<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi everyone,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I'm currently trying to figure out the "on-the-wire" protocol NRPE speaks so I could implement a pure perl module that could talk NRPE.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">During this endeavour I found a couple of strange things I'd like to ask you folks about.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Beware that this is my first time I write an application using raw TCP/IP and am not too sufficient in C. Therefore I'd love to know where and when I went wrong in my assumptions and/or code. </div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">As mentioned above I use Perl as my target language and simultainously started reading the code in check_nrpe.c . So far I came up with this as an unpack template: </div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>my ($packet_version, $packet_type, $crc32_value, $result_code, $buffer) = unpack('S S n S A[1024]',$str);</div>
<div><br></div><div>print $packet_version." ".$packet_type." ".$crc32_value." ".$result_code." ".$buffer;</div><div><br></div><div>Where $str is the hex encoded data from the TCP conversation and is attached to this mail(data.hex). As a result I get this: </div>
</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">512 256 22286 20613 krcheck_users<br></div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">From looking at the code I can gather that:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">
- 512 is the NRPE version 2*256=512</div><div style="font-family:arial,sans-serif;font-size:13px"> as NRPE_PACKET_VERSION_2 defines it in common.h</div><div style="font-family:arial,sans-serif;font-size:13px">- 256 is the packet type 1*256=256 as common.h defines it </div>
<div style="font-family:arial,sans-serif;font-size:13px"> QUERY_PACKET 1</div><div style="font-family:arial,sans-serif;font-size:13px">- 22286 the checksum over the packet which I - for now - blindly trust is correct</div>
<div style="font-family:arial,sans-serif;font-size:13px">Now this os where it starts boggling in my mind. common.h defines packet as: </div><div style="font-family:arial,sans-serif;font-size:13px"><div><br></div><div>typedef struct packet_struct{</div>
<div> int16_t packet_version;</div><div> int16_t packet_type;</div><div> u_int32_t crc32_value;</div><div> int16_t result_code;</div><div> char buffer[MAX_PACKETBUFFER_LENGTH];</div>
<div> }packet;</div><div><br></div><div>So logically a result and/or zero should be here for a Query package right? But what I find is: </div></div><div style="font-family:arial,sans-serif;font-size:13px">- 20613 </div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">After that there is only $buffer left which is: </div><div style="font-family:arial,sans-serif;font-size:13px">
"krcheck_users"<br></div><div style="font-family:arial,sans-serif;font-size:13px">Which is semi-correct since I queried the server for the state of check_users. But the first 2 characters bother me. They showed up consistently over the last 4-5 test packets I looked at with wireshark and were always semi random. If I could find an explanation for them I'd be happy. Otherwise maybe I'm just wrong in assuming that result_code is actually relevant in this context and it is actually part of the semi_random data you filled packet with before filling in the relevant parts. </div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Otherwise I'd love to have something in the form of an RFC for the NRPE Protocol versions. This would definitely make implementing NRPE much easier. </div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thanks in advance and a Happy New Year,</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">Andreas Marschke.</div></div>