List: oisf-devel
Subject: Re: [Oisf-devel] Decoding Problem [ One byte Missing ]
From: Prabhakaran Kasinathan <prabhakaran1989 () gmail ! com>
Date: 2012-08-03 8:16:11
Message-ID: CAFH0ppZD+=BEvihYB0Ek9gFwA14_qzni1hTg4a=KD=sciyPdDA () mail ! gmail ! com
Hi Anoop Saldanha,
Thank you!
I will look after what you have said. Yes, currently my intention is to
detect flooding, later with complex attacks.
Currently working on thesis writing work :(, will get back to you when I
work on it and get the problem solved.
Thanks again!
On Fri, Aug 3, 2012 at 7:04 AM, Anoop Saldanha <anoopsaldanha@gmail.com> wrote:
> Hi Prabhakaran,
>
> On Thu, Jul 26, 2012 at 9:17 PM, Prabhakaran Kasinathan
> <prabhakaran1989@gmail.com> wrote:
> > Hi Anoop Saldanha,
> >
> > Thanks for your help. I understood the second method and it worked
> > perfectly. printf prints to console normally :). Now I have the basic
> > decoding, which gives me the src and dst address + some other data
> > required for the time being.
> >
> > In order to write the detection module, which files to look up?
> >
> >
> > My idea is to detect flooding initially, such that a signature should
> > match the src and dest address and the rate of incoming packets.
>
> Have a look at thresholding - detect-engine-threshold.[ch].
>
> What are you planning to implement in detection? If it's the flooding
> thing, I doubt you'd have to write anything new as such in detection,
> since most of the infrastructure's already in place.
>
> >
> > Could you give me a high-level overview of where to start and look? It
> > would be very helpful :)
> >
> > Thank you!.
> >
> >
> > On Wed, Jul 25, 2012 at 6:37 PM, Anoop Saldanha <anoopsaldanha@gmail.com>
> > wrote:
> > >
> > > On Wed, Jul 25, 2012 at 4:48 PM, Prabhakaran Kasinathan
> > > <prabhakaran1989@gmail.com> wrote:
> > > > Dear Developers,
> > > >
> > > > I have been working on decoding the IEEE802154 packets and 6LoWPAN
> > > > packets.
> > > > It took some time to understand the decoding functionality. Please help!
> > > >
> > > > Now my problem is,
> > > >
> > > > One byte is missing when I try to separate the structure like (uint16_t,
> > > > uint8_t, here the next 8 bits are missing, uint16_t ...): it jumps to the
> > > > next 16 bits and the next 16 bits and so on! What is the problem here?
> > > >
> > > > Whereas it works correctly if I use either (uint16_t, uint8_t, uint8_t,
> > > > uint16_t, uint16_t, and so on ...) or (uint16_t, uint16_t, uint16_t,
> > > > uint16_t, ...). I couldn't understand this.
> > > >
> > > > Details:
> > > >
> > > > The current header of the IEEE802154 packet.
> > > >
> > > > octets |  2  |   1    |    2    |    2    |    2    |
> > > >        | FCF | Seq no | Dst Pan | Dst Add | Src Add | remaining data
> > > >
> > > >
> > > > Hex: 61 88 d9 22 00 01 00 64 00 e0 ... Data ... [ the byte 22 is
> > > > missing when I print the whole order ]
> > > >
> > > > My structure declarations
> > > >
> > > > typedef struct Ieee802154Hdr_ {
> > > >     uint16_t ieee802154_fcf;
> > > >     uint8_t ieee802154_seq;
> > > >     uint16_t ieee802154_dstpan;
> > > >     uint16_t ieee802154_dstadd;
> > > >     uint16_t ieee802154_srcadd;
> > > > } Ieee802154Hdr;
> > > >
> > > > SCLogInfo("\n Length %d ieee FCF: %x | ieee seq %x | DstPan %04x | "
> > > >           "Dstadd %04X | SrcAdd %04x",
> > > >           len, ntohs(p->ieeeh->ieee802154_fcf),
> > > >           ntohs(p->ieeeh->ieee802154_seq),
> > > >           ntohs(p->ieeeh->ieee802154_dstpan),
> > > >           ntohs(p->ieeeh->ieee802154_dstadd),
> > > >           ntohs(p->ieeeh->ieee802154_srcadd));
>
> > > >
> > > >
> > > > Output is:
> > > >
> > > > Length 26 ieee FCF: 6188 | ieee seq d9 | DstPan 0001 | Dstadd 0064 |
> > > > SrcAdd 00e0
> > > >
> > > > It should be 0022 0001 0064
> > > >
> > > > Note: If I use uint16_t continuously, I get the bytes correctly. How
> > > > can I overcome this problem?
