[Bro] some information
Siwek, Jonathan Luke
jsiwek at illinois.edu
Tue Apr 22 11:10:22 PDT 2014
On Apr 22, 2014, at 10:20 AM, Prateek Gupta <prateekgupta.3991 at gmail.com> wrote:
> I want to know which module in the source code supplies the information to the root node of the analyzer tree (i.e. the Transport Layer Analyzer). Where should I look in the source code?
> I urgently need to understand the information flow and the data structures involved in the analyzer layer for an academic project.
See Connection::NextPacket which is called from NetSessions::DoNextPacket.
> Also, I have been able to use the sample analyzer provided on the Bro site, but how can I test-run it easily? Can I do something like modifying it to resemble an already-made protocol (e.g. DHCP, etc.) and test-run it, or what?
You can do whatever you need/like in the implementation of the sample analyzer (e.g. the overrides of Analyzer::DeliverStream or Analyzer::DeliverPacket).
Then, to get the sample analyzer attached to particular connections so it will actually process data, there’s a choice of
(1) look into how the Analyzer::register_for_ports script-layer function is used for other protocol analyzers
(2) look into how other analyzers use DPD signatures to automatically attach themselves to a connection when the payload matches a signature
(3) hardcode the sample analyzer to be used for every connection.
It’s typical to combine (1) and (2).
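Putting (1) and (2) from the reply above together, as an added example that is not code from the message or from the Bro distribution. It assumes a plugin that registers an analyzer named "Sample" (so its tag is Analyzer::ANALYZER_SAMPLE and DPD refers to it as "sample"), that the protocol runs over TCP on 4242/tcp, and that client payloads begin with the literal "SMPL"; the file names sample.bro and dpd.sig are likewise assumptions.

```bro
# --- sample.bro (assumed file name) ---
# Added example: attaches the assumed "Sample" analyzer by port and by
# DPD signature, the usual combination in the shipped protocol scripts.
module Sample;

export {
	## Well-known port(s) of the assumed protocol; used for (1).
	const ports = { 4242/tcp } &redef;
}

# Treat the port as a likely server port so connection orientation
# (originator/responder) is right even when the SYN was not seen.
redef likely_server_ports += { ports };

event bro_init() &priority=5
	{
	# (1) Port-based attachment: every connection on these ports gets the
	# analyzer. The analyzer can still drop itself from a connection by
	# calling ProtocolViolation() in its C++ implementation.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SAMPLE, ports);
	}

# (2) Payload-based attachment: load the DPD signature file beside this
# script so connections on any port get the analyzer once the payload
# matches.
@load-sigs ./dpd.sig

# --- dpd.sig (assumed file name, loaded by the @load-sigs line above) ---
# Match the assumed "SMPL" prefix at the start of the originator's
# payload and enable the analyzer on that connection.
signature dpd_sample_client {
	ip-proto == tcp
	payload /^SMPL/
	tcp-state originator
	enable "sample"
}
```

To test-run it offline, point bro at a capture and the script (for example, bro -r trace.pcap sample.bro with a pcap that contains the assumed traffic): connections on 4242/tcp are handled via (1), and connections on other ports whose first originator bytes are "SMPL" are picked up via (2). A conn.log whose service column shows the analyzer's name confirms the attachment happened; if DeliverStream or DeliverPacket in the sample analyzer is never reached, check that the plugin's analyzer name really matches the tag and the enable string.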