[Bro] New layer 2 analyzer

Dane Wullen brot212 at googlemail.com
Tue Oct 4 00:28:49 PDT 2016

Yeah, I think that will help. Thank you.

My first goal is to write some C++ code, so that EtherCat traffic will 
be detected. For someone with basic knowledge about C++, how much time 
will this take?



Am 03.10.2016 um 21:04 schrieb Robin Sommer:
> Yeah, BinPAC isn't a good tool for layer 2 protocols. Generally Bro's
> support for layer 2 analysis lacks behind the upper layers of the
> stack, it doesn't have as much abstraction / APIs in place for adding
> new analyzers.
> That said, looking at ARP is actually a good starting point. See
> analyzer/protocol/arp/ARP.cc, the main work happens there in
> ARP_Analyzer::NextPacket(). The method is called from
> NetSessions::NextPacket() (in Sessions.cc) after ARP has been
> identified in Packet::ProcessLayer2() (iosource/Packet.cc)
> Does that help?
> Robin

More information about the Bro mailing list