[Bro-Dev] Updating / Accessing ConnVal from child analyzers

Gregor Maier gregor at icir.org
Thu Dec 9 10:33:15 PST 2010


Hi,

has anybody (Robin?) a good idea on how I could update / access a
connection's ConnVal from child analyzers? In my case that would be to
facilitate counting and reporting of the number of packets (and bytes) seen
on the wire for this connection.

What Bro currently does:
  * Conn keeps a ConnVal pointer. A call to BuildConnVal() will update
    that pointer.
  * BuildConnVal() calls root_analyzer->UpdateEndpointVal() to get the
    current size and state. (root_analyzer is either UDP_Analyzer or
    TCP_Analyzer).
  * UpdateEndpointVal() is abstract in TransportAnalyzer, which both
    UDP_Analyzer and TCP_Analyzer inherit.

My counting analyzer (ConnSize) is a child (in the DPD sense, not the
class hierarchy sense) of UDP_Analyzer and TCP_Analyzer.

Two ways come to mind:
a) My ConnSize analyzer could just update the ConnVal on every packet.
   Every analyzer has a pointer to its Conn class. But the pointer is
   private in Analyzer.h, so derived classes don't have access to it.
   However, the Conn instance is passed to the ConnSize constructor, so
   I could just keep a copy of this conn instance.
   Then I have access to the conn instance. In order to access the
   ConnVal, I'd need to add a method to conn to update the ConnVal, or
   make my analyzer a friend of Conn (since the ConnVal is protected).
   I would also have to update ConnVal on every packet (instead of only
   when requested by BuildConnVal).

b) I make my ConnSize analyzer inherit from TransportAnalyzer and
   implement UpdateEndpointVal.
   TCP_Analyzer::UpdateEndpointVal and UDP_Analyzer::UpdateEndpointVal
   could then iterate through their children, check whether they are
   derived from TransportAnalyzer (I think I can do this check with a
   dynamic_cast, but I don't know how standard this is). If the child
   is a TransportAnalyzer, the parent can call the child's
   UpdateEndpointVal.
   I guess one consideration here would be whether we see other
   use-cases in which child analyzers update the connection record
   (actually it's the endpoint record) or whether that would only ever
   be used for my counting.


I think a) is really ugly.

What are your thoughts on b)?

Does anybody have better/other ideas?


cu
Gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
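A sketch of option (b), added here as an example and not Bro's own code (the class names are stand-ins for the hierarchy the mail describes, and EndpointVal is a constructed substitute for the endpoint record): the root analyzer walks its DPD children and hands the endpoint record to any child that turns out to be a TransportAnalyzer, using dynamic_cast, which is standard C++ RTTI.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>
// Constructed stand-in for Bro's endpoint record: only the counters ConnSize reports.
struct EndpointVal { uint64_t num_pkts = 0; uint64_t num_bytes = 0; };
// Hypothetical minimal analyzer base owning its DPD children (not Bro's Analyzer).
class Analyzer {
public:
    virtual ~Analyzer() = default;
    void AddChild(std::unique_ptr<Analyzer> c) { children_.push_back(std::move(c)); }
    // Default behaviour: forward the packet to every child.
    virtual void DeliverPacket(uint64_t len, bool is_orig) {
        for (auto& c : children_) c->DeliverPacket(len, is_orig);
    }
protected:
    std::vector<std::unique_ptr<Analyzer>> children_;
};
// Option (b): the abstract interface a root analyzer looks for among its children.
class TransportAnalyzer : public Analyzer {
public:
    virtual void UpdateEndpointVal(EndpointVal& ep, bool is_orig) = 0;
};
// Child counter: tallies per direction on every packet, fills the record only on request.
class ConnSizeAnalyzer : public TransportAnalyzer {
public:
    void DeliverPacket(uint64_t len, bool is_orig) override { pkts_[is_orig]++; bytes_[is_orig] += len; }
    void UpdateEndpointVal(EndpointVal& ep, bool is_orig) override {
        ep.num_pkts = pkts_[is_orig]; ep.num_bytes = bytes_[is_orig];
    }
private:
    uint64_t pkts_[2] = {0, 0}, bytes_[2] = {0, 0};
};
// Root (TCP/UDP stand-in): delegates to whichever children are TransportAnalyzers.
// dynamic_cast is standard C++ RTTI; it yields nullptr for any other child type.
class RootAnalyzer : public TransportAnalyzer {
public:
    void UpdateEndpointVal(EndpointVal& ep, bool is_orig) override {
        for (auto& c : children_)
            if (auto* t = dynamic_cast<TransportAnalyzer*>(c.get())) t->UpdateEndpointVal(ep, is_orig);
    }
};
// Mirrors BuildConnVal(): feed constructed packets, then build the record on demand.
EndpointVal DemoSizes(bool is_orig) {
    RootAnalyzer root;
    root.AddChild(std::make_unique<ConnSizeAnalyzer>());
    root.AddChild(std::make_unique<Analyzer>());  // non-transport child, skipped by the cast
    root.DeliverPacket(100, true); root.DeliverPacket(40, false); root.DeliverPacket(60, true);
    EndpointVal ep; root.UpdateEndpointVal(ep, is_orig); return ep;
}
```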