[Bro] some information

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Apr 22 11:10:22 PDT 2014


On Apr 22, 2014, at 10:20 AM, Prateek Gupta <prateekgupta.3991 at gmail.com> wrote:

> I want to know which module in the source code supplies the information to the root node of the analyzer tree (i.e. the Transport Layer Analyzer). Where should I look in the source code?
> I urgently need to understand the information flow and the data structures involved in the analyzer layer for an academic project.

See Connection::NextPacket which is called from NetSessions::DoNextPacket.

> Also, I have been able to use the sample analyzer provided on the Bro site, but how do I test-run it easily? Can I do something like modifying an already-made protocol analyzer (e.g. DHCP) and test-run it, or what?

You can do whatever you need/like in the implementation of the sample analyzer (e.g. the overrides of Analyzer::DeliverStream or Analyzer::DeliverPacket).

Then, to get the sample analyzer attached to particular connections so it will actually process data, there’s a choice of

(1) look into how the Analyzer::register_for_ports script-layer function is used for other protocol analyzers
(2) look into how other analyzers use DPD signatures to automatically attach themselves to a connection when the payload matches a signature
(3) hardcode the sample analyzer to be used for every connection.

It’s typical to combine (1) and (2).

- Jon
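As an added illustration of options (1) and (2) from the reply above (example code, not from the thread or the Bro project): a script-layer snippet that registers a plugin's analyzer for a well-known port, and a DPD signature that enables the same analyzer on any port when the originator's payload matches. The analyzer tag `Analyzer::ANALYZER_SAMPLE`, the analyzer name `"sample"`, the port `8888/tcp` and the `SAMPLE ` banner are all assumed values; substitute whatever your plugin actually defines.

```bro
# ---- File: scripts/main.bro ----
# Constructed example, not part of the original post. Assumes the sample
# analyzer was built as a plugin whose tag is Analyzer::ANALYZER_SAMPLE
# (hypothetical name; use the tag your plugin generates).
module Sample;

export {
	## Ports on which the analyzer is attached unconditionally (option 1).
	## Redefinable so a site can add or remove ports without editing this file.
	const ports = { 8888/tcp } &redef;
}

event bro_init() &priority=5
	{
	# Same pattern the built-in protocol analyzers use in their main.bro:
	# every connection to one of these ports gets the analyzer attached.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SAMPLE, ports);
	}

# ---- File: scripts/dpd.sig (loaded with @load-sigs ./dpd.sig) ----
# Option 2: a DPD signature enabling the analyzer when the originator's
# first payload bytes carry a hypothetical "SAMPLE " banner, regardless
# of port. The string in `enable` is the analyzer's lowercase name.
signature dpd_sample_client {
	ip-proto == tcp
	payload /^SAMPLE /
	tcp-state originator
	enable "sample"
}
```

Combining the two, as the reply recommends, means the port registration catches traffic on the expected port while the signature catches the same protocol running on non-standard ports; in both cases the analyzer's `DeliverStream` or `DeliverPacket` override is what finally sees the data.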
