Does Zeek allow to inspect RTP headers?

Hi all,

As far as I see here no RTP analizer has been added yet. So I have an another question regarding this topic. Is there any existing guide or tutorial explaining how I can develop an analizer for a protocol myself or should I just base it on the already existing code?

Best regards and happy Easter.


This is a great question and something I recently went through with RDPEUDP. The Syslog analyzer is a good example of a simple analyzer. The SSL analyzer is a good example of a complex analyzer.

I found comparing existing analyzers to the files which binpac_quickstart outputs very helpful. It turns out much of the code which composes an analyzer is template/boilerplate. *-protocol.pac and *-analzer.pac is where most of the analyzer will live.

The README of binpac explains its DSL fairly well. It’s much smaller than Zeek’s scripting language but harder, in my opinion, to debug. Some random thoughts on binpac:

  • I had issues using nested cases, so don’t use them
  • I ended up using temporary or “throw away” fields than I thought would be necessary
  • There are conventions but there doesn’t seem to be one way of using binpac
  • printf from proc_* functions is basically all the debugging info you get

Reading the Zeek docs on DPD, PIA, and the Signature Framework were also useful if you want your analyzer to attach to connections in a robust manner.

I hope this helps!