[Bro] Understanding the event generation and handling

Vern Paxson vern at icir.org
Wed Oct 6 17:00:08 PDT 2010

> Specifically, I need to get to the logic of-
> 1. Event generation: How does Bro know which all events to raise by 
> looking at a particular packet?

There is a tree of analyzers that's traversed (perhaps taking multiple
branches at any given point).

> I have a basic understanding of the 
> class hierarchy, but I don't know where to look for the code that 
> decides which specific Application layer analyzer object to create by 
> looking at the Application Layer header/signature of the incoming packet.

The architecture here is described in the paper:


If you are looking for specific details regarding names of classes/methods,
etc., then you'll probably have to wait until Robin comes back from vacation
in a couple of weeks.

> 2. Event handling: It seems that an event's information is stored in an 
> object and all events are queued in an Event Manager as they are 
> created.


> After every packet is processed, this queue of events is 
> drained (thus following a single-threaded model) and the events are sent 
> to a Serializer. I found the serialization code hard to understand so I 

Ignore the serializer.  It's there for things like communication between
multiple Bro processes.

> Can someone please suggest which debugger to use and how, so that I can 
> step-by-step understand the event-engine?

Well, I use gdb, and if I must, I start with invocations of
NetSessions::NextPacket .

If you want to sketch your particular goal, that might help with giving
you more focussed advice.


More information about the Bro mailing list