[Bro] New layer 2 analyzer

Robin Sommer robin at icir.org
Mon Oct 3 12:04:31 PDT 2016



On Mon, Oct 03, 2016 at 13:14 +0200, Dane Wullen wrote:

> Now I'm thinking about writing that analyzer without BinPAC, but I'm not
> really sure where to start. Can anyone give me a few hints or could tell me
> his/her experience in writing a new protocol analyzer with C++ for Bro?

Yeah, BinPAC isn't a good tool for layer 2 protocols. Generally Bro's
support for layer 2 analysis lags behind the upper layers of the
stack; it doesn't have as much abstraction / APIs in place for adding
new analyzers.

That said, looking at ARP is actually a good starting point. See
analyzer/protocol/arp/ARP.cc; the main work happens there in
ARP_Analyzer::NextPacket(). The method is called from
NetSessions::NextPacket() (in Sessions.cc) after ARP has been
identified in Packet::ProcessLayer2() (iosource/Packet.cc).

Does that help?

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
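As an added example (my own code, not from the Bro source tree and not something Robin or Dane posted): the core of what a layer-2 ARP analyzer's NextPacket() has to do once Packet::ProcessLayer2() has matched the EtherType, written as a stand-alone C++ parser. The names ParseArp, ParseEthernetArp and ArpInfo are hypothetical and the frame is constructed, not captured; the point it shows is that an analyzer fed raw link-layer bytes must length-check every field before reading it, so a truncated or malformed frame is rejected rather than read past its end.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed sample frame (not a capture): Ethernet + ARP request
// "who-has 192.168.1.1 tell 192.168.1.2".
static const std::vector<uint8_t> kSampleFrame = {
    // Ethernet header: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:02, type 0x0806
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x08, 0x06,
    // ARP fixed header: htype=1, ptype=0x0800, hlen=6, plen=4, opcode=1 (request)
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01,
    // sender MAC / sender IPv4
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0xc0, 0xa8, 0x01, 0x02,
    // target MAC (unknown) / target IPv4
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01,
};

// Decoded ARP fields (hypothetical struct, not a Bro type).
struct ArpInfo {
    uint16_t opcode;
    uint8_t  sender_mac[6];
    uint32_t sender_ip;   // host byte order
    uint8_t  target_mac[6];
    uint32_t target_ip;   // host byte order
};

static uint16_t be16(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}
static uint32_t be32(const uint8_t* p) {
    return (static_cast<uint32_t>(p[0]) << 24) | (static_cast<uint32_t>(p[1]) << 16) |
           (static_cast<uint32_t>(p[2]) << 8)  |  static_cast<uint32_t>(p[3]);
}

// Parse the ARP payload that follows the Ethernet header, i.e. what a layer-2
// analyzer's NextPacket() receives. Every field is length-checked before it is
// read, so a truncated or malformed frame yields false instead of an
// out-of-bounds read. Only Ethernet/IPv4 ARP (hlen 6, plen 4) is accepted.
bool ParseArp(const uint8_t* data, size_t len, ArpInfo* out) {
    const size_t kFixedHdr = 8;
    if (len < kFixedHdr) return false;
    uint16_t htype = be16(data);
    uint16_t ptype = be16(data + 2);
    uint8_t  hlen  = data[4];
    uint8_t  plen  = data[5];
    if (htype != 1 || ptype != 0x0800 || hlen != 6 || plen != 4) return false;
    if (len < kFixedHdr + 2u * (hlen + plen)) return false;  // needs 28 bytes

    const uint8_t* p = data + kFixedHdr;
    out->opcode = be16(data + 6);
    std::memcpy(out->sender_mac, p, 6);  p += 6;
    out->sender_ip = be32(p);            p += 4;
    std::memcpy(out->target_mac, p, 6);  p += 6;
    out->target_ip = be32(p);
    return true;
}

// Dispatch step analogous to the EtherType check in Packet::ProcessLayer2():
// only frames whose EtherType is 0x0806 are handed to the ARP parser.
bool ParseEthernetArp(const uint8_t* frame, size_t len, ArpInfo* out) {
    const size_t kEthHdr = 14;
    if (len < kEthHdr) return false;
    if (be16(frame + 12) != 0x0806) return false;
    return ParseArp(frame + kEthHdr, len - kEthHdr, out);
}

// Stand-alone demo: parse the sample, then show that a truncated copy is rejected.
int main() {
    ArpInfo info;
    if (ParseEthernetArp(kSampleFrame.data(), kSampleFrame.size(), &info)) {
        std::printf("ARP op=%u sender=%u.%u.%u.%u target=%u.%u.%u.%u\n", info.opcode,
                    info.sender_ip >> 24, (info.sender_ip >> 16) & 0xff,
                    (info.sender_ip >> 8) & 0xff, info.sender_ip & 0xff,
                    info.target_ip >> 24, (info.target_ip >> 16) & 0xff,
                    (info.target_ip >> 8) & 0xff, info.target_ip & 0xff);
    }
    bool truncated_ok = ParseEthernetArp(kSampleFrame.data(), 30, &info);
    std::printf("truncated frame accepted: %s\n", truncated_ok ? "yes" : "no");
    return 0;
}
```

In a real analyzer the caller hands over a pointer and a remaining length, as the Bro call chain above does; the two guards in ParseArp (fixed header, then the variable part sized from hlen and plen) are the checks that keep an attacker-controlled frame from steering reads beyond the buffer.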

