Hi all,
As far as I see here no RTP analizer has been added yet. So I have an another question regarding this topic. Is there any existing guide or tutorial explaining how I can develop an analizer for a protocol myself or should I just base it on the already existing code?
Best regards and happy Easter.
Tomasz
This is a great question and something I recently went through with RDPEUDP. The Syslog analyzer is a good example of a simple analyzer. The SSL analyzer is a good example of a complex analyzer.
I found comparing existing analyzers to the files which binpac_quickstart outputs very helpful. It turns out much of the code which composes an analyzer is template/boilerplate. *-protocol.pac and *-analzer.pac is where most of the analyzer will live.
The README of binpac explains its DSL fairly well. It’s much smaller than Zeek’s scripting language but harder, in my opinion, to debug. Some random thoughts on binpac:
Reading the Zeek docs on DPD, PIA, and the Signature Framework were also useful if you want your analyzer to attach to connections in a robust manner.
I hope this helps!
-AK