[Bro] packet post-processor plugin

Jeff Barber jbarber at computer.org
Tue May 19 13:22:14 PDT 2015


Still a bro newbie, so I'm looking for some guidance.

I'd like to add a packet post-processor to bro. It'll be written in C++.
Essentially I'd like to see every packet that goes through bro, along with
its Connection record (or the equivalent) if there is one. Ideally it would
be structured as a plugin.

It looks like I could do it by triggering off of events like new_packet
(although currently that only triggers for IP packets). However, IIUC, that
still has bro packaging all the info up into a RecordVal, then I have to
decode it in my plugin event handler. That seems like quite a bit of
additional overhead on each packet.

It looks like I might also be able to do it as a PktDumper but then I just
get the raw packet data and I'd have to go re-parse headers and re-lookup
connection info - redoing work that's already been done.

What I'd really like is to simply get a call at the end of analysis for
every packet, where I'd get passed a pointer to the packet data along with
a pointer to the existing Connection record (if any). Maybe there's some
obvious way to do this that I've overlooked?

Anybody have advice for the best way to go? I'm willing to do work to make
this happen, but would also prefer not to fork bro, so I'm looking for "right
ways".

TIA,
Jeff