A key step in the semantic analysis of network traffic is to parse the traffic stream according to the high-level protocols it contains. This process transforms raw bytes into structured, typed, and semantically meaningful data fields that provide a high-level representation of the traffic. However, constructing protocol parsers by hand is a tedious and error-prone affair due to the complexity and sheer number of application protocols. This paper presents binpac, a declarative language and compiler designed to simplify the task of constructing robust and efficient semantic analyzers for complex network protocols. We discuss the design of the binpac language and a range of issues in generating efficient parsers from high-level specifications. We have used binpac to build several protocol parsers for the "Bro" network intrusion detection system, replacing some of its existing analyzers (handcrafted in C++), and supplementing its operation with analyzers for new protocols. We can then use Bro's powerful scripting language to express application-level analysis of network traffic in high-level terms that are both concise and expressive. binpac is now part of the open-source Bro distribution.
%0 Conference Paper
%1 1177119
%A Pang, Ruoming
%A Paxson, Vern
%A Sommer, Robin
%A Peterson, Larry
%B IMC '06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
%C New York, NY, USA
%D 2006
%I ACM
%K language parsing protocol yacc
%P 289--300
%R http://doi.acm.org/10.1145/1177080.1177119
%T binpac: a yacc for writing application protocol parsers
%U http://portal.acm.org/citation.cfm?id=1177080.1177119
%X A key step in the semantic analysis of network traffic is to parse the traffic stream according to the high-level protocols it contains. This process transforms raw bytes into structured, typed, and semantically meaningful data fields that provide a high-level representation of the traffic. However, constructing protocol parsers by hand is a tedious and error-prone affair due to the complexity and sheer number of application protocols. This paper presents binpac, a declarative language and compiler designed to simplify the task of constructing robust and efficient semantic analyzers for complex network protocols. We discuss the design of the binpac language and a range of issues in generating efficient parsers from high-level specifications. We have used binpac to build several protocol parsers for the "Bro" network intrusion detection system, replacing some of its existing analyzers (handcrafted in C++), and supplementing its operation with analyzers for new protocols. We can then use Bro's powerful scripting language to express application-level analysis of network traffic in high-level terms that are both concise and expressive. binpac is now part of the open-source Bro distribution.
%@ 1-59593-561-4
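@comment{Cleaned-up BibSonomy export. Changes relative to the raw export: the DOI is stored bare (resolver prefix removed) so styles and resolvers can build the link; the conference city is moved from `location` to `venue`, because `location` is the biblatex alias of `address` and the entry otherwise carried two conflicting publisher cities; the city name's spelling is corrected; the lowercase tool names in the title are brace-protected so sentence-casing styles do not capitalise them; a missing sentence space and straight quotes in the abstract are fixed. The citation key is kept unchanged so existing \cite commands keep working. Aggregator fields (added-at, biburl, description, interhash, intrahash, timestamp) are retained; BibTeX ignores field names it does not know.}
@inproceedings{1177119,
  author      = {Pang, Ruoming and Paxson, Vern and Sommer, Robin and Peterson, Larry},
  title       = {{binpac}: A {yacc} for Writing Application Protocol Parsers},
  booktitle   = {{IMC} '06: Proceedings of the 6th {ACM} {SIGCOMM} Conference on {Internet} Measurement},
  venue       = {Rio de Janeiro, Brazil},
  pages       = {289--300},
  publisher   = {ACM},
  address     = {New York, NY, USA},
  year        = {2006},
  isbn        = {1-59593-561-4},
  doi         = {10.1145/1177080.1177119},
  url         = {http://portal.acm.org/citation.cfm?id=1177080.1177119},
  keywords    = {language parsing protocol yacc},
  abstract    = {A key step in the semantic analysis of network traffic is to parse the traffic stream according to the high-level protocols it contains. This process transforms raw bytes into structured, typed, and semantically meaningful data fields that provide a high-level representation of the traffic. However, constructing protocol parsers by hand is a tedious and error-prone affair due to the complexity and sheer number of application protocols. This paper presents binpac, a declarative language and compiler designed to simplify the task of constructing robust and efficient semantic analyzers for complex network protocols. We discuss the design of the binpac language and a range of issues in generating efficient parsers from high-level specifications. We have used binpac to build several protocol parsers for the ``Bro'' network intrusion detection system, replacing some of its existing analyzers (handcrafted in C++), and supplementing its operation with analyzers for new protocols. We can then use Bro's powerful scripting language to express application-level analysis of network traffic in high-level terms that are both concise and expressive. binpac is now part of the open-source Bro distribution.},
  description = {binpac},
  added-at    = {2007-12-06T03:18:39.000+0100},
  timestamp   = {2007-12-06T03:18:39.000+0100},
  biburl      = {https://www.bibsonomy.org/bibtex/2edc58ce5cb42a317ca89b20263aae4ad/jhammerb},
  interhash   = {99c7196a57f5524af20f1b591cbb84a7},
  intrahash   = {edc58ce5cb42a317ca89b20263aae4ad},
}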