Payload Functions
This topic defines language for the flex parser payload functions.
These functions operate on a read position, set at the beginning of a match element.
Language Definition
| Node Name | Attribute Name | Description |
|---|---|---|
| find | | Searches the stream payload, starting at the read position, for a provided string value. If the value is found, the offset from the read position is returned and any child elements execute. If the value is not found, child elements do not execute. |
| | name | A number variable to receive the offset from the read position where the match begins. |
| | value | A string to find. |
| | length (optional) | A limit to the length of the payload to be searched. If a limit is not provided, the remainder of the payload is searched. Always use the smallest value possible here to reduce the effect on performance. |
| install-decoder | | To enable tokens to match on payload data that may be fragmented or otherwise encoded, a scan decoder can be installed to preprocess a section of the payload before it is scanned for tokens. An example would be an HTTP response that uses the chunked transfer encoding with gzip content encoding. By parsing the HTTP header, the necessary type, offset, and length parameters can all be set, after which the HTTP response payload appears to the token scanning as if neither encoding had been applied. However, this incurs significant overhead. |
| | type | The type of decoder to install. Valid options are: gzip, deflate, chunked, chunked-gzip, chunked-deflate. |
| | offset | Offset from the current read position to begin decoding. |
| | length | The maximum payload length to decode. |
| isdecoding | | Tests whether an installed decoder is currently active. If so, any children of this function execute. This function has no parameters. |
| move | | Moves the read position in the current stream by a specified number of bytes. If there is sufficient data in the stream, the read position is updated and any child elements execute. Otherwise, the read position remains unchanged and child elements do not execute. |
| | value | The number of bytes to move the read position. |
| | direction (optional) | The direction to move the current read position. Can be forward (default) or reverse. |
| packetid | | Returns the id of the packet for the current read position. The result can be 0, which indicates that the packet id could not be determined. |
| | name | A number variable to receive the current packet id. |
| payload-position | | Returns the current read position. This is a zero-based index into the stream payload. |
| | name | A number variable to receive the current read position. |
| read | | Reads a specified number of bytes, starting at the read position, into a variable. If there is sufficient data in the stream, the read position is updated, the data read is assigned, and any child elements execute. Otherwise, the read position remains unchanged and child elements do not execute. |
| | name | The name of a string or number variable to receive stream data. If a number variable is provided, the bytes read are interpreted as a single unsigned numeric value. |
| | length | The number of bytes to read from a stream. |
| | endianess (optional) | The byte ordering to use when reading into a number variable. Can be big (default) or little. The attribute is invalid when reading into a string variable. |
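
The install-decoder row above describes an HTTP response that is both chunked and gzip-encoded. The following Python model is an added illustration, not flex parser syntax and not the product's implementation: it shows why a token cannot match the raw payload and what the header must supply (decoder type and offset) before it can. All function names and the sample response are constructed for this example, and `find` is assumed to leave the read position unchanged.

```python
import gzip

def find(payload: bytes, pos: int, value: bytes, length=None):
    """Model of find: offset of value from read position pos, or None."""
    end = len(payload) if length is None else min(len(payload), pos + length)
    idx = payload.find(value, pos, end)
    return None if idx < 0 else idx - pos

def dechunk(data: bytes) -> bytes:
    """Undo HTTP chunked transfer encoding; stop at the zero-size chunk."""
    out, i = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", i)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(data[i:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(data):
            raise ValueError("truncated chunk body")
        out += data[start:start + size]
        i = start + size + 2  # skip the CRLF that closes the chunk

def decode_body(payload: bytes, pos: int = 0):
    """Derive decoder type and offset from the header; return them with the decoded body."""
    off = find(payload, pos, b"\r\n\r\n", length=4096)  # bounded search, as advised
    if off is None:
        return None
    head = payload[pos:pos + off].lower()  # simple substring checks, enough for the sample
    chunked = b"transfer-encoding: chunked" in head
    gz = b"content-encoding: gzip" in head
    body = payload[pos + off + 4:]
    body = dechunk(body) if chunked else body
    body = gzip.decompress(body) if gz else body
    dtype = "-".join(n for n, on in (("chunked", chunked), ("gzip", gz)) if on)
    return dtype, off + 4, body

def build_sample(token: bytes) -> bytes:
    """Constructed HTTP response: gzip body split into 16-byte chunks."""
    z = gzip.compress(b"<html>" + token + b"</html>")
    parts = [z[i:i + 16] for i in range(0, len(z), 16)]
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts)
    return (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunks + b"0\r\n\r\n")

TOKEN = b"X-Sample-Token"      # constructed token value
SAMPLE = build_sample(TOKEN)   # constructed payload
```

Scanning `SAMPLE` directly never sees `TOKEN`; it appears only in the body returned by `decode_body(SAMPLE)`, which is the view a chunked-gzip scan decoder gives the token scanner.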