<div dir="auto">This is a great question and something I recently went through with RDPEUDP. The Syslog analyzer is a good example of a simple analyzer. The SSL analyzer is a good example of a complex analyzer. <div dir="auto"><br></div><div dir="auto">I found comparing existing analyzers to the files which binpac_quickstart outputs very helpful. It turns out much of the code which composes an analyzer is template/boilerplate. *-protocol.pac and *-analzer.pac is where most of the analyzer will live. </div><div dir="auto"><br></div><div dir="auto">The README of binpac explains its DSL fairly well. It's much smaller than Zeek's scripting language but harder, in my opinion, to debug. Some random thoughts on binpac:</div><div dir="auto">- I had issues using nested cases, so don't use them</div><div dir="auto">- I ended up using temporary or "throw away" fields than I thought would be necessary</div><div dir="auto">- There are conventions but there doesn't seem to be one way of using binpac</div><div dir="auto">- printf from proc_* functions is basically all the debugging info you get</div><div dir="auto"><br></div><div dir="auto">Reading the Zeek docs on DPD, PIA, and the Signature Framework were also useful if you want your analyzer to attach to connections in a robust manner. </div><div dir="auto"><br></div><div dir="auto">I hope this helps! </div><div dir="auto"><br></div><div dir="auto">-AK</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 9, 2020, 13:10 Tomek Koziak <<a href="mailto:ttomek.koziak@gmail.com">ttomek.koziak@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi all,</div><br>As far as I see <a href="https://github.com/zeek/zeek/tree/47235b57a6854e0acf2899f5681edf1ebb7efa4a/src/analyzer/protocol" target="_blank" rel="noreferrer">here</a> no RTP analizer has been added yet. So I have an another question regarding this topic. Is there any existing guide or tutorial explaining how I can develop an analizer for a protocol myself or should I just base it on the already existing code?<div><br></div><div>Best regards and happy Easter.<br><br>Tomasz</div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank" rel="noreferrer">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>