> > > >
> > >
> > > This is a gcc alignment issue. Can't think of any portable solutions as
> > > such.
> > >
> > > One way would be to use a uint8_t array to point to the packet byte
> > > array, and use macros to dereference the various fields from this
> > > array.
> > >
> > > #define GET_IEEE802145_DSTPAN(array) (*((uint16_t *)((uint8_t *)(array) + 3)))
> > >
> > > --
> > >
> > > Another solution would be to define the struct as
> > >
> > > {
> > >     uint16_t a;
> > >     uint8_t b;
> > >     uint8_t c1;
> > >     uint8_t c2;
> > >     ...
> > > }
> > >
> > > So c1 + c2 in your case would be ieee802154_dstpan. You can hide the
> > > retrieval of the value from c1 + c2 using some macros.
> > >
> > > Let me know if you have a better solution.
> > >
> > > > Question 2:
> > > >
> > > > How do I get SCLogDebug and printf lines printed to the console? Since
> > > > I couldn't find that, I started using SCLogInfo to print and debug the
> > > > errors.
> > > >
> > > > --
> > > > Best Regards,
> > > > Prabhakaran Kasinathan
> > > > +39 3279720502
> > > >
> > > >
> > > > _______________________________________________
> > > > Oisf-devel mailing list
> > > > Oisf-devel@openinfosecfoundation.org
> > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > >
> > > Doesn't printf print to the console? SCLogDebug needs --enable-debug
> > > while configuring and requires you to set the log-level in the conf
> > > to debug.
> > >
> > > --
> > > Anoop Saldanha
> >
> >
> >
> >
> > --
> > Best Regards,
> > Prabhakaran Kasinathan
> > +39 3279720502
> >
>
>
>
> --
> Anoop Saldanha
>
--
Best Regards,
Prabhakaran Kasinathan
+39 3279720502
[Attachment #5 (text/html)]
<div class="gmail_quote">Hi Anoop Saldanha,</div><div \
class="gmail_quote"><br></div><div class="gmail_quote">Thank you!</div><div \
class="gmail_quote"><br></div><div class="gmail_quote">I will look after what you \
have said. Yes, currently my Intention is to detect a flooding , later with complex \
attacks.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">Currently working on \
thesis writing work :(, will get back to you when i work on it and get the problem \
solved. </div><div class="gmail_quote"><br></div><div class="gmail_quote">
Thanks again. !</div><br><div class="gmail_quote">On Fri, Aug 3, 2012 at 7:04 AM, \
Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" \
target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hi Prabhakaran,<br> <div class="im"><br>
On Thu, Jul 26, 2012 at 9:17 PM, Prabhakaran Kasinathan<br>
<<a href="mailto:prabhakaran1989@gmail.com">prabhakaran1989@gmail.com</a>> \
wrote:<br> > Hi Anoop Saldanha,<br>
><br>
> Thanks for your help. I understood the second method and it worked<br>
> perfectly. printf prints to console normally :). Now i have the basic<br>
> decoding, which gives me the src and dst address + some other data required<br>
> for time being.<br>
><br>
> In-order to write the Detection module. Which files to Look up?<br>
><br>
><br>
> My Idea is to detect an flooding intially. Such that a signature should<br>
> match the src and dest address and the rate of incoming packet's.<br>
<br>
</div>Have a look at thresholding - detect-engine-threshold.[ch].<br>
<br>
What are you planning to implement in detection? If it's the flooding<br>
thing, I doubt you'd have to write anything new as such in detection,<br>
since most of the infrastructure's already in place.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> Could you give me a high level overview of where to start and look after<br>
> could be very helpful :)<br>
><br>
> Thank you!.<br>
><br>
><br>
> On Wed, Jul 25, 2012 at 6:37 PM, Anoop Saldanha <<a \
href="mailto:anoopsaldanha@gmail.com">anoopsaldanha@gmail.com</a>><br> > \
wrote:<br> >><br>
>> On Wed, Jul 25, 2012 at 4:48 PM, Prabhakaran Kasinathan<br>
>> <<a href="mailto:prabhakaran1989@gmail.com">prabhakaran1989@gmail.com</a>> \
wrote:<br> >> > Dear Developer's,<br>
>> ><br>
>> > I have been working in decoding the IEEE802154 packets and 6LoWPAN<br>
