Aaron,
>> I have a protocol that loads a given TCP packet with as many publish
>> messages as possible in a worst case scenario - often it just has a
>> single message, but it is not guaranteed. When a publish message
>> contains more than one subsequent message, there is not an indicator
>> that another message follows.
Perhaps try something like this:
type SPROTO_messages = SPROTO_message[]
&until($input.length() == 0); # or some appropriate terminating condition
Type SPROTO_message = record {
thdr : uint8;
hdrlen : uint8;
variable_header : case msg_type of {
SPROTO_CONNECT -> connect_packet : SPROTO_connect(hdrlen);
SPROTO_SUBSCRIBE -> subscribe_packet : SPROTO_subscribe(hdrlen);
SPROTO_SUBACK -> suback_packet : SPROTO_suback(hdrlen);
SPROTO_PUBLISH -> publish_packet : SPROTO_publish(hdrlen);
SPROTO_UNSUBSCRIBE -> unsubscribe_packet : SPROTO_unsubscribe(hdrlen);
default -> none : empty;
};
} &let {
msg_type : uint8 = (thdr >> 4);
};
Mark
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
