<p dir="ltr">Hello, </p> <p dir="ltr">While not fluent in perl, shouldn't that n in your unpack template be an N for unsigned long (as opposed to not for unsigned short)? </p> <p dir="ltr">/Anton </p> <div class="gmail_quote">On 4 Jan 2013 17:38, "Andreas Marschke" <<a href="mailto:andreas.marschke@gmail.com">andreas.marschke@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi everyone,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I'm currently trying to figure out the "on-the-wire" protocol NRPE speaks so I could implement a pure perl module that could talk NRPE.</div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">During this endeavour I found a couple of strange things I'd like to ask you folks about.</div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Beware that this is my first time I write an application using raw TCP/IP and am not too sufficient in C. Therefore I'd love to know where and when I went wrong in my assumptions and/or code. </div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">As mentioned above I use Perl as my target language and simultainously started reading the code in check_nrpe.c . So far I came up with this as an unpack template: </div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>my ($packet_version, $packet_type, $crc32_value, $result_code, $buffer) = unpack('S S n S A[1024]',$str);</div> <div><br></div><div>print $packet_version." ".$packet_type." ".$crc32_value." ".$result_code." ".$buffer;</div><div><br></div><div>Where $str is the hex encoded data from the TCP conversation and is attached to this mail(data.hex). As a result I get this: </div> </div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">512 256 22286 20613 krcheck_users<br></div><div style="font-family:arial,sans-serif;font-size:13px"> <br></div><div style="font-family:arial,sans-serif;font-size:13px">From looking at the code I can gather that:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"> - 512 is the NRPE version 2*256=512</div><div style="font-family:arial,sans-serif;font-size:13px"> as NRPE_PACKET_VERSION_2 defines it in common.h</div><div style="font-family:arial,sans-serif;font-size:13px">- 256 is the packet type 1*256=256 as common.h defines it </div> <div style="font-family:arial,sans-serif;font-size:13px"> QUERY_PACKET 1</div><div style="font-family:arial,sans-serif;font-size:13px">- 22286 the checksum over the packet which I - for now - blindly trust is correct</div> <div style="font-family:arial,sans-serif;font-size:13px">Now this os where it starts boggling in my mind. common.h defines packet as: </div><div style="font-family:arial,sans-serif;font-size:13px"><div><br></div><div>typedef struct packet_struct{</div> <div> int16_t packet_version;</div><div> int16_t packet_type;</div><div> u_int32_t crc32_value;</div><div> int16_t result_code;</div><div> char buffer[MAX_PACKETBUFFER_LENGTH];</div> <div> }packet;</div><div><br></div><div>So logically a result and/or zero should be here for a Query package right? But what I find is: </div></div><div style="font-family:arial,sans-serif;font-size:13px">- 20613 </div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">After that there is only $buffer left which is: </div><div style="font-family:arial,sans-serif;font-size:13px"> "krcheck_users"<br></div><div style="font-family:arial,sans-serif;font-size:13px">Which is semi-correct since I queried the server for the state of check_users. But the first 2 characters bother me. They showed up consistently over the last 4-5 test packets I looked at with wireshark and were always semi random. If I could find an explanation for them I'd be happy. Otherwise maybe I'm just wrong in assuming that result_code is actually relevant in this context and it is actually part of the semi_random data you filled packet with before filling in the relevant parts. </div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Otherwise I'd love to have something in the form of an RFC for the NRPE Protocol versions. This would definitely make implementing NRPE much easier. </div> <div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thanks in advance and a Happy New Year,</div><div style="font-family:arial,sans-serif;font-size:13px"> <br></div><div style="font-family:arial,sans-serif;font-size:13px">Andreas Marschke.</div></div> <br>------------------------------------------------------------------------------<br> Master HTML5, CSS3, <a href="http://ASP.NET" target="_blank">ASP.NET</a>, MVC, AJAX, Knockout.js, Web API and<br> much more. Get web development skills now with LearnDevNow -<br> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.<br> SALE $99.99 this month only -- learn more at:<br> <a href="http://p.sf.net/sfu/learnmore_122812" target="_blank">http://p.sf.net/sfu/learnmore_122812</a><br>_______________________________________________<br> Nagios-devel mailing list<br> <a href="mailto:Nagios-devel@lists.sourceforge.net">Nagios-devel@lists.sourceforge.net</a><br> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-devel" target="_blank">https://lists.sourceforge.net/lists/listinfo/nagios-devel</a><br> <br></blockquote></div>