>> > packets.<br>
>> > It took some time to understand the decoding functionality. Pls \
Help!<br> >> ><br>
>> > Now my problem is,<br>
>> ><br>
>> > One byte is missing when i try to separate the structure like ( \
uint16_t<br> >> > ,<br>
>> > uint8_t,here next 8 bit is missing, uint16_t ...) it jumps to the \
next<br> >> > 16<br>
>> > bit and next 16 bit and soo on! What is the problem here?<br>
>> ><br>
>> > whereas it works correctly either if i use ( uint16_t , uint8_t<br>
>> > ,uint8_t,uint16_t ,uint16_t , and so.... ) or ( uint16_t ,uint16_t<br>
>> > ,uint16_t<br>
>> > ,uint16_t , ... ) . I couldn't understand this.<br>
>> ><br>
>> > Details :<br>
>> ><br>
>> > The current Header of IEEE802154 packet.<br>
>> ><br>
>> > octects 2 1 2 2 2<br>
>> > | FCF | Seq no | Dst Pan | Dst Add | Src Add | remaining data<br>
>> ><br>
>> ><br>
>> > Hex : 61 88 d9 22 00 01 00 64 00 e0 ... Data... [ the byte 22 \
is<br> >> > missing when i print the hole order ]<br>
>> ><br>
>> > My Structure Declarations<br>
>> ><br>
>> > typedef struct Ieee802154Hdr_ {<br>
>> > uint16_t ieee802154_fcf;<br>
>> > uint8_t ieee802154_seq;<br>
>> > uint16_t ieee802154_dstpan;<br>
>> > uint16_t ieee802154_dstadd;<br>
>> > uint16_t ieee802154_srcadd;<br>
>> > } Ieee802154Hdr;<br>
>> ><br>
>> > SCLogInfo("\n Length %d ieee FCF: %x | ieee seq %x | DstPan \
%04x |<br> >> > Dstadd %04X | SrcAdd<br>
>> ><br>
>> > %04x",len,ntohs(p->ieeeh->ieee802154_fcf),ntohs(p->ieeeh-& \
gt;ieee802154_seq),ntohs(p->ieeeh->ieee802154_dstpan),ntohs(p->ieeeh->ieee802154_dstadd),ntohs(p->ieeeh->ieee802154_srcadd));<br>
>> ><br>
>> ><br>
>> > Output is:<br>
>> ><br>
>> > Length 26 ieee FCF: 6188 | ieee seq d9 | DstPan 0001 | Dstadd 0064 \
|<br> >> > SrcAdd 00e0<br>
>> ><br>
>> > it<br>
>> > should<br>
>> > be 0022 0001 0064<br>
>> ><br>
>> > Note: If I use the (uint16_t) continuously, I get the bytes \
correctly.<br> >> > How<br>
>> > to overcome this problem.<br>
>> ><br>
>><br>
>> This is a gcc alignment issue. Can't think of any portable solutions \
as<br> >> such.<br>
>><br>
>> One way would be use a uint8_t array to point to the packet byte<br>
>> array, and use macros to dereference the various fields from this<br>
>> array.<br>
>><br>
>> #DEFINE GET_IEEE802145_DSTPAN(array) (*((uint16_t *)((uint8_t *)array +<br>
>> 3))<br>
>><br>
>> --<br>
>><br>
>> Another solution would be to define the struct as<br>
>><br>
>> {<br>
>> uint16_t a;<br>
>> uint8_t b;<br>
>> uint8_t c1;<br>
>> uint8_t c2;<br>
>> ...<br>
>> }<br>
>><br>
>> So c1 + c2 in your case would be ieee802154_dstpan. You can hide the<br>
>> retrieval of the value from c1 + c2 using some macros.<br>
>><br>
>> Let me know if you have a better solution.<br>
>><br>
>> > Question 2:<br>
>> ><br>
>> > How to use the SCLogDebug and Printf lines to get printed in \
console?<br> >> > Since<br>
>> > I couldn't find that. I started using SCLogInfo to print and debug \
the<br> >> > error's.<br>
>> ><br>
>> > --<br>
>> > Best Regards,<br>
>> > Prabhakaran Kasinathan<br>
>> > +39 3279720502<br>
>> ><br>
>> ><br>
>> > _______________________________________________<br>
>> > Oisf-devel mailing list<br>
>> > <a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
>> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" \
target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
>><br>
>> doesn't printf print to the console? SCLogDebug needs \
--enable-debug<br> >> while configuring and requires you to set the log-level \
in the conf<br> >> to debug.<br>
>><br>
>> --<br>
>> Anoop Saldanha<br>
><br>
><br>
><br>
><br>
> --<br>
> Best Regards,<br>
> Prabhakaran Kasinathan<br>
> <a href="tel:%2B39%203279720502" value="+393279720502">+39 3279720502</a><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Anoop Saldanha<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Best \
Regards,<br>Prabhakaran Kasinathan<br>+39 3279720502<br><br>
_______________________________________________
Oisf-devel mailing list
Oisf-devel@openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic