[Zeek] Does Zeek allow to inspect RTP headers?

[anthony kasza]

This is a great question and something I recently went through with
RDPEUDP. The Syslog analyzer is a good example of a simple analyzer. The
SSL analyzer is a good example of a complex analyzer.

I found comparing existing analyzers to the files which binpac_quickstart
outputs very helpful. It turns out much of the code which composes an
analyzer is template/boilerplate. *-protocol.pac and *-analzer.pac is where
most of the analyzer will live.

The README of binpac explains its DSL fairly well. It's much smaller than
Zeek's scripting language but harder, in my opinion, to debug. Some random
thoughts on binpac:
- I had issues using nested cases, so don't use them
- I ended up using temporary or "throw away" fields than I thought would be
necessary
- There are conventions but there doesn't seem to be one way of using binpac
- printf from proc_* functions is basically all the debugging info you get

Reading the Zeek docs on DPD, PIA, and the Signature Framework were also
useful if you want your analyzer to attach to connections in a robust
manner.

I hope this helps!

-AK

On Thu, Apr 9, 2020, 13:10 Tomek Koziak <ttomek.koziak at gmail.com> wrote:

> Hi all,
>
> As far as I see here
> <https://github.com/zeek/zeek/tree/47235b57a6854e0acf2899f5681edf1ebb7efa4a/src/analyzer/protocol> no
> RTP analizer has been added yet. So I have an another question regarding
> this topic. Is there any existing guide or tutorial explaining how I can
> develop an analizer for a protocol myself or should I just base it on the
> already existing code?
>
> Best regards and happy Easter.
>
> Tomasz
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200409/0b831ed5/attachment.html