[Bro-Dev] #861: Merging DNP3 Analyzer
Bro Tracker
bro at tracker.bro-ids.org
Wed Oct 3 11:44:52 PDT 2012
#861: Merging DNP3 Analyzer
---------------------+------------------------
Reporter: hui | Owner: robin
Type: Task | Status: assigned
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords: dnp3
---------------------+------------------------
Comment (by robin):
Replying to [comment:6 hui]:
> So my understanding is that an analyzer class instance represents a single
> TCP session including all flows? Actually I am writing to confirm this
> understanding.
Yes, the analyzer gets (all) the data from a single TCP session, so if you
need to remember things for the (pseudo-)link layer reassembly, you can
(and should) do that as part of the analyzer class.
One additional note though: I'm now wondering if you need to buffer the
data at all. Can you just pass it into the BinPAC analyzer as it comes in?
You don't need to have the full PDU assembled before starting to send data
in (just like for HTTP, you don't need to have the full HTTP session).
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/861#comment:7>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
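The approach suggested in the reply, sketched as an added example (not code from the ticket or from Bro): per-session state strips the DNP3 pseudo-link framing and forwards user data as each TCP chunk arrives, without assembling the whole PDU first. The frame layout (start bytes 0x05 0x64, LEN, 16-byte blocks each followed by a 2-byte CRC) is assumed from the DNP3 link-layer definition; `Dnp3LinkStripper`, `Feed`, `SampleFrame` and the sink callback are hypothetical names, and CRCs are skipped rather than verified.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
// Hypothetical per-connection state: one instance per TCP session, as the reply describes.
struct Dnp3LinkStripper {
    std::function<void(const uint8_t*, size_t)> sink;  // stand-in for the parser's input
    size_t hdr = 0, user = 0, block = 0, crc = 0, skipped = 0;
    // Accepts in-order stream chunks of any size; forwards user data at once.
    void Deliver(const uint8_t* p, size_t n) {
        while (n > 0) {
            if (hdr < 10) {  // inside the 10-byte link header
                uint8_t b = *p++; --n;
                if (hdr == 0 && b != 0x05) { ++skipped; continue; }
                if (hdr == 1 && b != 0x64) { ++skipped; hdr = (b == 0x05); continue; }
                if (hdr == 2) { if (b < 5) { ++skipped; hdr = 0; continue; } user = b - 5u; }
                if (++hdr == 10) NextBlock();  // LEN counted 5 header bytes + user data
            } else if (block > 0) {  // user data, at most 16 bytes per block
                size_t take = std::min(n, block);
                sink(p, take);
                p += take; n -= take; block -= take; user -= take;
                if (block == 0) crc = 2;
            } else {  // 2-byte block CRC: skipped here, not verified
                size_t take = std::min(n, crc);
                p += take; n -= take; crc -= take;
                if (crc == 0) NextBlock();
            }
        }
    }
    void NextBlock() {
        block = std::min<size_t>(16, user);
        if (block == 0) hdr = 0;  // frame done, expect the next start bytes
    }
};
// Constructed sample: one frame, 18 user bytes; CRC fields are zero placeholders.
std::string SampleFrame() {
    return std::string("\x05\x64\x17\x44\x01\x00\x02\x00\x00\x00", 10) +
           "ABCDEFGHIJKLMNOP" + std::string(2, '\0') + "QR" + std::string(2, '\0');
}
// Feed `wire` in `chunk`-byte pieces; return the bytes that reached the sink.
std::string Feed(const std::string& wire, size_t chunk) {
    std::string out; Dnp3LinkStripper s;
    s.sink = [&](const uint8_t* d, size_t n) { out.append((const char*)d, n); };
    for (size_t i = 0; i < wire.size(); i += chunk)
        s.Deliver((const uint8_t*)wire.data() + i, std::min(chunk, wire.size() - i));
    return out;
}
int main() { return Feed(SampleFrame(), 3) == "ABCDEFGHIJKLMNOPQR" ? 0 : 1; }
```

The only state carried between calls is a handful of counters, so memory use per session stays constant regardless of frame size or how TCP segments split the frame.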