Wireshark-dev: Re: [Wireshark-dev] NPL to Wireshark compiler/converter

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sat, 21 Jul 2012 21:45:14 -0700
On Sat, Jul 21, 2012 at 6:03 PM, Richard Sharpe
<realrichardsharpe@xxxxxxxxx> wrote:
> On Sat, Jul 21, 2012 at 11:00 AM, Richard Sharpe
> <realrichardsharpe@xxxxxxxxx> wrote:
>> I have started working on an NPL to Wireshark compiler/converter ...
>>
>> At this stage all I have is an initial Flex scanner file and a simple
>> Lemon grammar and some test files. The grammar is conflict free, but
>> not necessarily complete (lacking in examples and there does not seem
>> to be a spec from Microsoft :-(). I have been working from the
>> example/s in the Microsoft document I posted a link to a few days ago
>> called "Writing a Parser from Wire to Window."
>>
>> The next steps are to:
>>
>> 1. Get the grammar working more, and in particular, generate an AST,
>> 2. Add more to the grammar
>> 3. Generate dissectors in C.
>>
>> What I have is attached for those who are curious and for feedback.
>
> I have established a github repository for this. You can do:
>
>          git clone git@xxxxxxxxxx:RichardSharpe/npl-to-wshark.git

Well, having downloaded the NPL archive from the download link here:
http://nmparsers.codeplex.com/

it is clear that this is not going to be easy :-)

For example, there is a netmon.npl that has interesting things like this:

//
// Frame that contains the active network adapter used when the capture file was created
//
Protocol NetworkInfo = FormatString("Network info for %s, Network Adapter Count = %d",ComputerName,AdapterCount)
{
    UINT16 AdapterCount;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString ComputerName;
    [MaxLoopCount=AdapterCount, Property.NetworkAdapterInfo = "NetworkInfo"]
    while[true] {
        NetMonNetworkAdapter NetworkAdapter;
    }
}

Seems like they have a fake frame that provides info about adapters
and the one that was used for capturing. In addition, there are
pragmas in there ([DataFieldByteOrder = LittleEndian]) as well as
forward references from the FormatString to the fields in the
structure. Then there is that while[true] loop and references to a
structure further down:

Struct NetMonNetworkAdapter = FormatString("%s, %s",Property.NetworkInfoFriendlyName,Property.NetworkInfoHardwareAddr)
    {
        [DataFieldByteOrder = LittleEndian]
        [Property.NetworkInfoFriendlyName]
        UnicodeString FriendlyName;
        [DataFieldByteOrder = LittleEndian]
        UnicodeString Description;
        switch(Property.NetworkAdapterInfo)
        {

which then has a Property.NetworkAdapterInfo (although it seems that
[Property.blah] before a field declares that field to be a property)
which refers back to the NetworkInfo structure earlier.

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)
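
Added example (not part of the message and not code from the npl-to-wshark repository): because the FormatString arguments name fields and properties declared later in the body, a converter has to collect names before resolving them. The Python below does this in two passes over the declarations quoted above; the regexes, the `resolve` function and the single shared namespace for properties are assumptions made for illustration, not NPL's specification.

```python
import re
# Constructed input: the two declarations quoted in the message, wrapped lines
# joined; the Struct stops where the message's excerpt stops.
NPL = r'''
Protocol NetworkInfo = FormatString("Network info for %s, Network Adapter Count = %d",ComputerName,AdapterCount)
{
    UINT16 AdapterCount;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString ComputerName;
    [MaxLoopCount=AdapterCount, Property.NetworkAdapterInfo = "NetworkInfo"]
    while[true] {
        NetMonNetworkAdapter NetworkAdapter;
    }
}
Struct NetMonNetworkAdapter = FormatString("%s, %s",Property.NetworkInfoFriendlyName,Property.NetworkInfoHardwareAddr)
{
    [DataFieldByteOrder = LittleEndian]
    [Property.NetworkInfoFriendlyName]
    UnicodeString FriendlyName;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString Description;
'''
HEAD = re.compile(r'^(?:Protocol|Struct)\s+(\w+)\s*=\s*FormatString\("[^"]*"((?:,[\w.]+)*)\)', re.M)
FIELD = re.compile(r'^\s*\w+\s+(\w+);', re.M)         # "Type Name;"
ATTR = re.compile(r'^\s*\[([^\]]*)\]', re.M)          # "[a = b, c]" before a field
PROP = re.compile(r'(?:^|,)\s*Property\.(\w+)')       # attribute item declaring a property

def resolve(src):
    """Map each declaration to {FormatString argument: how it resolved}."""
    heads = list(HEAD.finditer(src))
    fields, props = {}, set()
    # Pass 1: record fields per declaration and properties (assumed global).
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(src)
        body = src[h.end():end]
        fields[h.group(1)] = set(FIELD.findall(body))
        for attr in ATTR.findall(body):
            props.update(PROP.findall(attr))
    # Pass 2: header arguments may now refer to names declared after them.
    out = {}
    for h in heads:
        res = out[h.group(1)] = {}
        for arg in filter(None, h.group(2).split(',')):
            if arg.startswith('Property.'):
                res[arg] = 'property' if arg[len('Property.'):] in props else 'unresolved'
            else:
                res[arg] = 'field' if arg in fields[h.group(1)] else 'unresolved'
    return out
```

`Property.NetworkInfoHardwareAddr` comes back as `unresolved` because the excerpt ends before any declaration of it.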