[Bro] information between TLanallyzer and Application protocol analyzer

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Apr 23 11:22:31 PDT 2014


On Apr 23, 2014, at 12:17 PM, Prateek Gupta <prateekgupta.3991 at gmail.com> wrote:

> I have a query. In TCP.cc , the information is transferred to the child analyzers (i.e. application protocol analyzer) using statement 
> LOOP_OVER_GIVEN_ and calling NextPacket() function
> 
> but in the case of UDP I don't find any mechanism to transfer info to the application layer protocol. Do the UDP-based application protocols get their own information from the connection via their respective .pac analyzers? If not, can you please explain in brief.

Each connection starts with an analyzer tree that looks like (see analyzer::Manager::BuildInitialAnalyzerTree):

UDP: UDP_Analyzer -> PIA_UDP, any analyzers registered for a well-known UDP resp port
TCP: TCP_Analyzer -> PIA_TCP, any analyzers registered for a well-known TCP resp port

The PIA_*, Port Independent Analysis (I think), are responsible for automatically attaching new analyzers if payload content matches provided signatures.

Children of UDP_Analyzer which override Analyzer::DeliverPacket will start receiving packets immediately from Analyzer::ForwardPacket.

Children of TCP_Analyzer which override Analyzer::DeliverPacket will start receiving packets immediately from (1) Analyzer::ForwardPacket if reassembly is not enabled (2) Analyzer::NextPacket if they were explicitly added as children via TCP_Analyzer::AddChildPacketAnalyzer.

It’s more typical for children of TCP_Analyzer to be overriding Analyzer::DeliverStream in order to receive input as reassembled TCP segments, i.e. protocols on top of TCP may choose between packet-wise and stream-wise input, but the latter is more common.

- Jon
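To make the dispatch Jon describes concrete, here is an added, constructed C++ model; it is not Bro's own code, and the class and method names (Analyzer, DeliverPacket, DeliverStream, ForwardPacket, PIA, NextPacket) only echo the ones named in the reply. The model shows children of a UDP transport analyzer receiving every datagram through DeliverPacket, children of a TCP transport analyzer receiving DeliverStream when reassembly is on and DeliverPacket when it is off, and a PIA-style analyzer that buffers payload, attaches a new child once a content signature matches, and replays the buffered payload to it so the late-attached child sees the same bytes as a child registered for the well-known port. The sample payload chunks and the signature string are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Simplified model of an analyzer tree node. Constructed for illustration;
// Bro's real Analyzer class has different signatures and much more state.
struct Analyzer {
    std::vector<std::unique_ptr<Analyzer>> children;
    virtual ~Analyzer() = default;
    virtual void DeliverPacket(const std::string&, bool) {}  // packet-wise input
    virtual void DeliverStream(const std::string&, bool) {}  // stream-wise input

    Analyzer* AddChild(std::unique_ptr<Analyzer> c) {
        children.push_back(std::move(c));
        return children.back().get();
    }
    // Hand one chunk to every child. The child count is snapshotted so a PIA that
    // attaches a new child mid-delivery does not cause the current chunk to be
    // delivered twice; the PIA replays its buffer to the new child itself.
    void ForwardPacket(const std::string& p, bool orig) {
        std::size_t n = children.size();
        for (std::size_t i = 0; i < n; ++i) children[i]->DeliverPacket(p, orig);
    }
    void ForwardStream(const std::string& p, bool orig) {
        std::size_t n = children.size();
        for (std::size_t i = 0; i < n; ++i) children[i]->DeliverStream(p, orig);
    }
};

// Application-layer analyzer that records how it was fed.
struct AppAnalyzer : Analyzer {
    int packets = 0;
    std::size_t stream_bytes = 0;
    void DeliverPacket(const std::string&, bool) override { ++packets; }
    void DeliverStream(const std::string& p, bool) override { stream_bytes += p.size(); }
};

// Port-independent detection: buffer chunks until the concatenated payload
// contains the signature, then attach an AppAnalyzer to the transport analyzer
// and replay the buffered chunks to it in the same mode they arrived.
struct PIA : Analyzer {
    Analyzer* transport;
    std::string signature;
    std::vector<std::string> chunks;
    AppAnalyzer* attached = nullptr;
    PIA(Analyzer* t, std::string sig) : transport(t), signature(std::move(sig)) {}

    void DeliverPacket(const std::string& p, bool orig) override { Match(p, orig, false); }
    void DeliverStream(const std::string& p, bool orig) override { Match(p, orig, true); }

    void Match(const std::string& p, bool orig, bool stream) {
        if (attached) return;  // already handed off; later chunks go straight to the child
        chunks.push_back(p);
        std::string all;
        for (const auto& c : chunks) all += c;
        if (all.find(signature) == std::string::npos) return;
        attached = static_cast<AppAnalyzer*>(transport->AddChild(std::make_unique<AppAnalyzer>()));
        if (stream) attached->DeliverStream(all, orig);
        else        for (const auto& c : chunks) attached->DeliverPacket(c, orig);
        chunks.clear();
    }
};

struct TransportAnalyzer : Analyzer {
    virtual void NextPacket(const std::string& p, bool orig) = 0;
};
// UDP: children always get packet-wise delivery.
struct UdpAnalyzer : TransportAnalyzer {
    void NextPacket(const std::string& p, bool orig) override { ForwardPacket(p, orig); }
};
// TCP: stream-wise delivery when reassembly is enabled, packet-wise otherwise.
// (Segments are assumed in order here; real reassembly is out of scope.)
struct TcpAnalyzer : TransportAnalyzer {
    bool reassembly;
    explicit TcpAnalyzer(bool r) : reassembly(r) {}
    void NextPacket(const std::string& p, bool orig) override {
        if (reassembly) ForwardStream(p, orig); else ForwardPacket(p, orig);
    }
};

// Constructed sample payload: the signature "HELLO" only appears once the first
// two chunks are seen together, so the PIA must buffer before it can attach.
static const char* kChunks[] = {"HEL", "LO world", "bye"};

struct Outcome {
    int port_child_packets; std::size_t port_child_stream_bytes;
    bool pia_attached; int pia_child_packets; std::size_t pia_child_stream_bytes;
};

Outcome Run(TransportAnalyzer& t) {
    auto* pia = static_cast<PIA*>(t.AddChild(std::make_unique<PIA>(&t, "HELLO")));
    auto* port_child = static_cast<AppAnalyzer*>(t.AddChild(std::make_unique<AppAnalyzer>()));
    for (const char* c : kChunks) t.NextPacket(c, true);
    return {port_child->packets, port_child->stream_bytes, pia->attached != nullptr,
            pia->attached ? pia->attached->packets : 0,
            pia->attached ? pia->attached->stream_bytes : std::size_t(0)};
}
Outcome RunUdp() { UdpAnalyzer u; return Run(u); }
Outcome RunTcp(bool reassembly) { TcpAnalyzer t(reassembly); return Run(t); }

int main() {
    Outcome u = RunUdp(), s = RunTcp(true);
    std::printf("UDP child packets=%d, TCP stream child bytes=%zu, PIA attached=%d\n",
                u.port_child_packets, s.port_child_stream_bytes, int(s.pia_attached));
    return 0;
}
```

In the UDP tree both the port-registered child and the PIA-attached child end up with three DeliverPacket calls; in the reassembling TCP tree both end up with the same 14 stream bytes, because the PIA replays what it buffered before attaching. That replay is what keeps signature-based attachment from silently dropping the start of a session the way a naive "attach and forget" would.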
