[Bro-Dev] Hui Lin_Confusion in Dynamic Protocol Detection

Hui Lin hlin33 at illinois.edu
Thu Aug 4 22:19:12 PDT 2011


When I read http://www.bro-ids.org/development/dpd.html about DPD, I always
have confusion in its wording.

1. From the "Class Layout" picture, every analyzer is derived from class
"Analyzer", but the wording also says that "The root node must always be of
type TransportLayerAnalyzer." So which one is the real root in Bro's code?
yzer directly derived by "Analyzer") are located in this analyzer tree
2. In the section "Determining Analyzer Activation", I am also confused
about the method to activate the analyzer on all connections. Foo_Analyzer
is derived from TCP_ApplicationAnalyzer, but why is this Foo_Analyzer added as
a child of TCP_Analyzer?
tcp->AddChildAnalyzer(new Foo_Analyzer(conn));
So what are the differences between TCP_ApplicationAnalyzer and

Hui Lin

Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
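The two notions the question runs together are the class hierarchy (every analyzer derives from the class Analyzer) and the per-connection object tree (whose root object is a TransportLayerAnalyzer such as TCP_Analyzer, with Foo_Analyzer attached below it by AddChildAnalyzer). The following toy model is an added illustration, not Bro's code: the class names follow the question and the DPD page, while the Connection struct, IsTransportLayer() and TreeIsWellFormed() are assumptions made for the example.

```cpp
#include <memory>
#include <string>
#include <vector>
// Toy model of the DPD analyzer tree (not Bro's code): Analyzer is the base CLASS; the root OBJECT is a TransportLayerAnalyzer.
struct Connection { std::string id; };
class Analyzer {
public:
    Analyzer(std::string name, Connection* c) : name_(name), conn_(c) {}
    virtual ~Analyzer() = default;
    virtual bool IsTransportLayer() const { return false; }
    // Run-time tree edge (composition, not inheritance): the parent owns the child.
    void AddChildAnalyzer(Analyzer* child) { children_.emplace_back(child); }
    const std::string& Name() const { return name_; }
    const std::vector<std::unique_ptr<Analyzer>>& Children() const { return children_; }
protected:
    std::string name_;
    Connection* conn_;  // the connection this analyzer instance belongs to
    std::vector<std::unique_ptr<Analyzer>> children_;
};
// Only transport-layer analyzers may be the root of a connection's tree.
class TransportLayerAnalyzer : public Analyzer {
public:
    using Analyzer::Analyzer;
    bool IsTransportLayer() const override { return true; }
};
class TCP_Analyzer : public TransportLayerAnalyzer {
public: explicit TCP_Analyzer(Connection* c) : TransportLayerAnalyzer("TCP", c) {}
};
// Application analyzers are Analyzers too, but they are never tree roots.
class TCP_ApplicationAnalyzer : public Analyzer { public: using Analyzer::Analyzer; };
class Foo_Analyzer : public TCP_ApplicationAnalyzer {
public: explicit Foo_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("Foo", c) {}
};
// Invariant from the docs: the root is transport-layer and none of its children is.
bool TreeIsWellFormed(const Analyzer& root) {
    if (!root.IsTransportLayer()) return false;
    for (const auto& c : root.Children()) if (c->IsTransportLayer()) return false;
    return true;
}
// Build the tree exactly as the docs' snippet does and verify the invariant.
bool DocumentedTreeIsWellFormed() {
    Connection conn{"10.0.0.1:40000-10.0.0.2:80"};  // constructed sample connection
    std::unique_ptr<TCP_Analyzer> tcp(new TCP_Analyzer(&conn));
    tcp->AddChildAnalyzer(new Foo_Analyzer(&conn));
    return TreeIsWellFormed(*tcp) && tcp->Children().size() == 1 && tcp->Children()[0]->Name() == "Foo";
}
bool ApplicationAnalyzerAcceptedAsRoot() {  // false: Foo is an Analyzer but not a valid root
    Connection conn{"constructed"}; Foo_Analyzer foo(&conn);
    return TreeIsWellFormed(foo);
}
```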