[Bro-Dev] Hui Lin_Confusion in Dynamic Protocol Detection

Hui Lin hlin33 at illinois.edu
Sun Aug 7 21:56:01 PDT 2011


For 1, I am OK. For 2, I still confused, please see the inline comment.

On Sun, Aug 7, 2011 at 9:39 PM, Robin Sommer <robin at icir.org> wrote:

>
> On Thu, Aug 04, 2011 at 22:19 -0700, you wrote:
>
> > 1. From the "Class Layout" picture, every analyzer is derived from class
> > "Analyzer", but the wording also says that "The root node must always be
> of
> > type TransportLayerAnalyzer." So which one is the real root in the Bro's
> > code. yzer directly derived by "Analyzer") are located in this analyzer
> tree
> > structure.
>
> There are two different trees here: (1) the class hierarchy, which is
> shown on the Wiki page and in which the Analyzer class is the root;
> (2) the tree of analyzer *instances* instantiated for each connection
> at runtime. In the latter, a TransportLayerAnalyzer instance must be
> the root. The paper may help:
> http://www.icir.org/robin/papers/usenix06.pdf
>
> > So what is the differences between TCP_ApplicationAnalyzer and
> > TCP_Analyzer.
>
> The TCP_Analyzer analyzes TCP itself, while a TCP_ApplicationAnalyzer
> analyzes an application-layer protocol that's running on top of TCP.
> The former passes payload data on to the latter that's why they are
> linked in the analyzer tree.
>

So it seems that TCP_ApplicationAnalyzer behave like a helping interface
between TCP protocol and other application-over-TCP protocol.  I would also
like to learn how TCP_Analyzer passes payload to TCP_AppliationAnalyzer in
implementation. For the DNP3 protocol, I actually have to write two
application level analyzer and one passes the payload to the other one to do
some further parsing. I would like to refer TCP's implementation.


>

Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>



-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20110807/f0a804d2/attachment.html 


More information about the bro-dev mailing list