Re: NPL to Wireshark compiler/converter

[Richard Sharpe <realrichardsharpe () gmail com>]

On Sat, Jul 21, 2012 at 6:03 PM, Richard Sharpe
<realrichardsharpe () gmail com> wrote:
> On Sat, Jul 21, 2012 at 11:00 AM, Richard Sharpe
> <realrichardsharpe () gmail com> wrote:
> > I have started working on an NPL to Wireshark compiler/converter ...
> >
> > At this stage all I have is an initial Flex scanner file and a simple
> > Lemon grammar and some test files. The grammar is conflict free, but
> > not necessarily complete (lacking in examples and there does not seem
> > to be a spec from Microsoft :-(). I have been working from the
> > example/s in the Microsoft document I posted a link to a few days ago
> > called "Writing a Parser from Wire to Window."
> >
> > The next steps are to:
> >
> > 1. Get the grammar working more, and in particular, generate an AST,
> > 2. Add more to the grammar
> > 3. Generate dissectors in C.
> >
> > What I have is attached for those who are curious and for feedback.
>
> I have established a github repository for this. You can do:
>
>          git clone git () github com:RichardSharpe/npl-to-wshark.git

Well, having downloaded the NPL archive from the download link here:
http://nmparsers.codeplex.com/

it is clear that this is not going to be easy :-)

For example, there is a netmon.npl that has interesting things like this:

//
// Frame that contains the active network adapter used when the
capture file was created
//
Protocol NetworkInfo = FormatString("Network info for %s, Network
Adapter Count = %d",ComputerName,AdapterCount)
{
    UINT16 AdapterCount;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString ComputerName;
    [MaxLoopCount=AdapterCount, Property.NetworkAdapterInfo = "NetworkInfo"]
    while[true] {
                NetMonNetworkAdapter NetworkAdapter;
    }
}

Seems like they have a fake frame that provides info about adapters
and the one that was used for capturing. In addition, there are
pragmas in there ([DataFieldByteOrder = LittelEndian] as well as
forward references from the FormatString to the fields in the
structure. Then there is that while[true] loop and references to a
structure further down:

Struct NetMonNetworkAdapter = FormatString("%s,
%s",Property.NetworkInfoFriendlyName,Property.NetworkInfoHardwareAddr)
    {
        [DataFieldByteOrder = LittleEndian]
        [Property.NetworkInfoFriendlyName]
        UnicodeString FriendlyName;
        [DataFieldByteOrder = LittleEndian]
        UnicodeString Description;
        switch(Property.NetworkAdapterInfo)
        {

which then has a Property.NetworkAdapterInfo (although it seems that
[Property.blah] before a field declares that field to be a property,
it seems.) which refers back to the NetworkInfo structure earlier.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe