[Bro-Dev] Hui Lin_Confusion in Dynamic Protocol Detection
Robin Sommer
robin at icir.org
Sun Aug 7 21:39:26 PDT 2011
On Thu, Aug 04, 2011 at 22:19 -0700, you wrote:
> 1. From the "Class Layout" picture, every analyzer is derived from class
> "Analyzer", but the wording also says that "The root node must always be of
> type TransportLayerAnalyzer." So which one is the real root in Bro's
> code? yzer directly derived by "Analyzer") are located in this analyzer tree
> structure.
There are two different trees here: (1) the class hierarchy, which is
shown on the Wiki page and in which the Analyzer class is the root;
(2) the tree of analyzer *instances* instantiated for each connection
at runtime. In the latter, a TransportLayerAnalyzer instance must be
the root. The paper may help:
http://www.icir.org/robin/papers/usenix06.pdf
> So what are the differences between TCP_ApplicationAnalyzer and
> TCP_Analyzer?
The TCP_Analyzer analyzes TCP itself, while a TCP_ApplicationAnalyzer
analyzes an application-layer protocol that's running on top of TCP.
The former passes payload data on to the latter; that's why they are
linked in the analyzer tree.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
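The two trees Robin distinguishes (the class hierarchy rooted at Analyzer, and the per-connection tree of analyzer instances rooted at a TransportLayerAnalyzer), with a TCP analyzer handing stripped payload down to an application analyzer, as an added toy model in C++. This is illustration code written for this reply, not Bro's own implementation: the class names match the ones discussed in the thread, but the "seq:payload" segment format, the `DeliverStream`/`ForwardStream` methods, and `ProcessConnection` are constructed here for the example.

```cpp
// Added toy model of the two "trees" in the reply above; not Bro's code.
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Tree 1: the class hierarchy. Every analyzer derives from Analyzer.
class Analyzer {
public:
    explicit Analyzer(std::string name) : name_(std::move(name)) {}
    virtual ~Analyzer() = default;
    const std::string& Name() const { return name_; }

    // Each analyzer consumes whatever data its parent hands it.
    virtual void DeliverStream(const std::string& data) = 0;

    // Tree 2 plumbing: children are the analyzer *instances* attached to
    // this one for a particular connection at runtime.
    void AddChildAnalyzer(std::unique_ptr<Analyzer> child) {
        children_.push_back(std::move(child));
    }
    std::size_t NumChildren() const { return children_.size(); }

protected:
    // Pass data on to every child; this is the parent/child link in tree 2.
    void ForwardStream(const std::string& data) {
        for (auto& child : children_) child->DeliverStream(data);
    }

private:
    std::string name_;
    std::vector<std::unique_ptr<Analyzer>> children_;
};

// Transport-layer analyzers sit at the root of a connection's instance tree.
class TransportLayerAnalyzer : public Analyzer {
    using Analyzer::Analyzer;
};

// Application-layer analyzers run on top of a transport analyzer.
class TCP_ApplicationAnalyzer : public Analyzer {
    using Analyzer::Analyzer;
};

// Analyzes TCP itself. Toy segment format (constructed): "<seq>:<payload>".
class TCP_Analyzer : public TransportLayerAnalyzer {
public:
    TCP_Analyzer() : TransportLayerAnalyzer("TCP") {}
    void DeliverStream(const std::string& segment) override {
        // Strip the toy header, account for the payload, then hand the
        // payload to the application analyzers below us.
        auto sep = segment.find(':');
        std::string payload =
            sep == std::string::npos ? segment : segment.substr(sep + 1);
        payload_bytes_ += payload.size();
        ForwardStream(payload);
    }
    std::size_t PayloadBytes() const { return payload_bytes_; }
private:
    std::size_t payload_bytes_ = 0;
};

// Toy HTTP analyzer: only counts the request lines it is handed.
class HTTP_Analyzer : public TCP_ApplicationAnalyzer {
public:
    HTTP_Analyzer() : TCP_ApplicationAnalyzer("HTTP") {}
    void DeliverStream(const std::string& payload) override {
        if (payload.rfind("GET ", 0) == 0 || payload.rfind("POST ", 0) == 0)
            ++requests_;
    }
    int Requests() const { return requests_; }
private:
    int requests_ = 0;
};

struct ConnectionSummary {
    bool root_is_transport;        // tree-2 invariant: root is transport-layer
    std::size_t tcp_payload_bytes; // seen by the TCP analyzer
    int http_requests;             // seen by the HTTP analyzer underneath it
};

// Build the instance tree for one connection (TCP root, HTTP child) and
// feed it the constructed segments.
ConnectionSummary ProcessConnection(const std::vector<std::string>& segments) {
    auto tcp = std::make_unique<TCP_Analyzer>();
    TCP_Analyzer* tcp_raw = tcp.get();
    auto http = std::make_unique<HTTP_Analyzer>();
    HTTP_Analyzer* http_raw = http.get();
    tcp->AddChildAnalyzer(std::move(http));

    std::unique_ptr<Analyzer> root = std::move(tcp);  // the per-connection tree
    for (const auto& seg : segments) root->DeliverStream(seg);

    return ConnectionSummary{
        dynamic_cast<TransportLayerAnalyzer*>(root.get()) != nullptr,
        tcp_raw->PayloadBytes(),
        http_raw->Requests()};
}
```

The point of the split is visible in `ProcessConnection`: the HTTP analyzer never sees TCP headers, only the payload the transport analyzer forwards, which is exactly the parent/child link in the instance tree.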