DLE Stuffing

Mar 2, 2010 at 6:57 PM

Firstly, thank you for a great parser. I've been a long fan of the "competition" but the ability to write parsers with NPL is simply awesome.

I'm writing a parser for a protocol that requires DLE stuffing. It requires any field that contains the DLE (decimal 16) character to append another one.

For example:

Size (1 byte)
Payload (Size bytes)
Checksum (2 bytes) 

If Size happens to contain the value 16 decimal, then another byte with the value 16 will be "stuffed" into the packet. The same goes for the payload and checksum.
I think I can handle Size and Checksum using a switch statement - i.e. in case it's 16, consume another byte.

However, how would I handle the Payload? I would like to first "remove" all the stuffed DLEs and then parse over it again to make sense of the content. Could I use a while loop with a case statement and add it into another "array" which I can then parse?
Is this the right approach or is there another way of doing it?

Thanks in advance. 



Mar 3, 2010 at 1:39 AM
Edited Mar 3, 2010 at 1:46 AM


Glad to know that you like netmon :)

Unfortunately I don't think there is an easy way to achieve your goal. In your problem, we have several fragments to reassemble and parse. However netmon currently dosen't support reassembly in the same frame.

One way is to re-define all primitive types as structs and let them ignore the extra 0x10, and use them as your primitive types. I'm giving two examples here:

struct DLEUINT8 = FormatString("%u", Value)
    UINT8 Value;
         case Value == 0x10:
              UINT8 DLE;

struct DLEAsciiString(Length) = Property.DLEAsciiStringValue
    [Property.DLEAsciiStringValue = ""]
    [MaxLoopCount = Length]
    while [true]
        [Property.DLEAsciiStringValue = Property.DLEAsciiStringValue + FormatString("%c", Char)]
        UINT8 Char;
            case Char == 0x10:
                UINT8 DLE;

The other possible way is to write your own expert (plugin for netmon),




Mar 6, 2010 at 3:35 PM

Thanks Luther - I had a look at nmexperts but seems overkill for what I'm trying to do. Your suggested workaround will get me close enough.