Developing a Bro protocol analyzer as a plugin

Hi all,

I’ve written an entry in my personal blog explaining how I managed to develop an analyzer as a plugin.

http://lirasenlared.blogspot.com.es/2016/04/developing-bro-analyzer-as-plugin.html

Any comments will be welcome. I hope it is of some help to somebody.

Enjoy!


Hi Luis!

Thanks for writing up your experiences. It's difficult for us sometimes to see how some of this could be confusing, because there are so many technologies and mechanisms that need to be learned in order to write analyzers and other plugins. People writing about their experiences like you did can be massively helpful for us to make sure that we're on a path to making these things easier and more straightforward, and also very helpful for other people learning how to do this.

Thanks!
  .Seth

Yes, thank you.

I’d like to also look over your post and see if there are specific ways we can improve our manual. In which case, would you mind us incorporating some of what you’ve written into the manual if it makes sense?

:Adam

Thanks, Luis, for this!

OpenNSM has a couple of good videos on YouTube for this as well.
https://www.youtube.com/watch?v=eZAgqSFd9-c

Where I get lost is for protocols with more complex fields and sub-fields when trying to chain them together in the .pac file definitions. It's been a while, so I can't remember specifically where I got stuck. I haven't had time to dig into it again, but it was fun to work with the little I have worked with it so far.

Thanks for the write-up!

If it helps anyone get started faster, I added some code to Vlad’s BinPAC quickstart script to automate the setup for these kinds of plugins. You can find his script here: https://github.com/grigorescu/binpac_quickstart