It's been a while since I've used a mailing list. I didn't add line breaks. Sorry.
So let's try this again for better readability.

I am writing a C++ program to interface with Bro, using Broccoli.

According to this [Bro] Mailing List message (http://mailman.icsi.berkeley.edu/pipermail/bro/2014-December/007844.html),
I need to create my own events that only use certain fields from the conn_id bro record.

I followed the example in the post, using the 'dns_message' event as a test.

1) In bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro, I added this line after line 26:
   global dns_message_test: event(cid: conn_id, is_orig: bool, msg: dns_msg, len: count);

2) In bro/share/bro/base/protocols/dns/main.bro, in the 'event dns_message' handler (line 286),
   I added this at the bottom of the handler: event dns_message_test(c$id, is_orig, msg, len);

3) Then, in my main function, I add it to the registry with something like:
   bro_event_registry_add_compact(f_broPtr, "dns_message_test", (BroCompactEventFunc) event_cb, NULL);

And my 'event_cb' callback function is called and everything seems good.

However, I then wanted to try with icmp_time_exceeded and icmp_packet_too_big (which is part of what I'm after).
In bro/share/bro/base/bif/plugins/Bro_ICMP.events.bif.bro, I added a '_test' event for both:
 global icmp_packet_too_big_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);
 global icmp_time_exceeded_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);

1) There is only one 'event icmp*' handler block, and that's in /bro/share/bro/policy/misc/detect-traceroute/main.bro
   for 'icmp_time_exceeded'. This has an associated 'event icmp_time_exceeded' handler (line 98).
   I added my 'icmp_time_exceeded_test(c$id, icmp, code, context)' line in that
   handler and registered it with another bro_event_registry_add_compact line in
   my C code, but the event (original and my _test version) never fires.
   I'm not sure I'm using the correct 'event icmp' handler, since the detect-traceroute
   comments say it's for a Time Exceeded threshold, and I'm more interested
   in capturing ANY Time Exceeded event.

2) Given 1), I cannot find a 'main.bro' file with 'event icmp_packet_too_big',
   and so that event (original and _test version) never fires, either.

I am very new to DPI, so I may be missing something obvious. Any help is greatly appreciated.
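The procedure described in the post (declare a '_test' event that carries only the conn_id, raise it from the built-in event handler, then pick it up from Broccoli) can be kept in a single standalone Bro script instead of being spread across edits to the base and policy scripts. The script below is an added example and is not code from the post, from Bro, or from the referenced mailing-list message. The signatures of icmp_time_exceeded and icmp_packet_too_big follow Bro_ICMP.events.bif.bro as quoted above; the file name, the loopback Broccoli peer in the Communication::nodes entry, and the choice to skip SSL are assumptions for a local test setup. The local handlers for the two '_test' events are there so the script can be checked on its own (for example with `bro -r some_icmp_trace.pcap icmp_test.bro`) before a Broccoli client is involved.

```bro
# icmp_test.bro: added example, not from the original post or from Bro itself.
# Defines '_test' events that carry only the conn_id (as the referenced post
# suggests for Broccoli) and raises them from Bro's built-in ICMP events.

# Assumption: makes this Bro instance accept Broccoli connections
# (default non-SSL port as shipped with the communication framework).
@load frameworks/communication/listen

# Declared at global scope (no 'module' line) so the name Broccoli registers
# for is exactly "icmp_time_exceeded_test" / "icmp_packet_too_big_test".
global icmp_time_exceeded_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);
global icmp_packet_too_big_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);

# Handle every Time Exceeded message directly, independent of the
# threshold logic in policy/misc/detect-traceroute.
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
	{
	event icmp_time_exceeded_test(c$id, icmp, code, context);
	}

event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
	{
	event icmp_packet_too_big_test(c$id, icmp, code, context);
	}

# Local handlers: confirm on the Bro side that the '_test' events fire at all
# before debugging the Broccoli side. Safe to remove once that is verified.
event icmp_time_exceeded_test(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context)
	{
	print fmt("time_exceeded_test: %s -> %s code=%d", cid$orig_h, cid$resp_h, code);
	}

event icmp_packet_too_big_test(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context)
	{
	print fmt("packet_too_big_test: %s -> %s code=%d", cid$orig_h, cid$resp_h, code);
	}

# Assumption: a Broccoli client connecting from the loopback address without
# SSL. Only events whose names match $events are forwarded to that peer, so
# the pattern must cover every '_test' event the C side registers for.
redef Communication::nodes += {
	["broccoli"] = [$host = 127.0.0.1, $events = /icmp_.*_test/, $connect = F, $ssl = F]
};
```

With this in place the C side needs no changes beyond the bro_event_registry_add_compact calls already shown in the post. If the local print handlers never produce output when the script is run over a trace, the problem is that Bro is not raising the built-in ICMP event for that traffic, not anything on the Broccoli side.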
