[Bro] New layer 2 analyzer
Dane Wullen
brot212 at googlemail.com
Tue Oct 4 00:28:49 PDT 2016
Yeah, I think that will help. Thank you.
My first goal is to write some C++ code so that EtherCAT traffic will
be detected. For someone with basic knowledge about C++, how much time
will this take?
Thanks
-Dane
On 03.10.2016 at 21:04, Robin Sommer wrote:
> Yeah, BinPAC isn't a good tool for layer 2 protocols. Generally Bro's
> support for layer 2 analysis lags behind the upper layers of the
> stack; it doesn't have as much abstraction / APIs in place for adding
> new analyzers.
>
> That said, looking at ARP is actually a good starting point. See
> analyzer/protocol/arp/ARP.cc, the main work happens there in
> ARP_Analyzer::NextPacket(). The method is called from
> NetSessions::NextPacket() (in Sessions.cc) after ARP has been
> identified in Packet::ProcessLayer2() (iosource/Packet.cc).
>
> Does that help?
>
> Robin
>
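The call path Robin points at (Packet::ProcessLayer2() identifies the EtherType, NetSessions::NextPacket() hands the frame to the matching analyzer's NextPacket()) is a dispatch-by-EtherType pattern. Below is an added, self-contained C++ sketch of that pattern for the EtherCAT case Dane asks about. It is not Bro's code: the classes Sessions, Analyzer, EtherCATAnalyzer and ARPAnalyzer and their signatures are constructed for this example and do not mirror Bro's actual API; the EtherType constants (0x88A4 EtherCAT, 0x0806 ARP, 0x8100 802.1Q, 0x0800 IPv4) are registry values; the frames fed in are constructed, not captured. The EtherCAT analyzer also checks the 2-byte frame header's length field against the bytes actually present, which is the bounds check a datagram parser needs before it walks the payload.

```cpp
// Added example: a minimal EtherType dispatcher modelled on the path named in
// the thread (ProcessLayer2 -> NextPacket -> <Analyzer>::NextPacket).
// NOT Bro's code; class names and signatures are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <utility>
#include <vector>

namespace l2 {

// EtherType values from the IEEE registry.
constexpr uint16_t ETHERTYPE_IPV4     = 0x0800;
constexpr uint16_t ETHERTYPE_ARP      = 0x0806;
constexpr uint16_t ETHERTYPE_VLAN     = 0x8100;   // 802.1Q tag
constexpr uint16_t ETHERTYPE_ETHERCAT = 0x88A4;

struct Packet {
    std::vector<uint8_t> data;   // whole frame
    size_t   l2_hdr_len = 0;     // bytes consumed by Ethernet (+ VLAN tags) header
    uint16_t ethertype  = 0;     // innermost EtherType after stripping tags
};

// Analogue of an analyzer's NextPacket(): receives the payload after the L2 header.
class Analyzer {
public:
    virtual ~Analyzer() = default;
    virtual void NextPacket(const uint8_t* payload, size_t len) = 0;
    int frames = 0;      // well-formed payloads seen
    int malformed = 0;   // payloads rejected by the analyzer's own checks
};

// EtherCAT: 2-byte little-endian frame header (low 11 bits = length of the
// datagrams that follow, top 4 bits = type), then the datagrams.
class EtherCATAnalyzer : public Analyzer {
public:
    uint8_t last_type = 0;
    void NextPacket(const uint8_t* p, size_t len) override {
        if (len < 2) { ++malformed; return; }
        uint16_t hdr = static_cast<uint16_t>(p[0] | (p[1] << 8));
        uint16_t dgram_len = hdr & 0x07FF;
        // Reject a header that claims more bytes than the frame carries; a
        // datagram walker that trusted this field would read past the buffer.
        if (dgram_len > len - 2) { ++malformed; return; }
        last_type = static_cast<uint8_t>(hdr >> 12);
        ++frames;
    }
};

// ARP over Ethernet/IPv4 is a fixed 28-byte header; anything shorter is malformed.
class ARPAnalyzer : public Analyzer {
public:
    void NextPacket(const uint8_t*, size_t len) override { if (len < 28) ++malformed; else ++frames; }
};

class Sessions {
public:
    int unknown = 0;    // frames whose EtherType has no registered analyzer
    int truncated = 0;  // frames too short to carry an Ethernet header

    void Register(uint16_t ethertype, std::unique_ptr<Analyzer> a) { analyzers_[ethertype] = std::move(a); }

    // Analogue of Packet::ProcessLayer2(): skip dst/src MAC, strip 802.1Q tags,
    // record the inner EtherType and the header length.
    static bool ProcessLayer2(Packet& pkt) {
        const auto& d = pkt.data;
        if (d.size() < 14) return false;
        size_t off = 12;
        uint16_t et = static_cast<uint16_t>((d[off] << 8) | d[off + 1]);
        off += 2;
        while (et == ETHERTYPE_VLAN) {          // 4-byte tag: TCI + inner EtherType
            if (d.size() < off + 4) return false;
            et = static_cast<uint16_t>((d[off + 2] << 8) | d[off + 3]);
            off += 4;
        }
        pkt.ethertype = et;
        pkt.l2_hdr_len = off;
        return true;
    }

    // Analogue of NetSessions::NextPacket(): dispatch on the resolved EtherType.
    void NextPacket(Packet& pkt) {
        if (!ProcessLayer2(pkt)) { ++truncated; return; }
        auto it = analyzers_.find(pkt.ethertype);
        if (it == analyzers_.end()) { ++unknown; return; }
        it->second->NextPacket(pkt.data.data() + pkt.l2_hdr_len, pkt.data.size() - pkt.l2_hdr_len);
    }

private:
    std::map<uint16_t, std::unique_ptr<Analyzer>> analyzers_;
};

// Constructed frame builder (not captured traffic); MAC addresses are placeholders.
Packet MakeFrame(uint16_t ethertype, bool vlan, const std::vector<uint8_t>& payload) {
    Packet p;
    p.data = {0x01, 0x01, 0x05, 0x01, 0x00, 0x00,   // dst MAC (constructed)
              0x00, 0x11, 0x22, 0x33, 0x44, 0x55};  // src MAC (constructed)
    if (vlan) p.data.insert(p.data.end(), {0x81, 0x00, 0x00, 0x64});  // 802.1Q, VLAN 100
    p.data.push_back(static_cast<uint8_t>(ethertype >> 8));
    p.data.push_back(static_cast<uint8_t>(ethertype & 0xFF));
    p.data.insert(p.data.end(), payload.begin(), payload.end());
    return p;
}

struct DemoResult { int ethercat_ok, ethercat_bad, ethercat_type, arp_ok, unknown, truncated; };

DemoResult RunDemo() {
    Sessions s;
    auto* ec  = new EtherCATAnalyzer;
    auto* arp = new ARPAnalyzer;
    s.Register(ETHERTYPE_ETHERCAT, std::unique_ptr<Analyzer>(ec));
    s.Register(ETHERTYPE_ARP,      std::unique_ptr<Analyzer>(arp));

    std::vector<uint8_t> good(12, 0x00);
    good.insert(good.begin(), {0x0C, 0x10});   // header: length 12, type 1; then 12 datagram bytes
    std::vector<Packet> frames;
    frames.push_back(MakeFrame(ETHERTYPE_ETHERCAT, false, good));
    frames.push_back(MakeFrame(ETHERTYPE_ETHERCAT, true,  good));                      // VLAN-tagged
    frames.push_back(MakeFrame(ETHERTYPE_ETHERCAT, false, {0x64, 0x10, 0, 0, 0, 0}));  // claims 100 bytes, has 4
    frames.push_back(MakeFrame(ETHERTYPE_ARP,      false, std::vector<uint8_t>(28, 0)));
    frames.push_back(MakeFrame(ETHERTYPE_IPV4,     false, std::vector<uint8_t>(20, 0))); // no analyzer registered
    Packet runt; runt.data = {0x00, 0x11, 0x22};                                        // too short for Ethernet
    frames.push_back(runt);
    for (auto& f : frames) s.NextPacket(f);
    return {ec->frames, ec->malformed, ec->last_type, arp->frames, s.unknown, s.truncated};
}

} // namespace l2

int main() {
    auto r = l2::RunDemo();
    std::printf("EtherCAT ok=%d bad=%d type=%d  ARP ok=%d  unknown=%d truncated=%d\n",
                r.ethercat_ok, r.ethercat_bad, r.ethercat_type, r.arp_ok, r.unknown, r.truncated);
    return 0;
}
```

The point of separating ProcessLayer2 from the analyzers is the one Robin's pointer implies: the frame-level parser owns exactly one job (find the inner EtherType and where the payload starts), so adding a new layer 2 protocol means registering one more analyzer rather than touching the dispatch loop, and every analyzer receives a payload whose length it can bound its own parsing by.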