[Bro] analyzer

Robin Sommer robin at icir.org
Wed May 3 09:01:52 PDT 2006


On Wed, May 03, 2006 at 14:40 +0200, bsila amine wrote:

> can anyone please tell me the procedure to add a new
> protocol analyzer.

The best way to see how an analyzer works is to take a look at one
of the more simple existing analyzers. For a TCP protocol, the
finger analyzer is a good starting point (it's in Finger.{h,cc}; you
can ignore anything related to trace rewriting). For UDP the NTP
analyzer makes a good example.

Note that in the near future the analyzer interface will change, as
we're working on a more general analyzer architecture (which is,
e.g., able to analyze protocols independent of their well-known
ports). It will be easy to convert analyzers to the new interface
though.

Which protocol do you want to add?

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
