XML Protocol Definitions
Argos introduces a proprietary, powerful yet simple XML Protocol Description Language (x-protocol) that defines all aspects of protocol analysis, from acquisition through decoding, presentation and post-processing.
The XML Protocol Definitions (x-defs) are stored in plain or encrypted text files that include one another hierarchically, starting from a top-level definition file.
The analyzer can load any number of top-level protocol definition files, each with its include hierarchy, and use them in parallel for protocol analysis.
User-selected protocols are loaded automatically at application startup.
The application also acts as a development environment for the XML Protocol Definitions, offering an enhanced XML editor with definition browsing, template insertion and context help.
The XML Protocol Definitions cover the following aspects of the protocol analysis:
- general protocol-level definitions, such as name, identifier and structural root
- list of included protocol definition files
- structural definitions of protocol PDUs down to byte and bit level
- protocol data input formats, with binary and text mode parsing and packetizing
- PDU filtering
- fragmented PDU reassembly
- text and binary exports
- view definitions, view column layout and content
- message diagrams
- command forms layout and commands
- aliases
Each protocol can be associated with log-file naming rules, so that the matching protocol is loaded automatically when needed; alternatively, the user selects a protocol at load time. Each protocol can define any number of binary or text input data formats, chosen automatically by association or selected manually.
Without going into details for all the XML definition elements listed above, we present next the structural definition of the protocol PDUs used for the analysis. The naming convention x-<element> is used to refer to an x-def.
The structural x-defs consist of two main elements:
- x-symdef: a hierarchical representation of a PDU content
- x-map: a map of value associations
An x-symdef defines a hierarchical representation of a bit or byte interval of a PDU; the interval can be a single bit or byte, or the whole PDU.
The top node of an x-symdef is called the root x-symdef; its members, at every hierarchical level, are called x-members, and both are referred to as x-symdef elements or x-elements.
An x-element can be structural or discrete. Structural x-elements have member x-elements and represent a group of discrete x-elements. Discrete x-elements describe the interpretation of a contiguous group of bits or bytes as a single value.
Each x-element has two mandatory fields: name and type. The name is a free string (spaces are not recommended). The type can be structural or discrete, real or virtual; the remaining parameters of the x-element depend on it.
An x-condition string can be attached to any x-element, with other discrete x-elements as operands. If the condition evaluates to false, the x-element and its members, if any, are skipped.
The type of structural x-elements can be: struct, union, bitstruct, bitunion.
The type of real discrete x-elements can be:
- numerical byte level: byte, word, ..., uint8, uint16, ..., etc.
- numerical bit level: bitfield
- boolean: bool, bool8, bool16, etc.
- char, string
- buffer: buffer, bitbuffer
The type of virtual discrete x-elements can be:
- variable: numerical or string, calculated from other x-elements values
- const: numerical or string
- view: formatted string from other x-elements values
- special types: ipv4, ipv6, mac, padding, ASN.1-specific types, etc.
For x-elements whose size is not implied by the type, the size in bits or bytes must be specified.
The type can also be the name of another x-symdef (static linking), or an x-function (dynamic linking), which is an x-map lookup chain string that takes other x-elements as input.
With static linking, the x-element is always replaced with the linked x-symdef.
With dynamic linking, the x-element is replaced only at analysis time, since the linked x-symdef is the result of evaluating the x-function against the ongoing analysis.
The size, where one applies, can also be defined as an x-function or as a numeric expression over other x-elements.
Two further important, but optional, parameters exist for a discrete x-element:
The x-value is the symbolic representation of the x-element's value, usually defined as an x-function whose default input parameter is the x-element's native numeric or string value. If it is not specified, the native value is used as the result, the x-result.
The x-format is the formatting string for the x-result, very similar to a C printf format string. If it is not specified, the native value's default format is used.
A few other x-element parameters can also be defined: array (number of repetitions), endianness (little-endian by default), flat (the structure is shown flattened), hide (the x-element is not displayed), color, and some other special parameters.
Based on the x-elements described above, an example x-def defining the CHAP protocol from the PPP protocol family is presented here.
Dynamic linking is used when the rest, or a part, of a message is decoded differently for each message, based on the value of an already analysed member.
Each contextually separable message section can be defined in its own x-symdef and linked statically wherever it applies.
The typical use case is a message with a header and a payload: the header contains a message identifier, and the payload is decoded differently depending on that identifier.
As can be observed, the x-symdef syntax is very similar to the definition of structures in the C language.
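To make the header/payload mechanism concrete, the following added example (not Argos code, and not the x-protocol XML syntax, which this page does not show) models the concepts described above in Python: a hierarchical struct of discrete elements, sizes and conditions computed from earlier members, an x-map from value to symbolic name, an x-value/x-format pair for presentation, and an x-function that dynamically links the CHAP Data section to a different sub-structure depending on the header Code. The CHAP layout (Code, Identifier, Length, Data; Challenge/Response Data = Value-Size, Value, Name) follows RFC 1994. The names Struct, Field, decode and friends are this example's own. The sample PDUs are constructed, not captured. The check a practitioner wants in any such decoder is included: a size taken from a Length or Value-Size field is attacker-controlled and must be bounded by the bytes actually present.

```python
"""Toy decoder modelled on the x-symdef / x-map concepts described in the text.
Added example: Struct, Field, decode, ... are this example's own names, not
Argos's x-protocol syntax.  CHAP layout from RFC 1994."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union


class DecodeError(ValueError):
    """A PDU claims more bytes than it carries, or a computed size is negative."""


@dataclass
class Field:
    """One x-element.  `type` is a primitive name, a Struct (static link) or a
    callable that picks a Struct from already decoded members (dynamic link,
    the x-function of the text)."""
    name: str
    type: Union[str, "Struct", Callable[[Dict], "Struct"]]
    size: Union[int, Callable[[Dict], int], None] = None  # bytes; callable = size expression
    cond: Optional[Callable[[Dict], bool]] = None         # x-condition over earlier members
    value: Optional[Callable] = None                      # x-value: native -> symbolic result
    fmt: str = "{}"                                       # x-format applied to the x-result


@dataclass
class Struct:
    name: str
    members: List[Field]


FIXED_SIZES = {"uint8": 1, "uint16": 2, "uint32": 4}


def _parse(kind: str, raw: bytes):
    if kind in FIXED_SIZES:
        return int.from_bytes(raw, "big")       # CHAP uses network byte order
    if kind == "string":
        return raw.decode("ascii", errors="replace")
    if kind == "buffer":
        return raw
    raise ValueError(f"unknown type {kind}")


def decode(sym: Struct, data: bytes, offset: int = 0,
           ctx: Optional[Dict] = None, view: Optional[List[str]] = None):
    """Walk `sym` over `data`; return (native values, new offset).  `ctx` is
    shared down the hierarchy so payload sizes/conditions can reference header
    members; `view` collects the presented lines (x-value + x-format)."""
    ctx = {} if ctx is None else ctx
    view = [] if view is None else view
    out: Dict = {}
    for m in sym.members:
        if m.cond is not None and not m.cond(ctx):
            continue                            # condition false: element skipped
        kind = m.type(ctx) if callable(m.type) else m.type
        if isinstance(kind, Struct):            # element replaced by the linked symdef
            out[m.name], offset = decode(kind, data, offset, ctx, view)
            continue
        size = FIXED_SIZES.get(kind, m.size)
        size = size(ctx) if callable(size) else size
        left = len(data) - offset
        if size is None or size < 0 or size > left:   # never trust a length field blindly
            raise DecodeError(f"{sym.name}.{m.name}: size {size} at offset {offset}, {left} bytes left")
        native = _parse(kind, data[offset:offset + size])
        offset += size
        ctx[m.name] = out[m.name] = native
        result = m.value(native) if m.value else native
        view.append(f"{m.name} = {m.fmt.format(result)}")
    return out, offset


# x-map: Code value -> symbolic name
CHAP_CODE_NAMES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Data section of Challenge/Response: Value-Size, Value, Name.  Name takes what
# the header Length leaves after Value and is present only if that is non-empty.
CHAP_CHALLENGE_DATA = Struct("ChallengeData", [
    Field("ValueSize", "uint8"),
    Field("Value", "buffer", size=lambda c: c["ValueSize"], value=bytes.hex),
    Field("Name", "string", size=lambda c: c["Length"] - 5 - c["ValueSize"],
          cond=lambda c: c["Length"] > 5 + c["ValueSize"]),
])
CHAP_RESULT_DATA = Struct("ResultData", [Field("Message", "string", size=lambda c: c["Length"] - 4)])
CHAP_UNKNOWN_DATA = Struct("UnknownData", [Field("Data", "buffer", size=lambda c: c["Length"] - 4)])


def chap_data_symdef(ctx: Dict) -> Struct:
    """x-function for dynamic linking: choose the Data symdef from the header Code."""
    return {1: CHAP_CHALLENGE_DATA, 2: CHAP_CHALLENGE_DATA,
            3: CHAP_RESULT_DATA, 4: CHAP_RESULT_DATA}.get(ctx["Code"], CHAP_UNKNOWN_DATA)


CHAP = Struct("CHAP", [
    Field("Code", "uint8", value=lambda v: f"{CHAP_CODE_NAMES.get(v, 'Unknown')} ({v})"),
    Field("Identifier", "uint8", fmt="0x{:02x}"),
    Field("Length", "uint16"),
    Field("Data", chap_data_symdef),            # dynamically linked payload
])


def decode_chap(pdu: bytes) -> Dict:
    """Native values of one CHAP PDU, e.g. {'Code': 1, ..., 'Data': {...}}."""
    return decode(CHAP, pdu)[0]


def render_chap(pdu: bytes) -> List[str]:
    """Presentation lines, one per discrete element, with x-value and x-format applied."""
    view: List[str] = []
    decode(CHAP, pdu, view=view)
    return view


def is_well_formed_chap(pdu: bytes) -> bool:
    try:
        decode_chap(pdu)
        return True
    except DecodeError:
        return False


# Constructed sample PDUs (not captured traffic)
CHALLENGE = bytes.fromhex("012a000c" "04deadbeef" "737276")  # Code=1 Id=0x2a Len=12 Value=4B Name="srv"
TRUNCATED = CHALLENGE[:8]                                    # header says 12 bytes, only 8 present
OVERCLAIM = bytes.fromhex("012a0006" "ff" "00")               # Len=6 but Value-Size=255

if __name__ == "__main__":
    print("\n".join(render_chap(CHALLENGE)))
    print(is_well_formed_chap(TRUNCATED), is_well_formed_chap(OVERCLAIM))
```

The shared `ctx` is what lets the payload's size expressions refer to the header's `Length`, mirroring an x-function that uses already analysed members; the bound check against `left` is what keeps a hostile `Length` or `Value-Size` from reading past the PDU, which is the failure mode a decoder driven by declarative definitions must handle itself.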
The application also offers a DLL plugin system, called XMLizers, for automatic conversion of C or proprietary-format message definitions into XML. The user can convert files, or text selected in the editor, by choosing the converter plugin from the menu.
The application provides a helper API and a C-converter XMLizer plugin, on which the user can base their own converter for any proprietary format.