[Bro-Dev] Hui Lin_Confusion in Dynamic Protocol Detection

Robin Sommer robin at icir.org
Mon Aug 8 08:49:33 PDT 2011


On Sun, Aug 07, 2011 at 21:56 -0700, you wrote:

> So it seems that TCP_ApplicationAnalyzer behaves like a helping interface
> between the TCP protocol and other application-over-TCP protocols.  I would also
> like to learn how TCP_Analyzer passes payload to TCP_ApplicationAnalyzer in
> implementation. For the DNP3 protocol, I actually have to write two
> application-level analyzers, and one passes the payload to the other one to do
> some further parsing. I would like to refer to TCP's implementation.

TCP's data flow is more complex than you need (I believe) because the
TCP reassembler is potentially involved too. In your case, the first
analyzer would call its ForwardStream(), and the data will then show
up in the second's DeliverStream() method.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
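
The ForwardStream()/DeliverStream() hand-off described in the reply above, as an added stand-alone C++ model that is not Bro source and not code from either poster. The `Analyzer` base class, both analyzer classes and the one-byte length framing are constructed for illustration (the framing is not DNP3's); the first stage forwards only complete frames, including one split across two deliveries.

```cpp
// Stand-alone model of a two-stage analyzer chain; hypothetical classes, NOT Bro source.
#include <string>
#include <vector>
typedef unsigned char u_char;
struct Analyzer {
    std::vector<Analyzer*> children;
    virtual ~Analyzer() {}
    // Data handed over by the parent analyzer arrives here.
    virtual void DeliverStream(int len, const u_char* data, bool is_orig) = 0;
    // Pass data on; it shows up in each child's DeliverStream().
    void ForwardStream(int len, const u_char* data, bool is_orig) {
        for (Analyzer* c : children) c->DeliverStream(len, data, is_orig);
    }
};

// First stage: strips a constructed 1-byte length prefix, forwards whole payloads.
struct FramingAnalyzer : Analyzer {
    std::string buf[2];  // per-direction buffer; never holds a complete frame
    void DeliverStream(int len, const u_char* data, bool is_orig) {
        if (len <= 0) return;  // reject empty or negative lengths before buffering
        std::string& b = buf[is_orig ? 0 : 1];
        b.append(reinterpret_cast<const char*>(data), len);
        while (!b.empty()) {
            size_t need = 1 + static_cast<u_char>(b[0]);
            if (b.size() < need) break;  // partial frame: wait for more data
            ForwardStream(int(need - 1), (const u_char*)b.data() + 1, is_orig);
            b.erase(0, need);
        }
    }
};

// Second stage: records what the first stage forwarded.
struct PayloadAnalyzer : Analyzer {
    std::vector<std::string> seen;
    void DeliverStream(int len, const u_char* data, bool) {
        seen.push_back(std::string(reinterpret_cast<const char*>(data), len));
    }
};

// Constructed input: two chunks that split the second frame across deliveries.
std::vector<std::string> run_chain() {
    FramingAnalyzer first; PayloadAnalyzer second;
    first.children.push_back(&second);
    const u_char part1[] = {3, 'a', 'b', 'c', 2, 'd'};
    const u_char part2[] = {'e'};
    first.DeliverStream(int(sizeof part1), part1, true);
    first.DeliverStream(int(sizeof part2), part2, true);
    return second.seen;
}
int main() { return run_chain().size() == 2 ? 0 : 1; }
```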

