[Bro] Writing Analyzers

Robin Sommer robin at icir.org
Fri Oct 6 09:17:18 PDT 2006


On Fri, Oct 06, 2006 at 10:59 +0530, you wrote:

> When writing an Analyzer for a protocol, say X, that runs on top of a
> TCP connection, should I always include the 'Deliver' function? Is it the
> function that gets called every time an X packet arrives at the interface?

Please note that the analyzer interface is going to change quite a
bit with the upcoming 1.2 release (real soon now :-), and I
recommend using the new API for any new code. There is actually already
some documentation available for it in the Bro Wiki (see "API for
dynamic protocol detection"). 

That said, for a TCP-based analyzer you most probably don't want to
work on packets but on the reassembled payload stream. With the new
API, TCP_ApplicationAnalyzer::DeliverStream() is the entry point for
that. 

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
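To illustrate the distinction Robin draws between a per-packet Deliver() hook and a stream-level DeliverStream() hook, here is a small added example (not Bro's code, and not the analyzer API itself): a toy reassembler buffers out-of-order and retransmitted TCP segments and hands only contiguous in-order bytes to a DeliverStream-style method, where the protocol parser (here, a CRLF line splitter) lives. The class name ToyStreamAnalyzer, the method names and the sample segments are all constructed for this illustration; sequence-number wraparound is deliberately ignored.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed illustration, not Bro's analyzer API: one TCP segment as an
// analyzer would see it packet by packet.
struct Segment {
    uint32_t seq;      // sequence number of the first payload byte
    std::string data;  // payload bytes
};

class ToyStreamAnalyzer {
public:
    explicit ToyStreamAnalyzer(uint32_t initial_seq) : next_seq_(initial_seq) {}

    // Packet-level entry point: segments may arrive out of order, duplicated
    // or overlapping, so a protocol parser here would have to cope with all
    // of that itself. We only buffer and try to flush in-order data.
    void DeliverPacket(const Segment& s) {
        packets_seen_++;
        pending_[s.seq] = s.data;  // same seq twice: keep the latest copy
        Flush();
    }

    // Stream-level entry point: receives only contiguous, in-order bytes, so
    // the protocol logic (line splitting here) can assume a clean byte stream.
    virtual void DeliverStream(const std::string& chunk) {
        stream_ += chunk;
        ParseLines();
    }

    const std::vector<std::string>& Lines() const { return lines_; }
    size_t PacketsSeen() const { return packets_seen_; }
    size_t PendingSegments() const { return pending_.size(); }
    size_t BytesDelivered() const { return bytes_delivered_; }

private:
    // Deliver every buffered segment that starts at or before next_seq_,
    // trimming bytes already delivered; stop at the first gap.
    void Flush() {
        while (!pending_.empty()) {
            auto it = pending_.begin();
            if (it->first > next_seq_) break;  // hole in the stream: wait
            size_t skip = next_seq_ - it->first;  // overlap with delivered data
            std::string chunk = it->second.substr(std::min(skip, it->second.size()));
            pending_.erase(it);
            if (chunk.empty()) continue;  // pure retransmission, nothing new
            next_seq_ += static_cast<uint32_t>(chunk.size());
            bytes_delivered_ += chunk.size();
            DeliverStream(chunk);
        }
    }

    // Toy protocol parser: split the reassembled stream on CRLF.
    void ParseLines() {
        size_t pos;
        while ((pos = stream_.find("\r\n")) != std::string::npos) {
            lines_.push_back(stream_.substr(0, pos));
            stream_.erase(0, pos + 2);
        }
    }

    uint32_t next_seq_;
    std::map<uint32_t, std::string> pending_;  // ordered by seq
    std::string stream_;
    std::vector<std::string> lines_;
    size_t packets_seen_ = 0;
    size_t bytes_delivered_ = 0;
};

// Constructed sample: a request line split across three segments that
// arrive out of order, one retransmission, then a header line.
ToyStreamAnalyzer RunSample() {
    ToyStreamAnalyzer a(1000);
    a.DeliverPacket({1018, "TP/1.0\r\n"});   // arrives first, but is the tail
    a.DeliverPacket({1000, "GET /inde"});    // head: delivered immediately
    a.DeliverPacket({1009, "x.html HT"});    // fills the gap, releases the tail
    a.DeliverPacket({1009, "x.html HT"});    // retransmission: fully trimmed
    a.DeliverPacket({1026, "Host: example.test\r\n"});
    return a;
}

int main() {
    ToyStreamAnalyzer a = RunSample();
    for (const auto& line : a.Lines())
        std::cout << "line: " << line << "\n";
    std::cout << a.PacketsSeen() << " packets, " << a.BytesDelivered()
              << " bytes delivered to DeliverStream\n";
    return 0;
}
```

The point of the exercise is the asymmetry between the two hooks: DeliverPacket() saw five segments, including one out of order and one duplicate, while DeliverStream() received exactly 46 clean bytes and the parser never had to think about sequence numbers. That is the work a TCP-based analyzer gets for free by hooking the reassembled stream rather than individual packets.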