I'm not getting any error messages, but just in looking at the .pac files in the dnp3 directory, I see the code apparently parsing all the unique types below, but it doesn't seem to be generating events for any of them. At least some of those *do* seem to have had events generated for them in that dnp3-events branch code. AnaOutStatus32 AnaOutStatus16 AnaOutStatusSP AnaOutStatusDP AnaOut32 AnaOut16 AnaOutSP AnaOutDP AnaOutEve32woTime AnaOutEve16woTime AnaOutEve32wTime AnaOutEve16wTime AnaOutEveSPwoTime AnaOutEveDPwoTime AnaOutEveSPwTime AnaOutEveDPwTime Thanks. On Tue, Feb 9, 2016 at 4:49 PM, Hui Lin (Hugo) <[email protected]> wrote: > Hi Jeff, > > I think the master branch should contain what we wrote before. I run some > simple DNP3 test cases included in Bro from master branch and I do see the > simple print out message. > > Does running your pcap generate any error message? Do you mind sharing the > trace that you are using for me to take a look at what is going on? > > Best, > > Hui Lin > > On Tue, Feb 9, 2016 at 3:04 PM, Jeff Barber <[email protected]> wrote: > >> Hi >> >> I'm trying to use bro for decoding DNP3 traffic and following the logic >> through its parser to the various dnp3_xxx events. (The documentation on >> how to use the DNP3 events is a bit light but I think I understand what's >> happening.) When I try to follow the request objects logic (e.g. as you >> might get from a DNP3 write command), I can't see how they're getting >> output to the bro script layer at all. Most of them seem to simply dead-end >> in the parser with no event generated. >> >> I spent a little while looking through the bro branches and came across a >> branch called topics/hui/dnp3-events that _seems_ to have support for a >> bunch of additional objects. It was last worked on in February 2014 but I >> can't find any hint of it in the master branch. >> >> Just wondering if anyone can clarify. Am I misunderstanding how it works? >> Or did the code in dnp3-events branch get lost? Or was it never merged? Or >> never completed? >> >> Thanks! >> >> Addressing to Hui Lin but also including bro-dev in case someone else >> knows the history. >> >> > > > -- > Hui Lin > PhD Candidate (http://hlin33.web.engr.illinois.edu/) > DEPEND (http://depend.csl.illinois.edu/) > ECE, Uni. of Illinois at Urbana-Champaign > >
DNP3-Write.pcap
Description: Binary data
_______________________________________________ bro-dev mailing list [email protected] http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
