[Bro] Activating a scanner within a scanner?

Richard Hartmann richih at net.in.tum.de
Thu May 10 02:35:44 PDT 2007


Hi all,


As some of you will know, I am writing a SIP and (soonish) an RTCP analyzer
in BinPAC.

I have a question regarding the analysis of protocols which are
inlined into other protocols.


The relation of SIP to SDP could loosely be described as that of an HTML
header and body. When the Content-Length field in the SIP packet is
non-zero, there is an SDP payload that also needs to be parsed.

I am not sure if it would make more sense to hook another analyzer into
the SIP analyzer or to just parse the SDP payload within my SIP
analyzer.

Another consideration would be how to write the SDP analyzer in a way
that accounts for both standalone detection and use as a plugin for my
SIP analyzer (working on packets vs working on data I feed it directly).


Any feedback is appreciated,
Richard
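
Added example, not part of the original message and not Bro or BinPAC code: a Python sketch of the layering asked about above, where the SDP parser takes a plain byte buffer so it can run standalone or be fed exactly Content-Length bytes by the SIP parser. The names parse_sip and parse_sdp, the Content-Type check and the sample message are assumptions made for illustration; header folding is not handled.

```python
# Added illustration (Python, not BinPAC); all names here are hypothetical.

def parse_sdp(data: bytes) -> list[tuple[str, str]]:
    """Parse SDP from a byte buffer; usable standalone or as a SIP sub-parser."""
    fields = []
    for line in data.decode("utf-8", "replace").split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        # SDP lines have the form <type>=<value> with a one-character type.
        if len(line) < 2 or line[1] != "=":
            raise ValueError(f"malformed SDP line: {line!r}")
        fields.append((line[0], line[2:]))
    return fields


def parse_sip(message: bytes) -> dict:
    """Split a SIP message into start line, headers and optional SDP body."""
    head, sep, rest = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of SIP headers found")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # "l" and "c" are the SIP compact forms of Content-Length and Content-Type.
    raw_len = headers.get("content-length", headers.get("l", "0"))
    if not (raw_len.isascii() and raw_len.isdigit()):
        raise ValueError("Content-Length is not a non-negative integer")
    length = int(raw_len)
    # Never trust the declared length beyond the bytes actually present.
    if length > len(rest):
        raise ValueError("Content-Length exceeds the bytes available")
    result = {"start_line": lines[0], "headers": headers, "sdp": None,
              "trailing": rest[length:]}
    ctype = headers.get("content-type", headers.get("c", "")).lower()
    if length and ctype.startswith("application/sdp"):
        # Hand exactly Content-Length bytes to the inner parser.
        result["sdp"] = parse_sdp(rest[:length])
    return result


# Constructed sample input, not captured traffic.
SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
       b"c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SIP = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
       b"Content-Type: application/sdp\r\n"
       b"Content-Length: " + str(len(SDP)).encode() + b"\r\n\r\n" + SDP)
```

Bytes beyond the declared length are returned under "trailing" rather than parsed, so a mismatch between the declared and actual body size stays visible to the caller.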


