[Bro] Plugin doesn't seem to get instantiated

Bas Vermeulen basvermeulen80 at yahoo.com
Fri Aug 21 12:31:00 PDT 2015

Hi all, 

I want to create my own bro plugin but I'm stuck in the playing-around phase. Below is my current code and information about my system. I know packet counts are available in the normal logs, this is just my hello world for bro. The problem is that while bro seems to recognize that there is a plugin, it doesn't seem to instantiate the analyzer when it is processing a pcap. I've tried to activate it using the environment variables, the Available function and the EnableHook. I need to process all connections so I can't use port numbers or signatures.

The only output the plugin creates is 'hello world!' from the plugin.cc. If the Analyzer gets instantiated, I would expect more output.

Could someone please help me?


// plugin.cc: registers the analyzer component and prints "hello world!" from Configure()
#include <iostream>

#include "plugin/Plugin.h"
#include "plugin/Manager.h"

#include "PluginAnalyzer.h"

using std::cout;

namespace plugin {
namespace mynamespace_myplugin {

class Plugin : public plugin::Plugin {
protected:
    // Called once by the plugin manager when the plugin is loaded
    plugin::Configuration Configure()
        {
        // Register the analyzer; the component name "PluginAnalyzer" must match the
        // name passed to the Analyzer base constructor in PluginAnalyzer's constructor
        AddComponent(new ::analyzer::Component("PluginAnalyzer", ::analyzer::mynamespace_myplugin::PluginAnalyzer::Instantiate));

        plugin::Configuration config;
        config.name = "mynamespace::myplugin";
        config.description = "Test_plugin";
        config.version.major = 0;
        config.version.minor = 2;
        cout << "hello world!\n";

        // Attempt to enable the plugin, this doesn't seem to
        // do anything
        EnableHook(HOOK_SETUP_ANALYZER_TREE, 1);

        return config;
        }
} plugin;

} // namespace mynamespace_myplugin
} // namespace plugin



// PluginAnalyzer.h: declaration of the TCP application analyzer
//#include "analyzer/Analyzer.h"
#include <iostream>

#include "analyzer/protocol/tcp/TCP.h"

using std::cout;

namespace analyzer { namespace mynamespace_myplugin {

//class PluginAnalyzer : public analyzer::Analyzer {
class PluginAnalyzer : public tcp::TCP_ApplicationAnalyzer {
public:
    PluginAnalyzer(Connection* c);
    // Defined inline so the declaration does not leave an undefined symbol at link time
    virtual ~PluginAnalyzer() { }

    virtual void Init();
    virtual void Done();

    // from Analyzer.h
    virtual void UpdateConnVal(RecordVal *conn_val);
    virtual void FlipRoles();

    static bool Available()
        { cout << "availability checked\n"; return true; }

    // Factory used by the analyzer::Component registered in plugin.cc
    static analyzer::Analyzer* Instantiate(Connection* conn)
        { cout << "instantiate\n"; return new PluginAnalyzer(conn); }

    virtual void DeliverStream(int len, const u_char* data, bool orig);

protected:
    uint64_t total_packets;
};

} } // namespace analyzer::mynamespace_myplugin


// Implementation file for PluginAnalyzer
#include <iostream>

#include "PluginAnalyzer.h"
#include "analyzer/protocol/tcp/TCP.h"
#include "Reporter.h"   // for reporter->InternalError()

using std::cout;
using namespace analyzer::mynamespace_myplugin;

PluginAnalyzer::PluginAnalyzer(Connection* c)
    // The name given here must be the component name registered in plugin.cc
    // ("PluginAnalyzer"); Bro looks up the analyzer's tag by this name
    : tcp::TCP_ApplicationAnalyzer("PluginAnalyzer", c)
    {
    cout << "pluginanalyzer constructor\n";
    total_packets = 0;
    }

void PluginAnalyzer::Init()
    {
    tcp::TCP_ApplicationAnalyzer::Init();
    cout << "init \n";

    total_packets = 0;
    }

void PluginAnalyzer::Done()
    {
    // Let the base class mark the analyzer as finished
    tcp::TCP_ApplicationAnalyzer::Done();
    }

void PluginAnalyzer::DeliverStream(int length, const u_char* data, bool orig)
    {
    tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);

    // Count delivered stream chunks as a stand-in for packets in this hello world
    ++total_packets;
    cout << "deliverStream \n";
    }

void PluginAnalyzer::UpdateConnVal(RecordVal *conn_val)
    {
    // Base implementation propagates the update to child analyzers
    tcp::TCP_ApplicationAnalyzer::UpdateConnVal(conn_val);

    cout << "UpdateConnVal begin\n";
    // The connection record must have been extended with a "total_packets" field
    // (redef record connection) in a Bro script, otherwise this lookup fails
    int totalidx = conn_val->Type()->AsRecordType()->FieldOffset("total_packets");
    if ( totalidx < 0 )
        reporter->InternalError("missing total packets field");

    conn_val->Assign(totalidx, new Val(total_packets, TYPE_COUNT));

    cout << "UpdateConnVal end\n";
    }

void PluginAnalyzer::FlipRoles()
    {
    tcp::TCP_ApplicationAnalyzer::FlipRoles();
    }

This is what I have done...

$ make
< no error messages >
$ sudo make install 
< no error messages >

$ export BRO_PLUGIN_PATH=~/plugin
$ export BRO_PLUGIN_ACTIVATE=mynamespace::myplugin

$ bro -N
hello world!
mynamespace::myplugin - Test_plugin (dynamic, version 0.2)
Bro::ARP - ARP Parsing (built-in)
Bro::AsciiReader - ASCII input reader (built-in)

$ rm *.log
$ bro -C -r test.pcap 
hello world!
$ ls *.log
conn.log  packet_filter.log  ssh.log

This is info about my system and installation...

$ bro -v
bro version 2.4-84

$ uname -srvpio
Linux 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 GNU/Linux

When I installed from source I used:
./configure --disable-broker
sudo make install

The plugin was originally created with the init-plugin tool
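Added example, not part of the post above: a Bro script that does the one thing the posted code never does, namely asking Bro to attach the registered analyzer to connections. Configure() only announces the component (that is what the "hello world!" line shows); an analyzer is instantiated when it is registered for ports, matched by a signature, or added to a connection's analyzer tree explicitly. The script assumes that the component name "PluginAnalyzer" yields the script-level tag Analyzer::ANALYZER_PLUGINANALYZER (Bro derives the enum name from the component name) and that the Bro 2.x analyzer-framework functions are available with the signatures used here; the ports are constructed sample values.

```bro
# Added example, not code from the original post.
# Assumes Analyzer::ANALYZER_PLUGINANALYZER is the tag Bro derived from the
# component name "PluginAnalyzer", and the Bro 2.x analyzer framework API below.
@load base/frameworks/analyzer

module MyPlugin;

export {
    ## Constructed sample ports; traffic on these gets the analyzer attached.
    const ports = { 8080/tcp, 9000/tcp } &redef;
}

# The field the plugin's UpdateConnVal() writes into. Without this redef the
# FieldOffset("total_packets") lookup in the C++ code fails with an internal error.
redef record connection += {
    total_packets: count &default=0;
};

event bro_init()
    {
    # This registration is what makes Bro instantiate the analyzer for a
    # connection; Configure() in plugin.cc only makes the component known.
    Analyzer::register_for_ports(Analyzer::ANALYZER_PLUGINANALYZER, ports);
    }

event connection_state_remove(c: connection)
    {
    # The connection record is rebuilt when the connection is removed, which
    # runs the analyzer's UpdateConnVal() and fills in total_packets.
    if ( c$total_packets > 0 )
        print fmt("%s: total_packets=%d", c$uid, c$total_packets);
    }
```

Running `bro -C -r test.pcap` together with this script should then show the "instantiate" and "deliverStream" lines for connections on the registered ports. Port registration does not cover the post's requirement of seeing every connection; for that, as I understand the 2.4 plugin API, enabling HOOK_SETUP_ANALYZER_TREE with EnableHook() is only half the job: the plugin class also has to override the matching HookSetupAnalyzerTree(Connection*) virtual of plugin::Plugin and add a new PluginAnalyzer to the connection's TCP analyzer tree there, since the hook is what Bro calls while building each connection's analyzer tree.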