No worries; I'm happy to hear that the issue is resolved now!
If you tried the Latin-1 and still saw unexpected coloring, it could have been the case sensitivity issue -- this has caught me off guard a few times as well.
Regarding why we use UTF-8 in regex by default. UTF-8 is the default encoding across IO Ninja (log engine, terminal, transmit pane, etc). So it makes sense to use UTF-8 in regex for the sake of consistency. But here we have a dilemma. If the regex engine uses UTF-8 by default, then individual bytes could be uncolored -- RE2 could treat them as part of a UTF-8 sequence. If, on the other hand, we use Latin-1 by default, then multi-byte Unicode characters could be uncolored.
I guess we could try to be smarter and automatically choose Latin-1 or UTF-8 based on the pattern (i.e., force Latin-1 when the pattern contains \xHH, force UTF-8 when the pattern contains multi-byte Unicode characters). Forcing the encoding is not a good thing, though. Maybe have an "Auto" option or something like that.
If you encounter anything else, please let me know. Your feedback over the years has been invaluable—thank you so much!
Also, regarding this:
and, in a weird case, a value (0x77) colorize two bytes (0x77 and 0x57)
This is actually fine. "Case sensitive" is set to OFF, so 0x77 (W) and 0x57 (w) both match.
Hello Josep,
You have to set "Force Latin-1 encoding" when you are colorizing raw byte sequences. Otherwise, RE2 will try to decode UTF-8, and this yields unexpected results when the data stream (or the pattern) contains invalid UTF-8 sequences -- which is a common thing in raw IO streams.
As a matter of fact, I think we should change the default behaviour -- i.e., use Latin-1 by default and only UTF-8-decode when explicitly asked for.
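The Latin-1 versus UTF-8 dilemma from the replies above, as an added Python illustration (not code from the original posts; Python's `re` stands in for RE2, and `colorize`, `auto_encoding` and the sample bytes are constructed for this example). It reports which byte offsets of a raw stream a pattern would color under each decoding, and sketches the "Auto" heuristic mentioned above.

```python
import re

# Constructed sample stream: raw byte 0xE9, bytes 0x77 and 0x57,
# then the valid UTF-8 sequence C3 A9 (U+00E9).
SAMPLE = bytes([0x02, 0xE9, 0x77, 0x57, 0xC3, 0xA9, 0x03])


def decode_utf8_with_offsets(data):
    """Decode UTF-8 char by char, remembering the byte offset of each char.
    Bytes that do not start a valid sequence become U+FFFD (one byte each)."""
    chars, offsets, i = [], [], 0
    while i < len(data):
        for n in (1, 2, 3, 4):
            try:
                ch = data[i:i + n].decode("utf-8")
            except UnicodeDecodeError:
                continue
            break
        else:
            ch, n = "\ufffd", 1
        chars.append(ch)
        offsets.append(i)
        i += n
    offsets.append(len(data))
    return "".join(chars), offsets


def colorize(pattern, data, encoding, ignore_case=False):
    """Return the sorted byte offsets of `data` covered by matches of `pattern`
    when the stream is interpreted as `encoding` ("latin-1" or "utf-8")."""
    if encoding == "latin-1":
        # Latin-1 maps every byte to exactly one character: offsets are 1:1.
        text, offsets = data.decode("latin-1"), list(range(len(data) + 1))
    else:
        text, offsets = decode_utf8_with_offsets(data)
    flags = re.IGNORECASE if ignore_case else 0
    covered = set()
    for m in re.finditer(pattern, text, flags):
        covered.update(range(offsets[m.start()], offsets[m.end()]))
    return sorted(covered)


def auto_encoding(pattern, default="utf-8"):
    """Hypothetical "Auto" choice: \\xHH in the pattern suggests raw bytes,
    a non-ASCII character suggests text; otherwise keep the default."""
    if re.search(r"\\x[0-9A-Fa-f]{2}", pattern):
        return "latin-1"
    if any(ord(ch) > 0x7F for ch in pattern):
        return "utf-8"
    return default


if __name__ == "__main__":
    for enc in ("latin-1", "utf-8"):
        print(enc, r"\xe9 ->", colorize(r"\xe9", SAMPLE, enc))
    print("case-insensitive \\x77 ->",
          colorize(r"\x77", SAMPLE, "latin-1", ignore_case=True))
```

Under UTF-8 the raw byte at offset 1 stays uncolored while the two-byte sequence at offsets 4 and 5 matches; under Latin-1 it is the other way around.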
Currently, there's no built-in UI feature for that. However, it's a totally legit feature request (and is quite easy to implement). We could add it to one of the upcoming releases.
At the moment, what can be done instead is a simple plugin to expand ALL records:
```
class AutoExpandFilterLayer:
    doc.Layer,
    log.FoldingFilter {
    ui.BoolProperty* m_expandProp;

    construct(doc.PluginHost* pluginHost) {
        basetype.construct(pluginHost);
        m_expandProp = pluginHost.m_propertyGrid.createBoolProperty("Expand all records");
        pluginHost.m_log.addFoldingFilter(this);
    }

    override void restoreDefaultProperties() {
        m_expandProp.m_value = true;
    }

    override uint8_t filter(
        uint64_t timestamp,
        uint64_t recordCode,
        void const* p,
        size_t size
    ) {
        return m_expandProp.m_value ? log.FoldFlags.ExpandAll : 0;
    }
}
```
Here's an archive with the full plugin:
AutoExpand.7z
After attaching it, all the new foldable records will be expanded by default. You can check/uncheck the "Expand all" property and rebuild the log to expand or collapse all foldable records.
Hope this helps!
This script only generates packet contents and passes the raw data to the underlying session for transmission -- so it will work with any transport. If you need to send those packets over UDP, open the "UDP Socket" plugin, configure remote IP:Port accordingly, then run the script:
Here's a script that will open a CSV file, parse it line by line, then prepare and transmit binary packets for each line:
```
import "io_base.jncx"
import "io_MappedFile.jnc"

enum: uint64_t {
    // epoch difference (in seconds) between Unix time (1 Jan 1970 00:00) and Windows time (1 Jan. 1601 00:00)
    UnixTimeEpochDiff = 11644473600,

    // delay between packets (in milliseconds)
    InterPacketDelay = 500,
}

// the structure of the packet

pragma(Alignment, 1)

struct Packet {
    uint8_t m_optionsByte = 0x83;
    uint8_t m_mobileIdLength = 0x08;
    bigendian uint64_t m_mobileId;
    uint8_t m_mobileIdTypeLen = 0x01;
    uint8_t m_mobileIdType = 0x02;
    uint8_t m_serviceType = 0x01;
    uint8_t m_messageType = 0x02;
    bigendian uint16_t m_sequenceIdx;
    bigendian uint32_t m_updateTime;
    bigendian uint32_t m_timeOfFix;
    bigendian uint32_t m_latitude;
    bigendian uint32_t m_longitude;
    bigendian uint32_t m_altitude;
    bigendian uint32_t m_speed;
    bigendian uint16_t m_heading;
    uint8_t m_satellites = 0x0B;
    uint8_t m_fixStatus = 0x02;
    bigendian uint16_t m_carrier = 0x0004;
    bigendian uint16_t m_rssi = 0xFFBF;
    uint8_t m_commState = 0x0F;
    uint8_t m_hdop = 0x09;
    uint8_t m_inputs;
    uint8_t m_unitStatus = 0x01;
    uint8_t m_eventIndex = 0x04;
    uint8_t m_eventCode = 0xA8;
    uint8_t m_accums = 0x06;
    uint8_t m_spare = 0x00;
    bigendian uint32_t m_accum0 = 0x00000000;
    bigendian uint32_t m_accum1 = 0x00000000;
    bigendian uint32_t m_accum2 = 0x10600000;
    bigendian uint32_t m_accum3 = 0x001A35DF;
    bigendian uint32_t m_accum4 = 0x02C80269;
    bigendian uint32_t m_accum5 = 0x62347EF0;
    char m_lf = '\n';
}

char const* findEol(
    char const* p,
    char const* eof
) {
    char const* eol = memchr(p, '\n', eof - p);
    return eol ? eol + 1 : eof;
}

void main() {
    connect();

    string_t fileName = io.getHomeDir() + "/history.csv"; // adjust accordingly
    io.MappedFile file;
    file.open(fileName, io.FileOpenFlags.ReadOnly);

    size_t size = file.m_size;
    char const* p = file.view(0, size);
    char const* eof = p + size;
    size_t index = 0;
    Packet packet; // all const fields are initialized; we'll adjust variable fields below

    p = findEol(p, eof); // skip the first line
    while (p < eof) { // process the rest line by line
        char const* eol = findEol(p, eof);
        string_t line(p, eol - p);
        p = eol;

        if (line !~ r"\s*([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)")
            continue; // skip all CSV lines that do not match the pattern

        // Jancy uses Windows timestamps (in 100-nsec intervals, i.e. sec / 10^7)
        uint_t unixTime = sys.getTimestamp() / 10000000 - UnixTimeEpochDiff;

        // adjust all the variable fields in the packet
        packet.m_mobileId = strtoul($1,, 16);
        packet.m_sequenceIdx = index++;
        packet.m_updateTime = unixTime;
        packet.m_timeOfFix = unixTime;
        packet.m_latitude = (uint_t)(atof($3) * 10000000);
        packet.m_longitude = (uint_t)(atof($4) * 10000000);
        packet.m_altitude = (uint_t)(atof($5) * 100);
        packet.m_speed = (uint_t)(atof($6) * 100);
        packet.m_heading = strtoul($7);
        packet.m_inputs = strtoul($8);

        // transmit, wait and move on to the next line
        transmit(&packet, sizeof(packet));
        sys.sleep(InterPacketDelay);
    }
}
```
Unlike the original PHP sample I received from you, I didn't generate a HEX string first -- in Jancy, it's much cleaner (and more efficient, of course) to generate binary data right away. First, we declare the Packet struct according to your specification and initialize all constant fields; then, we walk over the file line by line and adjust fields that depend on the CSV data.
Feel free to ask any questions regarding the script.
Confirmed. There's a regression in the Ethernet Tap plugin on Linux builds that somehow got under the radar during routine pre-release testing; will be fixed in the very next release.
Workarounds:
ioninja-hwc
.pcap
$ ./ioninja-hwc --ethernet-tap --pcap --out=my-capture.pcap
use the previous release of ioninja: https://tibbo.com/downloads/archive/ioninja/ioninja-5.5.1/
if that's possible in your case, use the Windows or macOS builds of the latest ioninja-5.6.0 (the regression only affects Linux builds).
Also, is it mandatory to be root, or is there a way to allow a user to open the Ethernet tap?
You can add a UDEV rule to assign less restrictive permissions to USB devices based on VID/PID:
https://ioninja.com/doc/kb/linux_usb_permissions.html
For the Ethernet Tap, use these parameters:
SUBSYSTEM=="usb", ATTR{idVendor}=="326f", ATTR{idProduct}=="0003", MODE="0666", SYMLINK="ethernet-tap"
@apie-llc
I can see Serial Tap under Device Manager USB controllers-> IO Ninja Serial Tap, location Port_#0001.Hub_#0003. When I start a new session for ModBus Analyzer, the port list is just empty.
Which session are you running? I mean, Modbus Analyzer is a layer plugin that's attached on top of some other session that provides raw data. I assume, you want to capture data via a Serial Tap -- then you have to start a Serial Tap session first:
Then you can attach Modbus Analyzer on top so that it decodes Modbus commands & replies for you.
The devmon is installed and works properly as in the KB section
devmon is for capturing local traffic generated by other apps on the same PC; it's not required for a Serial Tap.
If you have another application doing Modbus communications, you can start a Serial Monitor session (this plugin uses devmon) and see what this other app sends and receives. Then you can attach a Modbus layer on top to parse raw data and decode Modbus packets.
@jose-marro
I was thinking of using it for parsing and generating frames (IEC60870-5-103 frames)...
For parsing frames, dylayout would be a perfect tool.
For generating frames programmatically, dynamic layouts won't add much extra convenience (and dyfields are currently all const anyway).
But! One thing I didn't mention above is that dynamic layouts are also perfect for creating packet templates!
After defining a dynamic layout "specification" for a protocol, you will be able to conveniently build packets for this protocol in the Property Grid on the Hex Transmit pane in IO Ninja. Set enumeration fields via drop-down lists, set bits in bitfields with check-boxes, have big-endian automatically converted for you, etc. If a protocol uses checksums, you can define methods for automatic calculation of those checksums before transmission.
All in all, it's an awesome tool for generating and sending out test packets! If you didn't see it, please check it out -- it could be just what you are looking for.
A short follow-up after thinking more about q1.
In my previous write-up, I used the word "packets" when talking about binary blobs that dynamic layouts work with. But of course, those could be any binary objects — disk files, disks themselves, shared memory, etc.
Indeed, with packets, we usually generate the whole thing from scratch—and using dynamic layouts here doesn't offer much.
But if we think about objects like files or disks, it makes perfect sense to allow modification alongside parsing. Something like (1) locate a specific field inside a file, (2) modify this field, (3) proceed to the next one.
So yeah, I think we should remove the forced const on dyfield declarations. We still need to somehow preserve const-correctness for the parse-only cases, though.
One way would be to introduce an auxiliary class jnc.MutableDynamicLayout, which would take non-const pointers; when the dylayout argument is jnc.MutableDynamicLayout, the Jancy compiler won't add implicit const to dyfield declarations.
Thoughts?
P.S. Moved the topic to General Discussion
Happy to see you are trying to play with the new Jancy feature! Indeed, dynamic layouts are replacing dynamic structs -- which never were utilized in IO Ninja (as they were way too limited for practical use).
With this new approach, it's possible to describe pretty much any protocol or protocol stack. Please check the release announcement; there, I outlined the main problems that dynamic layouts really help with, which boils down to this:
To answer your questions:
q1. is it possible to assign a value to a "dyfield"?
TLDR: currently, no. In theory, yes, but that (probably) would be a misuse.
The main motivation for dynamic layouts was a simplification of binary packet parsing. Therefore, jnc.DynamicLayout expects a read-only void const* as a buffer pointer, and the Jancy compiler adds an implicit const to all fields to reinforce that.
In theory, it's possible to remove this limitation and allow passing non-const buffers to the dylayout statement (thus allowing modification of dyfield items). That shouldn't really break anything, but dynamic layouts won't really provide many benefits for the generation of packets (as opposed to parsing). The difference is that when we generate a packet, we outright know what has to be in the packet. So why not take a std.Buffer and append all the necessary blocks one by one?
q2. is it possible to access to the "DynamicLayout" elements outside of the dylayout section?
TLDR: yes and no (can enumerate all the fields, but can't reference a particular one by name or index).
Things like layout.myChar are not possible, even in theory. What if the branch where myChar is defined was simply skipped? Worse yet, what if myChar's type depends on the branch, like:

```
dylayout (layout) {
    dyfield uint8_t bitness;
    switch (bitness) {
    case 8:
        dyfield uint8_t myChar;
        break;

    case 16:
        dyfield uint16_t myChar;
        break;

    case 32:
        dyfield uint32_t myChar;
        break;

    case 64:
        dyfield uint64_t myChar;
        break;
    }
}
```
On the other hand, you can iterate over all the discovered fields after exiting from dylayout -- that's what IO Ninja does to represent packets in the log. To do so, you pass jnc.DynamicLayoutMode.Save to the jnc.DynamicLayout constructor and then recursively walk over sections of jnc.DynamicLayout.
Here's a rather lengthy but realistic example. To run it, simply glue all 3 code snippets below together.
First, let's define the protocol structures:
```
pragma(Alignment, 1);

struct EthernetHdr {
    uint8_t m_dstMac[6];
    uint8_t m_srcMac[6];
    bigendian uint16_t m_etherType;
}

struct IpHdr {
    uint8_t m_headerLength : 4;
    uint8_t m_version : 4;
    uint8_t m_typeOfService;
    bigendian uint16_t m_totalLength;
    bigendian uint16_t m_identification;
    bigendian uint16_t m_flags : 3;
    bigendian uint16_t m_fragmentOffset : 13;
    uint8_t m_timeToLive;
    uint8_t m_protocol;
    bigendian uint16_t m_headerChecksum;
    bigendian uint32_t m_srcAddress;
    bigendian uint32_t m_dstAddress;
}

struct TcpHdr {
    bigendian uint16_t m_srcPort;
    bigendian uint16_t m_dstPort;
    bigendian uint32_t m_seqNumber;
    bigendian uint32_t m_ackNumber;
    uint8_t m_reserved : 4;
    uint8_t m_dataOffset : 4;
    uint8_t m_flags;
    bigendian uint16_t m_window;
    bigendian uint16_t m_checksum;
    bigendian uint16_t m_urgentData;
}
```
Now, here comes the main function. The dylayout part is the heart of the parser. If you want pause-and-resume, you should put it into an async coroutine -- then it will be possible to pause in the middle of parsing the packet if it's not complete yet -- and wait for more bytes. But for the TCP/IP stack, it won't make much sense, of course.
```
int main() {
    // a sample packet
    char packet[] =
        0x"00 1d aa 5f 9c 68 00 ad 24 90 be ae 08 00 45 00"
        0x"00 34 63 aa 40 00 80 06 00 00 c0 a8 01 79 14 bd"
        0x"ad 18 83 53 01 bb 77 02 38 0b 00 00 00 00 80 02"
        0x"fa f0 bc 0c 00 00 02 04 05 b4 01 03 03 08 01 01"
        0x"04 02";

    jnc.DynamicLayout layout(
        jnc.DynamicLayoutMode.Save, // when parsing, also save all discovered fields
        packet,
        sizeof(packet)
    );

    dylayout (layout) { // the main specification
        dyfield EthernetHdr hdr;
        switch (hdr.m_etherType) {
        case 0x0800: // IP4
            dyfield IpHdr ipHdr;

            // options occupy the bytes between the fixed header and the declared header length
            if (ipHdr.m_headerLength * 4 > sizeof(IpHdr)) // have options
                dyfield uint8_t options[ipHdr.m_headerLength * 4 - sizeof(IpHdr)];

            switch (ipHdr.m_protocol) {
            case 6: // TCP
                dyfield TcpHdr tcpHdr;
                break;

            case 17: // UDP
            case 1:  // ICMP
                // etc
            }
            break;

        case 0x86dd: // IPv6
        case 0x0806: // ARP
            // etc
        }
    }

    printGroup(packet, layout);
    return 0;
}
```
Finally, here's how to do a recursive walk across all discovered items. A more sophisticated version of such a walker can be found in scripts/common/log_RepresentDynamicLayout.jnc (it's used to render dynamic layouts in the log with respect for color, format specifier, display name, and other attributes):

```
string_t g_indentStep = " ";

void printGroup(
    void const* p,
    jnc.DynamicSectionGroup* group,
    string_t indent = ""
) {
    for (size_t i = 0; i < group.m_sectionCount; i++) {
        jnc.DynamicSection* section = group.m_sectionArray[i];
        switch (section.m_sectionKind) {
        case jnc.DynamicSectionKind.Array:
            printf(
                "%08x%s %s %s[%d]\n",
                section.m_offset,
                indent,
                section.m_type.m_typeString,
                section.m_decl.m_name,
                section.m_elementCount
            );
            break;

        case jnc.DynamicSectionKind.Struct:
            jnc.StructType* type = dynamic (jnc.StructType*)section.m_type;
            printFields(p, section.m_offset, type, indent);
            break;

        case jnc.DynamicSectionKind.Group:
            printf("%08x%s %s {\n", section.m_offset, indent, section.m_decl.m_name);
            printGroup(p, section, indent + g_indentStep);
            printf("%s}\n", indent);
            break;
        }
    }
}

void printFields(
    void const* p,
    size_t baseOffset, // struct field offsets are relative to the beginning of the struct, so we need base offset
    jnc.StructType* type,
    string_t indent
) {
    for (size_t i = 0; i < type.m_fieldCount; i++) {
        jnc.Field* field = type.m_fieldArray[i];
        size_t offset = baseOffset + field.m_offset;
        printf("%08x%s %s %s", offset, indent, field.m_type.m_typeString, field.m_name);

        if (field.m_type.m_typeKind != jnc.TypeKind.Struct)
            printf(" = %s\n", field.getValueString(p + offset));
        else {
            printf("\n");
            printFields(p, offset, dynamic (jnc.StructType*)field.m_type, indent + g_indentStep);
        }
    }
}
```
But what if you want to access a particular field instead of walking across all fields? Then you need to access it within dylayout, from the branch where this field is visible! Otherwise, the field you try to access may be missing or be of the wrong type.
A short summary.
I know, it's a lengthy reply, but hope this makes sense. Feel free to follow up with any questions or suggestions!
@schunsky
Is it possible to get the "merged" data when I write a custom protocol analyzer?
This merging strategy is a part of the logging engine, so yes, it applies to all kinds of plugins, including custom protocol analyzers.
I concluded that the strange behaviour where I received data 1 byte each was because of a USB-UART adapter I used.
Hmm, a particular model of USB-to-UART is unlikely to cause this one-byte-at-a-time behavior. My guess is that the buffering settings are to blame (i.e., IO Ninja reads into a one-byte buffer). Check the "Buffering & compatibility" section in properties and try resetting it all to defaults.
Adding a shortcut for clear-the-log is technically trivial. But it should be something that's really hard to press by accident (something like Ctrl+Shift+F8). I mean, imagine a user confusing the shortcut and accidentally killing a log that was built overnight! We even had an opposite (kind of) to your feature request—having a confirmation dialog for clear-the-log!
Adding shortcuts to start-capture, stop-capture, connect, disconnect, etc. -- is technically harder because all those commands are plugin-specific and created from the plugin scripts. Hence, plugins should be able to assign shortcuts to the actions they create -- but IO Ninja currently doesn't have such an API (which should be added, of course).
Overall, a totally valid feature request! We'll try to get something in this department for the next release...
Shun,
By default, IO Ninja merges all blocks of the same data stream together (TX to TX, RX to RX) and highlights merged block boundaries using this grey-white checker pattern. You can turn off this highlighting and configure other details of the merging strategy here:
From your screenshot, I can see that (1) data arrives one byte at a time and (2) not all RX blocks are merged together.
(2) means that you modified the merging strategy (e.g. set to a 20ms threshold or something like that)
(1) most likely, it's caused by the custom buffering rules (e.g. the read block size is set to 1 byte). Unless you have a specific reason to do otherwise, it's recommended to use default buffer sizes.
Hi again, Jörg,
Correct, for capturing, elevation is required. This is by design -- capturing USB traffic is a major security threat (e.g., it allows intercepting keystrokes, mouse movements, etc). The USBPcap driver makes sure only elevated processes can open \Device\USBPcap<n> for reading by assigning a corresponding security descriptor. And there's no way to override this behavior -- the security descriptor is hardcoded.
Hi Jorg,
If the USB Mon device list is empty, it most likely means that USBPcap is not properly installed (did you reboot after installing it?) The enumeration of USBPcap devices requires no elevated privileges, so you should see the list of available USB devices (together with their mapping to particular USBPcap devices) in the drop-down list no matter if you run IO Ninja elevated or not. You can try running the USB Mon session as Administrator for the sake of the experiment, but it shouldn't change much...
Can you see the list of available USBPcap devices in Wireshark by the way?
Glad to hear it helped! Let me know if you have more questions regarding this protocol analyzer of yours. Which protocol is that, by the way?
There are new tutorials on writing custom protocol analyzers and packet templates using dynamic layouts; please check them out:
https://ioninja.com/doc/developer-manual/tutorial-plugin-analyzer.html
https://ioninja.com/doc/developer-manual/tutorial-ias-packet-dylayout.html
(The original tutorial is still available at https://ioninja.com/doc/developer-manual/tutorial-plugin-analyzer-legacy.html)
It's now much easier to write custom protocol analyzers than it used to be...
@bartho-dröge
Uhm, not quite sure what you mean? It's actually OK to download IO Ninja packages even without signing in to ioninja.com
Serial Terminal requires the capability org.jancy.io.serial, yes. But still, it doesn't stop users from downloading and running evaluation.
But wait, in your case, you have an active subscription, so everything should be unlocked and available. Please let me know if it's not the case and you have problems accessing some functionality...
Hi Shun,
I'd say it's a better practice to keep state variables as member fields of your parser class rather than using globals. But it's not written in stone, of course.
To reset state variables/fields on every session start, process log.StdRecordCode.SessionStart in your log.Converter.convert(...) routine and do initialization from there. Also, you want to override log.Converter.reset() and do initialization here, too (reset() will get called when a user force-clears the log, rebuilds the log by adding a filter, etc).
You can check the official Modbus Analyzer for reference (there are two versions now, a new one based on dynamic layouts and the legacy one).
Also, there are new tutorials on writing protocol analyzers and packet templates using dynamic layouts, check them out: