Validation: Packet Filtering

To ensure the decoder receives protocol data that it is expecting, we can add application-specific rules to test the data is valid. Validation rules can be combined in a number of ways and the result of the rules is to either discard the current message/packet or to decode it.

Validations are useful if you need to filter application messages to a very fine granularity.

Validations are optional for UDP protocols, and required for TCP (stream) protocols.

Validations example

    "Validation": {
    "data":"packet",
    "minimum_size":6,
    "fields": [
      {
        "name": "numeric_id1", "type":"INT8", "offset":0, "validate": [-1]
      },
      {
        "name": "numeric_id2", "type":"UINT8", "offset":1, "validate": [1,255]
      },
      {
        "name": "string_id", "type":"STRING", "offset":2, "validate": ["pass"]
      },
      {
        "name": "string_id", "type":"STRING", "offset":2, "validate": ["pa"]
      }
    ]
  },

The example above shows the basic structure of validations. The fields array allows us to test data in a packet at specific offsets.

The “validate” key allows us to specify a set of values that the decoded field value must satisfy in an OR fashion for the field to be considered “valid”. So in the example, the first decoded field is “numeric_id1” at offset 0 of packet “data”. The decoded value must be -1 for the rule to be considered “valid”. The second field must be decoded to 1, or 255 to be considered “valid”.

All rules are evaluated in this way sequentially. If any rule results in an “invalid” result, then the packet currently being decoded is discarded and then the data from the next packet is considered again using the validation rules from the start of the array.

The evaluation of validation rules sequentially in the array equate to AND logical operations, and each validate value tested for a value is a logical OR operation.

The example above will always be invalid at the last rule because it tests for a value different from the value in the rule before at the same offset which must be valid. The example is not useful for real world use because it will discard all data but is useful to explain the concept.

The “minimum_size” key tells ACD to only consider packets of at least 6 bytes or more. Anything less will not be considered for validation. This is to ensure we have enough data to validate. If an out of bounds offset is specified, the validation will be invalid. Offsets outside the packet data space are not validated.

The settings “data” and “minimum_size” are described in the next section.