[Bro-Dev] Hui Lin_Confusion in Dynamic Protocol Detection

Hui Lin hlin33 at illinois.edu
Thu Aug 4 22:19:12 PDT 2011


Hi,

When I read http://www.bro-ids.org/development/dpd.html about DPD, I am always
confused by its wording.

1. From the "Class Layout" picture, every analyzer is derived from class
"Analyzer", but the wording also says that "The root node must always be of
type TransportLayerAnalyzer." So which one is the real root in Bro's
code? yzer directly derived by "Analyzer") are located in this analyzer tree
structure.
2. In the section "Determining Analyzer Activation", I am also confused
about the method to activate the analyzer on all connections. Foo_Analyzer
is derived from TCP_ApplicationAnalyzer, but why is this Foo_Analyzer added as
the child of TCP_Analyzer?

    tcp->AddChildAnalyzer(new Foo_Analyzer(conn));

So what is the difference between TCP_ApplicationAnalyzer and
TCP_Analyzer?

Hui Lin


-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu