String ending in \r\n

0 votes
asked Aug 17, 2016 in Grammars by mcegielka (120 points)
Hello!

I've tried to analyze capture file from http response and I'm wondering if it's possible to add to grammar strings ending in \r\n or "0D0A" characters. When I try to use delimited string ofcourse I can't type these characters and using hex codes doesn't work either. So is it possible or maybe I should use another method to do this?

Best regards!

Mariusz Cegiełka

1 Answer

0 votes
answered Aug 17, 2016 by andreas (2,180 points)

Hi Mariusz,

actually 0D0A should work as a delimiter for strings -- of course only if sent by a Windows machine.

Probably it would be better to write a small "custom data type" like the ones on https://www.synalysis.net/scripts.html or a Script element that adds a new parsing result for each line.

Please send me a sample file and the grammar you created so far if this doesn't work as expected.

Best Regards,

Andreas

Synalysis

https://twitter.com/synalysis

https://www.facebook.com/Synalysis/

commented Aug 18, 2016 by mcegielka (120 points)
Hi, and thanks for reply. I've placed grammar and data files in shared Dropbox folder: https://www.dropbox.com/sh/2lp5ej2otxea5sp/AACLXTuRuFYCwmvppiMX-Ve1a?dl=0

Whatever I do, the whole data is counted as one line. Also, HTTP header consists of multiple lines ended by empty line and header length is not known beforehand, is it possible to automatically parse header lines until end of header without scripting?

In fact I'm more interested in rest of captured data, HTTP header makes it a bit simpler for me to describe problem. Most of binary data consists of chunks that seem to have one byte length on start, but sometimes this is off by one or two bytes, so I would prefer to parse each chunk until delimiter ("Z", 0x5A).

Best regards,
Mariusz Cegiełka
...